Suspicious Non-Browser Network Communication With Google API
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Sigma rule
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: |
    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023-05-01
modified: 2025-02-22
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            # Note: Please add additional google API related domains that might be abused.
            - 'drive.googleapis.com'
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image|endswith:
            - ':\Program Files\Google\Chrome\Application\chrome.exe'
            - ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_google_drive:
        Image|contains: ':\Program Files\Google\Drive File Stream\'
        Image|endswith: '\GoogleDriveFS.exe'
    filter_optional_firefox:
        Image|endswith:
            - ':\Program Files\Mozilla Firefox\firefox.exe'
            - ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image|endswith:
            - ':\Program Files (x86)\Internet Explorer\iexplore.exe'
            - ':\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith:
            - ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - ':\Program Files\Microsoft\Edge\Application\msedge.exe'
            - '\WindowsApps\MicrosoftEdge.exe'
    filter_optional_edge_2:
        Image|contains:
            - ':\Program Files (x86)\Microsoft\EdgeCore\'
            - ':\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_googleupdate:
        Image|endswith: '\GoogleUpdate.exe'
    filter_optional_outlook_exe:
        Image|endswith: '\outlook.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environment dependent and requires further testing and tuning.
level: medium
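The condition line above reads as "the selection matched and no filter_main_* and no filter_optional_* matched". Two Sigma details decide what the browser filters actually exclude: a map with two fields (filter_optional_google_drive, filter_optional_edge_2) requires both fields to match (AND), while a list of maps (filter_optional_edge_1) is satisfied by either map (OR), and every string modifier is matched case-insensitively. The evaluator below is an added example, written for this page; it is not part of the Sigma project or of any Sigma backend, and the events it runs on are constructed Sysmon-style network_connection records, not data from a real host. It shows the rule suppressing a Chrome connection, an EdgeCore WebView2 process and an event with no Image field, while still firing on an unrecognised binary and on an msedge.exe copied outside its expected install path, since the Edge filters are anchored to full paths rather than to the file name alone.

```python
# Added example, not the Sigma project's code: a small evaluator for the rule
# above, applied to constructed network_connection events.

SELECTION = {
    "DestinationHostname|contains": [
        "drive.googleapis.com", "oauth2.googleapis.com",
        "sheets.googleapis.com", "www.googleapis.com",
    ],
}

# Filters transcribed from the rule. The single-value filters (brave, maxthon,
# opera, ...) are folded into one list here; under "1 of filter_optional_*"
# that is equivalent to keeping them as separate named filters.
FILTERS = {
    "filter_optional_single_exes": {"Image|endswith": [
        "\\brave.exe", "\\maxthon.exe", "\\opera.exe", "\\safari.exe",
        "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe",
        "\\GoogleUpdate.exe", "\\outlook.exe",
    ]},
    "filter_optional_chrome": {"Image|endswith": [
        ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    ]},
    # Two fields in one map: both must match (AND).
    "filter_optional_google_drive": {
        "Image|contains": ":\\Program Files\\Google\\Drive File Stream\\",
        "Image|endswith": "\\GoogleDriveFS.exe",
    },
    "filter_optional_firefox": {"Image|endswith": [
        ":\\Program Files\\Mozilla Firefox\\firefox.exe",
        ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
    ]},
    "filter_optional_ie": {"Image|endswith": [
        ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
        ":\\Program Files\\Internet Explorer\\iexplore.exe",
    ]},
    # A list of maps: either map may match (OR).
    "filter_optional_edge_1": [
        {"Image|contains": ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
        {"Image|endswith": [
            ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
            "\\WindowsApps\\MicrosoftEdge.exe",
        ]},
    ],
    "filter_optional_edge_2": {
        "Image|contains": [":\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                           ":\\Program Files\\Microsoft\\EdgeCore\\"],
        "Image|endswith": ["\\msedge.exe", "\\msedgewebview2.exe"],
    },
    "filter_main_null": {"Image": None},
    "filter_main_empty": {"Image": ""},
}


def _field_matches(value, modifier, patterns):
    """OR over the patterns of one field; null and '' are exact matches."""
    for pat in patterns if isinstance(patterns, list) else [patterns]:
        if pat is None or value is None:
            if pat is None and value is None:
                return True
            continue
        v, p = value.lower(), pat.lower()  # Sigma strings are case-insensitive
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def _map_matches(event, mapping):
    """AND over every field of a map."""
    for key, patterns in mapping.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


def _search_matches(event, search):
    """A list of maps is an OR of its maps; a single map is evaluated directly."""
    if isinstance(search, list):
        return any(_map_matches(event, m) for m in search)
    return _map_matches(event, search)


def rule_fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _search_matches(event, SELECTION):
        return False
    return not any(_search_matches(event, f) for f in FILTERS.values())


def firing_images(events):
    """Return the Image of every event the rule would alert on."""
    return [e.get("Image") for e in events if rule_fires(e)]


# Constructed events for the demonstration; none is from a real host.
EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "sheets.googleapis.com"},            # browser: suppressed
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationHostname": "sheets.googleapis.com"},            # unknown binary: fires
    {"Image": "C:\\Program Files\\Microsoft\\EdgeCore\\120.0\\msedgewebview2.exe",
     "DestinationHostname": "www.googleapis.com"},               # edge_2 (AND): suppressed
    {"Image": "C:\\Users\\alice\\Downloads\\msedge.exe",
     "DestinationHostname": "oauth2.googleapis.com"},            # wrong path: fires
    {"Image": None, "DestinationHostname": "drive.googleapis.com"},  # filter_main_null
    {"Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "DestinationHostname": "github.com"},                       # not in selection
]

if __name__ == "__main__":
    for image in firing_images(EVENTS):
        print("ALERT:", image)
```

When tuning this rule for an environment, this structure is what to extend: add a new `filter_optional_*` map keyed on the full install path of the legitimate application rather than on the file name alone, so that a binary merely named like a browser and dropped into a user-writable directory is not excluded.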
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- New Connection Initiated To Potential Dead Drop Resolver Domain
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux