Suspicious Non-Browser Network Communication With Google API

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Sigma rule

title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023/05/01
modified: 2023/11/03
tags:
    - attack.command_and_control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:  # Other googleapis should be added as the GC2 tool evolves
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
            - 'drive.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image|endswith:
            - ':\Program Files\Google\Chrome\Application\chrome.exe'
            - ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_google_drive:
        Image|contains: ':\Program Files\Google\Drive File Stream\'
        Image|endswith: '\GoogleDriveFS.exe'
    filter_optional_firefox:
        Image|endswith:
            - ':\Program Files\Mozilla Firefox\firefox.exe'
            - ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image|endswith:
            - ':\Program Files (x86)\Internet Explorer\iexplore.exe'
            - ':\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith:
              - ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - ':\Program Files\Microsoft\Edge\Application\msedge.exe'
              - '\WindowsApps\MicrosoftEdge.exe'
    filter_optional_edge_2:
        Image|contains:
            - ':\Program Files (x86)\Microsoft\EdgeCore\'
            - ':\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_googleupdate:
        Image|endswith: '\GoogleUpdate.exe'
    filter_optional_outlook.exe:
        Image|endswith: '\outlook.exe'
    filter_optional_teams:
        Image|endswith: '\teams.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
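To see how the condition "selection and not 1 of filter_optional_*" behaves, here is an added Python evaluator (not part of the Sigma project or the rule above) that applies the rule's selection and exclusion logic to a few constructed network_connection events; it assumes Sysmon-style field names (Image, DestinationHostname) and reproduces Sigma's case-insensitive contains/endswith modifiers.

```python
# Added example (not part of the Sigma rule set): applies the rule's logic to constructed events.
SELECTION_HOSTS = ("oauth2.googleapis.com", "sheets.googleapis.com",
                   "drive.googleapis.com", "www.googleapis.com")
ENDS, CONT = "endswith", "contains"
# One entry per filter_optional_* map; keys inside a map are ANDed (Sigma semantics).
# filter_optional_edge_1 is a list of two maps (OR), so it becomes two entries here.
FILTERS = [
    {ENDS: ["\\brave.exe"]},
    {ENDS: [":\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    {CONT: [":\\Program Files\\Google\\Drive File Stream\\"], ENDS: ["\\GoogleDriveFS.exe"]},
    {ENDS: [":\\Program Files\\Mozilla Firefox\\firefox.exe",
            ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"]},
    {ENDS: [":\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
            ":\\Program Files\\Internet Explorer\\iexplore.exe"]},
    {ENDS: ["\\maxthon.exe"]},
    {CONT: [":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"]},
    {ENDS: [":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
            "\\WindowsApps\\MicrosoftEdge.exe"]},
    {CONT: [":\\Program Files (x86)\\Microsoft\\EdgeCore\\", ":\\Program Files\\Microsoft\\EdgeCore\\"],
     ENDS: ["\\msedge.exe", "\\msedgewebview2.exe"]},
    {ENDS: ["\\opera.exe"]}, {ENDS: ["\\safari.exe"]}, {ENDS: ["\\seamonkey.exe"]},
    {ENDS: ["\\vivaldi.exe"]}, {ENDS: ["\\whale.exe"]}, {ENDS: ["\\GoogleUpdate.exe"]},
    {ENDS: ["\\outlook.exe"]}, {ENDS: ["\\teams.exe"]},
]

def _match(value, modifier, patterns):
    # Sigma string modifiers are case-insensitive; a list of patterns is ORed.
    v = value.lower()
    if modifier == ENDS:
        return any(v.endswith(p.lower()) for p in patterns)
    return any(p.lower() in v for p in patterns)

def rule_matches(event):
    """Evaluate 'selection and not 1 of filter_optional_*' for one network_connection event."""
    if not _match(event.get("DestinationHostname", ""), CONT, SELECTION_HOSTS):
        return False
    image = event.get("Image", "")
    return not any(all(_match(image, m, p) for m, p in f.items()) for f in FILTERS)

EVENTS = [  # constructed sample events (Sysmon Event ID 3 field names), not real telemetry
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "sheets.googleapis.com"},
    {"Image": "C:\\Users\\Public\\updater.exe", "DestinationHostname": "oauth2.googleapis.com"},
    {"Image": "C:\\Users\\Public\\updater.exe", "DestinationHostname": "example.com"},
]

def alerts(events=EVENTS):
    """Return the Image of every event the rule would fire on."""
    return [e["Image"] for e in events if rule_matches(e)]
```

Only the unknown updater.exe reaching oauth2.googleapis.com survives the exclusions; the browser connection is filtered and the example.com connection never matches the selection.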
