Potentially Suspicious Network Connection To Notion API
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
Sigma rule (View on GitHub)
1title: Potentially Suspicious Network Connection To Notion API
2id: 7e9cf7b6-e827-11ed-a05b-15959c120003
3status: test
4description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
5references:
6 - https://github.com/mttaggart/OffensiveNotion
7 - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
8author: Gavin Knapp
9date: 2023/05/03
10tags:
11 - attack.command_and_control
12 - attack.t1102
13logsource:
14 product: windows
15 category: network_connection
16detection:
17 selection:
18 DestinationHostname|contains: 'api.notion.com'
19 filter_main_notion:
20 Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
21 filter_main_brave:
22 Image|endswith: '\brave.exe'
23 filter_main_chrome:
24 Image:
25 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
26 - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
27 filter_main_firefox:
28 Image:
29 - 'C:\Program Files\Mozilla Firefox\firefox.exe'
30 - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
31 filter_main_ie:
32 Image:
33 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
34 - 'C:\Program Files\Internet Explorer\iexplore.exe'
35 filter_main_maxthon:
36 Image|endswith: '\maxthon.exe'
37 filter_main_edge_1:
38 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
39 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
40 - Image:
41 - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
42 - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
43 filter_main_edge_2:
44 Image|startswith:
45 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
46 - 'C:\Program Files\Microsoft\EdgeCore\'
47 Image|endswith:
48 - '\msedge.exe'
49 - '\msedgewebview2.exe'
50 filter_main_opera:
51 Image|endswith: '\opera.exe'
52 filter_main_safari:
53 Image|endswith: '\safari.exe'
54 filter_main_seamonkey:
55 Image|endswith: '\seamonkey.exe'
56 filter_main_vivaldi:
57 Image|endswith: '\vivaldi.exe'
58 filter_main_whale:
59 Image|endswith: '\whale.exe'
60 condition: selection and not 1 of filter_main_*
61falsepositives:
62 - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
63level: low
References
Related rules
- Communication To Ngrok Tunneling Service Initiated
- Potential Dead Drop Resolvers
- Suspicious Non-Browser Network Communication With Google API
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution