Sample rules
Gsuite Suspicious Shared File Name
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like “dhl,” “ups,” “invoice,” and “shipment.” This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user’s system.
Detection logic
`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", "presentation")
| rex field=parameters.owner "[^@]+@(?<source_domain>[^@]+)"
| rex field=parameters.target_user "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats count min(_time) as firstTime max(_time) as lastTime by email parameters.owner parameters.target_user parameters.doc_title parameters.doc_type phase severity
| rename parameters.target_user AS user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_suspicious_shared_file_name_filter`
Gsuite Email Suspicious Subject With Attachment
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization’s security.
Detection logic
`gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta")
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="medium"
| stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size by destination{}.service num_message_attachments subject destination{}.address source.address phase severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_suspicious_subject_with_attachment_filter`