Suspicious File Downloaded from Google Drive

edit

Suspicious File Downloaded from Google Drive

edit

Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint*
  • logs-system.security*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • OS: Windows
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Command and Control

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where

    /* common browser processes  */
    event.action in ("exec", "fork", "start") and

    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

    /* Look for Google Drive download URL with AV flag skipping */
    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")

Framework: MITRE ATT&CKTM