Suspicious Non-Browser Network Communication With Google API
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Sigma rule

```yaml
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023/05/01
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: # Other googleapis should be added as the GC2 tool evolves
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
            - 'drive.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_google_drive:
        Image|startswith:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files\Google\Drive File Stream\*\GoogleDriveFS.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_googleupdate:
        Image|endswith: '\GoogleUpdate.exe'
    filter_optional_outlook.exe:
        Image|endswith: '\outlook.exe'
    filter_optional_teams:
        Image|endswith: '\teams.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environment dependent and requires further testing and tuning.
level: medium
```
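To make the rule's logic concrete, the following is an added example (not part of the Sigma rule or its author's work) that re-implements the `selection and not 1 of filter_optional_*` condition in plain Python and runs it over a handful of constructed Sysmon Event ID 3 style records. Only a representative subset of the rule's filters is transcribed, the events and the process paths in them are invented, and the matcher models Sigma's `contains`/`startswith`/`endswith` modifiers, case-insensitive comparison, and `*`/`?` wildcards but not Sigma's backslash-escape rules.

```python
"""Evaluate the GC2 Sigma rule above against constructed network_connection events."""
import re

# Transcribed from the rule. Structure mirrors Sigma semantics: a mapping ANDs its
# keys, a list of values under one key ORs them, a list of mappings ORs the mappings.
SELECTION = {
    "DestinationHostname|contains": [
        "oauth2.googleapis.com", "sheets.googleapis.com",
        "drive.googleapis.com", "www.googleapis.com",
    ],
}
# Representative subset of the rule's filter_optional_* blocks.
FILTERS = {
    "filter_optional_brave": {"Image|endswith": "\\brave.exe"},
    "filter_optional_chrome": {"Image": [
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    ]},
    "filter_optional_edge_1": [  # list of mappings: any one of them excludes the event
        {"Image|startswith": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
        {"Image|endswith": "\\WindowsApps\\MicrosoftEdge.exe"},
        {"Image": [
            "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
        ]},
    ],
    "filter_optional_edge_2": {  # mapping with two keys: both must match
        "Image|startswith": ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                             "C:\\Program Files\\Microsoft\\EdgeCore\\"],
        "Image|endswith": ["\\msedge.exe", "\\msedgewebview2.exe"],
    },
    "filter_optional_googleupdate": {"Image|endswith": "\\GoogleUpdate.exe"},
    "filter_optional_outlook.exe": {"Image|endswith": "\\outlook.exe"},
    "filter_optional_teams": {"Image|endswith": "\\teams.exe"},
}


def _to_regex(value, modifier):
    """Turn a Sigma value plus modifier into a case-insensitive full-match regex.
    Simplification: '*' and '?' are always wildcards; Sigma's backslash escaping is ignored."""
    if modifier == "contains":
        value = f"*{value}*"
    elif modifier == "startswith":
        value = f"{value}*"
    elif modifier == "endswith":
        value = f"*{value}"
    parts = re.split(r"([*?])", value)  # keep the wildcard tokens as separate parts
    pattern = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def _field_matches(event, key, values):
    """'Field|modifier': [v1, v2] matches if the event field matches any value."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "")
    if not isinstance(values, list):
        values = [values]
    return any(_to_regex(v, modifier).match(actual) for v in values)


def _block_matches(event, block):
    """A list of mappings is an OR; a mapping is an AND over its keys."""
    if isinstance(block, list):
        return any(_block_matches(event, b) for b in block)
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    if not _block_matches(event, SELECTION):
        return False
    return not any(_block_matches(event, f) for f in FILTERS.values())


# Constructed Sysmon Event ID 3 style records (hypothetical paths, not real telemetry).
EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "sheets.googleapis.com"},                  # browser: excluded
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationHostname": "sheets.googleapis.com"},                  # non-browser: alert
    {"Image": "C:\\Program Files\\Microsoft\\EdgeCore\\112.0.0.0\\msedge.exe",
     "DestinationHostname": "oauth2.googleapis.com"},                  # edge_2 (AND): excluded
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "drive.googleapis.com"},                   # non-browser: alert
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "update.microsoft.com"},                   # not a Google API host
]


def flagged_images(events=EVENTS):
    """Return the Image of every event the rule would fire on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in flagged_images():
        print("ALERT:", image)
```

Two things worth noting when deploying the real rule: Sigma string matching is case-insensitive, so the exclusion for `chrome.exe` also covers `CHROME.EXE`, which the matcher above reproduces; and the selection keys entirely off `DestinationHostname`, which in Sysmon network events is populated by reverse DNS lookup, so on hosts where that lookup is disabled in the Sysmon configuration the field is empty and the rule never fires.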