LoFP / Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.

Techniques

Sample rules

Potentially Suspicious Network Connection To Notion API

Description

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2".

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_brave:
  Image|endswith: \brave.exe
filter_main_chrome:
  Image:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
  - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
filter_main_edge_1:
- Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- Image|endswith: \WindowsApps\MicrosoftEdge.exe
- Image:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_main_edge_2:
  Image|endswith:
  - \msedge.exe
  - \msedgewebview2.exe
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeCore\
  - C:\Program Files\Microsoft\EdgeCore\
filter_main_firefox:
  Image:
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
filter_main_ie:
  Image:
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
  - C:\Program Files\Internet Explorer\iexplore.exe
filter_main_maxthon:
  Image|endswith: \maxthon.exe
filter_main_notion:
  Image|endswith: \AppData\Local\Programs\Notion\Notion.exe
filter_main_opera:
  Image|endswith: \opera.exe
filter_main_safari:
  Image|endswith: \safari.exe
filter_main_seamonkey:
  Image|endswith: \seamonkey.exe
filter_main_vivaldi:
  Image|endswith: \vivaldi.exe
filter_main_whale:
  Image|endswith: \whale.exe
selection:
  DestinationHostname|contains: api.notion.com
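To show how the condition above behaves, here is an added Python evaluator (not part of the rule or of the LoFP site) that applies Sigma's matching semantics to constructed Sysmon-style network events; only a few of the rule's filters are transcribed, and every image path and hostname in the sample events is constructed.

```python
from typing import Any, Optional

# Filters transcribed from the rule above (browser list abridged to a few entries).
# Sigma semantics: a map's keys are ANDed, a list of maps is ORed, a list of
# values for one key is ORed, and string matching is case-insensitive.
FILTERS: dict[str, Any] = {
    "filter_main_brave": {"Image|endswith": "\\brave.exe"},
    "filter_main_chrome": {"Image": [
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    "filter_main_edge_2": {
        "Image|endswith": ["\\msedge.exe", "\\msedgewebview2.exe"],
        "Image|startswith": ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                             "C:\\Program Files\\Microsoft\\EdgeCore\\"]},
    "filter_main_notion": {"Image|endswith": "\\AppData\\Local\\Programs\\Notion\\Notion.exe"},
}
SELECTION = {"DestinationHostname|contains": "api.notion.com"}


def _field_matches(event: dict, key: str, wanted: Any) -> bool:
    field, _, mod = key.partition("|")  # e.g. "Image|endswith" -> ("Image", "endswith")
    value = str(event.get(field, "")).lower()
    for w in ([wanted] if isinstance(wanted, str) else wanted):
        w = w.lower()
        if ((mod == "" and value == w) or (mod == "endswith" and value.endswith(w))
                or (mod == "startswith" and value.startswith(w))
                or (mod == "contains" and w in value)):
            return True
    return False


def _block_matches(event: dict, block: Any) -> bool:
    if isinstance(block, list):  # list of maps: any one may match
        return any(_block_matches(event, b) for b in block)
    return all(_field_matches(event, k, v) for k, v in block.items())  # map: all keys


def evaluate(event: dict) -> Optional[str]:
    """'ALERT' if the rule fires, the name of the filter that suppressed the event
    ('selection and not 1 of filter_main_*'), or None if selection does not match."""
    if not _block_matches(event, SELECTION):
        return None
    for name, block in FILTERS.items():
        if _block_matches(event, block):
            return name
    return "ALERT"


# Constructed Sysmon-style network events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Program Files\\Microsoft\\EdgeCore\\msedge.exe", "DestinationHostname": "API.Notion.com"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Notion\\Notion.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Users\\alice\\Downloads\\updater.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Users\\alice\\Downloads\\updater.exe", "DestinationHostname": "www.notion.so"},
]
```

Run `evaluate` over `EVENTS` to see the mixed-case hostname still selected, the browser and Notion desktop events suppressed by name, and only the unlisted process reaching ALERT.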