approved third-party applications that use google drive download urls.

t1105
cross-platform
elastic

Techniques

T1105

Sample rules

Suspicious File Downloaded from Google Drive

source: elastic
technicques:
- T1105

Description

Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.

Detection logic

process where

    /* common browser processes  */
    event.action in ("exec", "fork", "start") and

    process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable",
                    "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe",
                    "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox",
                    "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and

    /* Look for Google Drive download URL with AV flag skipping */
    (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*")