Techniques
Sample rules
GSuite Email Suspicious Attachment
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects suspicious attachment file extensions in GSuite emails, potentially indicating a spear-phishing attack. It leverages GSuite Gmail logs to identify emails with attachments having file extensions commonly associated with malware, such as .exe, .bat, and .js. This activity is significant as these file types are often used to deliver malicious payloads, posing a risk of compromising targeted machines. If confirmed malicious, this could lead to unauthorized code execution, data breaches, or further network infiltration.
Detection logic
`gsuite_gmail` "attachment{}.file_extension_type" IN ("pl", "py", "rb", "sh", "bat", "exe", "dll", "cpl", "com", "js", "vbs", "ps1", "reg","swf", "cmd", "go")
| eval phase="plan"
| eval severity="medium"
| stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_suspicious_attachment_filter`
Gsuite Outbound Email With Attachment To External Domain
- source: splunk
- technicques:
- T1048.003
- T1048
Description
The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.
Detection logic
`gsuite_gmail` num_message_attachments > 0
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime by dest_domain phase severity
| where numSrcAddresses < 20
|sort - numSrcAddresses
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_outbound_email_with_attachment_to_external_domain_filter`