Google Calendar C2 via Script Interpreter

Detects a two-stage Google Calendar C2 pattern where a scripting runtime (Node.js, Python, osascript) first connects to calendar.app.google to retrieve a hidden C2 address, then initiates a secondary connection to the decoded C2 host. This sequence is characteristic of packages using Unicode steganography in Google Calendar events to stage dynamic command-and-control endpoints.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects a two-stage Google Calendar C2 pattern where a scripting runtime (Node.js, Python, osascript) first 
connects to calendar.app.google to retrieve a hidden C2 address, then initiates a secondary connection to the 
decoded C2 host. This sequence is characteristic of packages using Unicode steganography in Google Calendar 
events to stage dynamic command-and-control endpoints.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Google Calendar C2 via Script Interpreter"
references = [
    "https://www.veracode.com/resources/sophisticated-npm-attack-leveraging-unicode-steganography-and-google-calendar-c2",
    "https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
]
risk_score = 73
rule_id = "abc7a2be-479e-428b-b0b3-1d22bda46dd9"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Google Calendar C2 via Script Interpreter

Threat actors increasingly abuse legitimate cloud services to establish covert command and control channels that blend with normal traffic and bypass traditional network security controls. Google Calendar has been weaponized as a C2 mechanism where attackers store encoded commands in calendar event descriptions, which malware then polls and executes. This detection rule identifies script interpreters connecting to Google Calendar API endpoints, which may indicate this living-off-the-land technique.

### Possible investigation steps

- Review the process.name and process.executable fields to identify which script interpreter is making the Google Calendar API connection and assess whether it is expected for the user or application context.
- Examine the process.command_line and process.args fields to understand what script or code is being executed that initiated the calendar connection.
- Check the process.parent.executable and process.parent.command_line to trace the process lineage and identify how the script interpreter was launched.
- Investigate the Google Workspace audit logs for the associated user account to review calendar events that may contain encoded commands or suspicious content.
- Review network connection details including dns.question.name and destination.ip to understand the specific Google API endpoints being accessed.
- Correlate with authentication events to identify which user account or service account OAuth tokens are being used for the calendar access.
- Search for similar activity across other endpoints to determine if this is an isolated incident or part of a broader campaign.

### False positive analysis

- Legitimate productivity applications may integrate with Google Calendar for scheduling and automation purposes. Verify the application's purpose and whether it is approved by IT.
- Custom automation scripts built by employees may access Google Calendar API for workflow automation. Review with the script owner to confirm legitimacy.
- Development and testing environments may trigger this detection when building calendar integrations. Document known development activities and create targeted exceptions.
- Third-party calendar sync applications may use script interpreters to interface with Google Calendar. Verify these are sanctioned applications.

### Response and remediation

- Immediately terminate the suspicious script interpreter process to stop any ongoing C2 communication.
- Revoke OAuth tokens and API credentials associated with the compromised Google account to prevent further unauthorized access.
- Review Google Workspace admin console for any unauthorized calendar events or modifications that may contain malicious content.
- Isolate the affected macOS system from the network while conducting forensic analysis.
- Perform a comprehensive scan for additional malware, persistence mechanisms, or lateral movement indicators.
- Reset the affected user's credentials and enable multi-factor authentication if not already in place.
- Implement application allowlisting to prevent unauthorized script interpreters from executing.
- Escalate to the security operations team for further investigation into potential data exfiltration or broader compromise.
"""
query = '''
sequence by process.entity_id with maxspan=20s
  [network where host.os.type == "macos" and event.type == "start" and
    (process.name in ("node", "osascript") or process.name like "python*" or
     process.code_signature.trusted == false or process.code_signature.exists == false) and
    destination.domain like "calendar.app.google*"]
  [network where host.os.type == "macos" and event.type == "start" and destination.domain == null]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Web Service"
  id = "T1102"
  reference = "https://attack.mitre.org/techniques/T1102/"

    [[rule.threat.technique.subtechnique]]
    name = "Bidirectional Communication"
    id = "T1102.002"
    reference = "https://attack.mitre.org/techniques/T1102/002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

  [[rule.threat.technique]]
  name = "Command and Scripting Interpreter"
  id = "T1059"
  reference = "https://attack.mitre.org/techniques/T1059/"

    [[rule.threat.technique.subtechnique]]
    name = "Python"
    id = "T1059.006"
    reference = "https://attack.mitre.org/techniques/T1059/006/"

    [[rule.threat.technique.subtechnique]]
    name = "JavaScript"
    id = "T1059.007"
    reference = "https://attack.mitre.org/techniques/T1059/007/"
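The two-stage sequence logic of the EQL query above, reimplemented in Python over a constructed set of ECS-style network events so that the interpreter/signature filter, the null-domain second stage and the maxspan window can be inspected offline. This is an added example, not Elastic's code or the rule itself; the sample events, entity ids and addresses are constructed, and the matcher approximates EQL sequence semantics with one pending stage-1 event per process.entity_id.

```python
import fnmatch

MAXSPAN = 20  # seconds, mirrors `with maxspan=20s` in the EQL query

def ev(ts, eid, name, domain, ip, trusted=True):
    """One constructed ECS-style network event; ts is epoch seconds (sample data, not real telemetry)."""
    return {"@timestamp": ts, "host.os.type": "macos", "event.type": "start",
            "process.entity_id": eid, "process.name": name,
            "process.code_signature.trusted": trusted, "process.code_signature.exists": trusted,
            "destination.domain": domain, "destination.ip": ip}

# Constructed sample: p1 (node) and p4 (unsigned binary) follow the two-stage pattern; p2 is a
# signed non-interpreter app; p3's second connection arrives after maxspan. IPs are RFC 5737 ranges.
EVENTS = [
    ev(1000, "p1", "node", "calendar.app.google", "192.0.2.10"),
    ev(1007, "p1", "node", None, "203.0.113.10"),
    ev(1010, "p2", "Calendar", "calendar.app.google", "192.0.2.10"),
    ev(1012, "p2", "Calendar", None, "203.0.113.20"),
    ev(1060, "p3", "python3", "calendar.app.google", "192.0.2.10"),
    ev(1110, "p3", "python3", None, "203.0.113.30"),
    ev(1120, "p4", "updater", "calendar.app.google", "192.0.2.10", trusted=False),
    ev(1125, "p4", "updater", None, "203.0.113.40", trusted=False),
]

def is_stage1(e):
    """First step: interpreter or unsigned process on macOS reaching calendar.app.google*."""
    if e.get("host.os.type") != "macos" or e.get("event.type") != "start":
        return False
    name, domain = e.get("process.name") or "", e.get("destination.domain")
    interp = name in ("node", "osascript") or fnmatch.fnmatchcase(name, "python*")
    unsigned = e.get("process.code_signature.trusted") is False or e.get("process.code_signature.exists") is False
    return (interp or unsigned) and domain is not None and fnmatch.fnmatchcase(domain, "calendar.app.google*")

def is_stage2(e):
    """Second step: a connection with no destination domain, i.e. straight to a decoded IP."""
    return e.get("host.os.type") == "macos" and e.get("event.type") == "start" and e.get("destination.domain") is None

def detect(events, maxspan=MAXSPAN):
    """Emulate `sequence by process.entity_id with maxspan`; returns (entity_id, stage-1 domain, stage-2 ip)."""
    pending, hits = {}, []  # entity_id -> stage-1 event still waiting for its stage-2 partner
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        eid = e["process.entity_id"]
        first = pending.get(eid)
        if first is not None and is_stage2(e):
            if e["@timestamp"] - first["@timestamp"] <= maxspan:
                hits.append((eid, first["destination.domain"], e["destination.ip"]))
            del pending[eid]  # consumed, whether it matched or expired
        elif is_stage1(e):
            pending[eid] = e  # (re)start the sequence for this process
    return hits
```

Running `detect(EVENTS)` flags p1 and p4 only; widening `maxspan` to 60 also admits p3, which illustrates the trade-off the 20-second window makes between catching slow beacons and avoiding unrelated connections.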
