
[New hunt] A sensitive canary file was accessed in Google Workspace #4125

Open
brokensound77 opened this issue Oct 2, 2024 · 0 comments

Comments

@brokensound77
Contributor

Description

A known sensitive canary file was accessed in Google Workspace, indicating attempts to access sensitive information or files without proper permissions.

This would require the prerequisite step of strategically naming and placing the canary files in locations that are deemed the most vulnerable (or interesting). Ideally, this would be a rule rather than a hunt; however, because of the unique nature of all environments and canary naming patterns, it is not easily done via a prebuilt rule.

Where this gets really interesting: expanding beyond this rule

To take this detection even further, an accompanying OSQuery and/or YARA signature can be created to detect when the file is downloaded or opened.

Steps:

  1. Create this hunt (or better, a custom rule), defining the sensitive file name, path, or other criteria.
  2. (Optionally) create an OSQuery recurring search to detect it on name or hash:

```sql
SELECT *
FROM file_events
-- osquery reports actions in upper case (OPENED, CREATED, UPDATED, ...);
-- on Linux, OPENED/ACCESSED events are only emitted for path categories listed under file_accesses
WHERE action = 'OPENED'
AND (
    target_path IN (
        'C:\\path\\to\\your\\sensitive.doc',       -- Windows path
        '/path/to/your/sensitive.doc',               -- Linux path
        '/path/to/your/sensitive.doc'                -- macOS path
    )
    OR
    sha256 = '<computed_hash_value>'
);
```

  3. (Optionally) create an OSQuery recurring search to run a YARA scan, and write a YARA signature to look for identifying patterns.

Target Huntset

google_workspace

Target hunt Type

ES|QL

Query

```esql
from logs-google_workspace*
| where file.name is not null
    and event.action in ("view", "download")
    and (
      // expand to canary patterns; `in` is an exact match, use LIKE "*pattern*" for wildcards
      file.name in ("known", "canary", "patterns")
    )
| stats files = count(*) by file.name, user.email, event.action
| sort files asc
```

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
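The hunt logic described in the issue, re-implemented as an added example so it can be run offline against a few constructed events (this is not code from the issue or from the detection-rules project). It keeps the hunt's field names (`event.action`, `file.name`, `user.email`) and its filter-then-`stats` shape, and goes one step beyond the ES|QL by accepting shell-style glob patterns for canary names; the canary names and sample events are constructed for the example.

```python
"""Canary-file access hunt over Google Workspace Drive audit events (added example)."""
from collections import Counter
from fnmatch import fnmatchcase

# Canary names/patterns are an assumption: each environment chooses its own.
# Plain names match exactly; shell-style globs (fnmatch) cover families of names.
CANARY_PATTERNS = (
    "Q3 Board Compensation.xlsx",
    "passwords-backup*.txt",
    "*_prod_credentials*",
)

# Drive actions that mean the content was actually read,
# mirroring `event.action in ("view", "download")` in the hunt.
ACCESS_ACTIONS = frozenset({"view", "download"})

# Constructed sample events using the flattened ECS field names the hunt uses.
SAMPLE_EVENTS = [
    {"event.action": "view", "file.name": "Q3 Board Compensation.xlsx", "user.email": "mallory@example.com"},
    {"event.action": "download", "file.name": "passwords-backup-2024.txt", "user.email": "mallory@example.com"},
    {"event.action": "view", "file.name": "passwords-backup-2024.txt", "user.email": "alice@example.com"},
    {"event.action": "edit", "file.name": "Q3 Board Compensation.xlsx", "user.email": "alice@example.com"},  # not an access action
    {"event.action": "view", "file.name": "lunch-menu.pdf", "user.email": "bob@example.com"},  # not a canary
    {"event.action": "download", "file.name": None, "user.email": "carol@example.com"},  # no file name
    {"event.action": "download", "file.name": "acme_prod_credentials.env", "user.email": "mallory@example.com"},
    {"event.action": "download", "file.name": "acme_prod_credentials.env", "user.email": "mallory@example.com"},
]


def is_canary(file_name, patterns=CANARY_PATTERNS):
    """True if the Drive file name matches one of the canary names/globs (case-insensitive)."""
    if not file_name:  # covers None and empty names, i.e. `file.name is not null`
        return False
    lowered = file_name.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in patterns)


def hunt(events, patterns=CANARY_PATTERNS, actions=ACCESS_ACTIONS):
    """Filter and aggregate like `where ... | stats files=count(*) by file.name, user.email, event.action`.

    Returns (count, file.name, user.email, event.action) tuples sorted by count
    ascending (ties broken by name, user, action), like `| sort files asc`.
    """
    counter = Counter()
    for event in events:
        name = event.get("file.name")
        action = event.get("event.action")
        if action in actions and is_canary(name, patterns):
            counter[(name, event.get("user.email"), action)] += 1
    rows = [(count, *key) for key, count in counter.items()]
    return sorted(rows)


if __name__ == "__main__":
    for count, name, user, action in hunt(SAMPLE_EVENTS):
        print(f"{count:>3}  {action:<9} {user:<22} {name}")
```

Running it lists four rows: one each for the compensation sheet and the two readers of the password backup, and a count of two for the repeated download of the credentials file, while the `edit`, non-canary and name-less events are dropped. Swapping `SAMPLE_EVENTS` for events exported from the `logs-google_workspace*` data stream gives the same table the ES|QL hunt produces.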
