Suspicious Curl to Google App Script Endpoint

Detects the use of curl to a Google Script endpoint for the purpose of downloading a second stage payload or tool. Threat actors utilize exposed Google Script endpoints to host payloads as Google URLs are generally whitelisted and bypass security controls.

Elastic rule

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects the use of curl to a Google Script endpoint for the purpose of downloading a second stage payload
or tool. Threat actors utilize exposed Google Script endpoints to host payloads as Google URLs are
generally whitelisted and bypass security controls.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Curl to Google App Script Endpoint"
references = [
    "https://www.google.com/script/start/",
    "https://attack.mitre.org/techniques/T1105/"
]
risk_score = 73
rule_id = "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Curl to Google App Script Endpoint

Google Apps Script is a cloud-based development platform that allows users to extend Google Workspace functionality with custom scripts. Threat actors abuse this legitimate service to host malicious scripts that serve as command and control endpoints, taking advantage of the trusted domain reputation and SSL certificates. This detection rule identifies curl connections to Google Apps Script endpoints from macOS systems, which may indicate C2 communication or payload retrieval from attacker-controlled scripts.

### Possible investigation steps

- Review the process.parent.executable and process.command_line fields to understand what application or script initiated the curl request to Google Apps Script.
- Extract the full URL from process.args to identify the specific Apps Script deployment being accessed and determine if it belongs to your organization.
- Analyze the process.Ext.effective_parent.executable to trace the execution chain and identify the root cause of the suspicious activity.
- Check Google Workspace admin logs if available to review the Apps Script deployment and its contents for malicious code.
- Investigate the user.name associated with the activity to determine if the behavior aligns with their normal duties.
- Review network response data if captured to identify any commands, payloads, or exfiltrated data transmitted via the Apps Script endpoint.
- Search for similar curl to Google Apps Script activity across other endpoints to assess the scope of potential compromise.

### False positive analysis

- Legitimate business automation may use Google Apps Script for workflow integrations. Verify with the script owner and confirm the Apps Script belongs to your organization.
- MDM and management tools like Kandji may interact with Google services legitimately. These are already excluded in the query but verify if additional tools should be added.
- Marketing and analytics platforms may use Apps Script for data collection. Confirm these are sanctioned business applications.
- Development and testing activities may involve Apps Script integrations. Coordinate with development teams to understand expected activities.

### Response and remediation

- Immediately block the suspicious Google Apps Script URL at the proxy or web filter to prevent ongoing C2 communication.
- Terminate the curl process and any parent processes that initiated the suspicious activity.
- Isolate the affected macOS system from the network while conducting forensic analysis.
- Report the malicious Apps Script to Google through their abuse reporting mechanisms to initiate takedown.
- Conduct a thorough scan of the affected system for additional malware, persistence mechanisms, or exfiltrated data.
- Review authentication logs for the affected user account and reset credentials if compromise is suspected.
- Search for similar activity across the environment to identify additional affected systems.
- Implement enhanced monitoring for connections to script.google.com from unexpected applications.
"""
query = '''
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type == "start" and process.name in ("curl", "nscurl") and
    not process.Ext.effective_parent.executable like "/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Library Manager.app/Contents/MacOS/kandji-library-manager"]
  [network where host.os.type == "macos" and event.type == "start" and process.name in ("curl", "nscurl") and
    destination.domain in ("script.google.com", "script.google.com.")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Ingress Tool Transfer"
  id = "T1105"
  reference = "https://attack.mitre.org/techniques/T1105/"

  [[rule.threat.technique]]
  name = "Web Service"
  id = "T1102"
  reference = "https://attack.mitre.org/techniques/T1102/"

    [[rule.threat.technique.subtechnique]]
    name = "Bidirectional Communication"
    id = "T1102.002"
    reference = "https://attack.mitre.org/techniques/T1102/002/"
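To make the sequence semantics of the EQL query concrete, here is an added Python emulation of the two-stage match over a handful of constructed events (this is illustrative code written for this page, not Elastic's rule engine; the event dicts, entity ids and timestamps are invented, and only the fields the query reads are modelled):

```python
from datetime import datetime, timedelta

# Excluded path from the query; the 'like' pattern has no wildcards, so it is a literal comparison.
KANDJI = ("/Library/Kandji/Kandji Agent.app/Contents/Helpers/"
          "Kandji Library Manager.app/Contents/MacOS/kandji-library-manager")
TOOLS = ("curl", "nscurl")
DOMAINS = ("script.google.com", "script.google.com.")

def ev(ts, category, entity_id, extra):
    """Build a minimal ECS-style event carrying only the fields the rule inspects."""
    base = {"@timestamp": ts, "event.category": category, "event.type": "start",
            "host.os.type": "macos", "process.name": "curl", "process.entity_id": entity_id}
    return {**base, **extra}

# Constructed sample telemetry (not real data). p1 should alert; p2-p4 should not.
EVENTS = [
    ev("2026-01-30T10:00:00Z", "process", "p1", {"process.Ext.effective_parent.executable": "/bin/zsh"}),
    ev("2026-01-30T10:00:03Z", "network", "p1", {"destination.domain": "script.google.com"}),
    # p2: curl launched under the Kandji agent is dropped by the first stage's exclusion
    ev("2026-01-30T10:01:00Z", "process", "p2", {"process.Ext.effective_parent.executable": KANDJI}),
    ev("2026-01-30T10:01:01Z", "network", "p2", {"destination.domain": "script.google.com."}),
    # p3: connection to an unrelated domain never satisfies the second stage
    ev("2026-01-30T10:02:00Z", "process", "p3", {"process.Ext.effective_parent.executable": "/bin/zsh"}),
    ev("2026-01-30T10:02:02Z", "network", "p3", {"destination.domain": "example.com"}),
    # p4: the connection lands after maxspan (15s), so the open sequence expires
    ev("2026-01-30T10:03:00Z", "process", "p4", {"process.Ext.effective_parent.executable": "/bin/zsh"}),
    ev("2026-01-30T10:03:20Z", "network", "p4", {"destination.domain": "script.google.com"}),
]

def _ts(e):
    return datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def stage_process(e):  # first bracket of the sequence
    return (e["event.category"] == "process" and e["host.os.type"] == "macos"
            and e["event.type"] == "start" and e["process.name"] in TOOLS
            and e.get("process.Ext.effective_parent.executable") != KANDJI)

def stage_network(e):  # second bracket of the sequence
    return (e["event.category"] == "network" and e["host.os.type"] == "macos"
            and e["event.type"] == "start" and e["process.name"] in TOOLS
            and e.get("destination.domain") in DOMAINS)

def detect(events, maxspan=timedelta(seconds=15)):
    """Emulate 'sequence by process.entity_id with maxspan=15s': return the entity ids whose
    curl/nscurl start is followed, within maxspan, by a connection to script.google.com."""
    pending, hits = {}, []
    for e in sorted(events, key=_ts):
        eid = e["process.entity_id"]
        if stage_process(e):
            pending[eid] = _ts(e)  # open a sequence keyed on the join field
        elif stage_network(e) and eid in pending and _ts(e) - pending.pop(eid) <= maxspan:
            hits.append(eid)
    return hits
```

Running detect(EVENTS) yields only "p1"; the Kandji exclusion, the non-matching domain and the 15-second window each suppress one of the other candidates, which is the same behaviour to expect from the rule when tuning additional exclusions.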
