Potentially Suspicious Network Connection To Notion API

calendar Mar 1, 2024 · attack.command_and_control attack.t1102  ·
Share on: linkedin copy

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Network Connection To Notion API
 2id: 7e9cf7b6-e827-11ed-a05b-15959c120003
 3status: test
 4description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
 5references:
 6    - https://github.com/mttaggart/OffensiveNotion
 7    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
 8author: Gavin Knapp
 9date: 2023/05/03
10tags:
11    - attack.command_and_control
12    - attack.t1102
13logsource:
14    product: windows
15    category: network_connection
16detection:
17    selection:
18        DestinationHostname|contains: 'api.notion.com'
19    filter_main_notion:
20        Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
21    filter_main_brave:
22        Image|endswith: '\brave.exe'
23    filter_main_chrome:
24        Image:
25            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
26            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
27    filter_main_firefox:
28        Image:
29            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
30            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
31    filter_main_ie:
32        Image:
33            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
34            - 'C:\Program Files\Internet Explorer\iexplore.exe'
35    filter_main_maxthon:
36        Image|endswith: '\maxthon.exe'
37    filter_main_edge_1:
38        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
39        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
40        - Image:
41              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
42              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
43    filter_main_edge_2:
44        Image|startswith:
45            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
46            - 'C:\Program Files\Microsoft\EdgeCore\'
47        Image|endswith:
48            - '\msedge.exe'
49            - '\msedgewebview2.exe'
50    filter_main_opera:
51        Image|endswith: '\opera.exe'
52    filter_main_safari:
53        Image|endswith: '\safari.exe'
54    filter_main_seamonkey:
55        Image|endswith: '\seamonkey.exe'
56    filter_main_vivaldi:
57        Image|endswith: '\vivaldi.exe'
58    filter_main_whale:
59        Image|endswith: '\whale.exe'
60    condition: selection and not 1 of filter_main_*
61falsepositives:
62    - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
63level: low

References

Related rules

to-top