Suspicious Non-Browser Network Communication With Google API

calendarMay 3, 2023 · attack.command_and_control attack.t1102  ·
Share on: linkedincopy

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Sigma rule (View on GitHub)

 1title: Suspicious Non-Browser Network Communication With Google API
 2id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
 3status: experimental
 4description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
 5references:
 6    - https://github.com/looCiprian/GC2-sheet
 7    - https://youtu.be/n2dFlSaBBKo
 8    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
 9    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
10    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
11author: Gavin Knapp
12date: 2023/05/01
13tags:
14    - attack.command_and_control
15    - attack.t1102
16logsource:
17    product: windows
18    category: network_connection
19detection:
20    selection:
21        DestinationHostname|contains:  # Other googleapis should be added as the GC2 tool evolves
22            - 'oauth2.googleapis.com'
23            - 'sheets.googleapis.com'
24            - 'drive.googleapis.com'
25            - 'www.googleapis.com'
26    filter_optional_brave:
27        Image|endswith: '\brave.exe'
28    filter_optional_chrome:
29        Image:
30            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
31            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
32    filter_optional_google_drive:
33        Image|startswith:
34            - 'C:\Program Files\Google\Drive File Stream\'
35            - 'C:\Program Files\Google\Drive File Stream\*\GoogleDriveFS.exe'
36    filter_optional_firefox:
37        Image:
38            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
39            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
40    filter_optional_ie:
41        Image:
42            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
43            - 'C:\Program Files\Internet Explorer\iexplore.exe'
44    filter_optional_maxthon:
45        Image|endswith: '\maxthon.exe'
46    filter_optional_edge_1:
47        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
48        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
49        - Image:
50            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
51            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
52    filter_optional_edge_2:
53        Image|startswith:
54            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
55            - 'C:\Program Files\Microsoft\EdgeCore\'
56        Image|endswith:
57            - '\msedge.exe'
58            - '\msedgewebview2.exe'
59    filter_optional_opera:
60        Image|endswith: '\opera.exe'
61    filter_optional_safari:
62        Image|endswith: '\safari.exe'
63    filter_optional_seamonkey:
64        Image|endswith: '\seamonkey.exe'
65    filter_optional_vivaldi:
66        Image|endswith: '\vivaldi.exe'
67    filter_optional_whale:
68        Image|endswith: '\whale.exe'
69    filter_optional_googleupdate:
70        Image|endswith: '\GoogleUpdate.exe'
71    filter_optional_outlook.exe:
72        Image|endswith: '\outlook.exe'
73    filter_optional_teams:
74        Image|endswith: '\teams.exe'
75    condition: selection and not 1 of filter_optional_*
76falsepositives:
77    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
78level: medium

Related rules

to-top