Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environment dependent and requires further testing and tuning.

Techniques

Sample rules

Suspicious Non-Browser Network Communication With Google API

Description

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Detection logic

# Scope: any process whose outbound connection targets one of these Google API hostnames.
selection:
  DestinationHostname|contains:
  - drive.googleapis.com
  - oauth2.googleapis.com
  - sheets.googleapis.com
  - www.googleapis.com
# Each filter_optional_* names a browser or Google component that is expected to
# reach these endpoints. Within a map the fields are ANDed, within a list the
# values are ORed; Sigma string matching is case-insensitive.
filter_optional_brave:
  Image|endswith: \brave.exe
filter_optional_chrome:
  Image|endswith:
  - :\Program Files\Google\Chrome\Application\chrome.exe
  - :\Program Files (x86)\Google\Chrome\Application\chrome.exe
filter_optional_edge_1:
- Image|contains: :\Program Files (x86)\Microsoft\EdgeWebView\Application\
- Image|endswith:
  - :\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - :\Program Files\Microsoft\Edge\Application\msedge.exe
  - \WindowsApps\MicrosoftEdge.exe
filter_optional_edge_2:
  Image|contains:
  - :\Program Files (x86)\Microsoft\EdgeCore\
  - :\Program Files\Microsoft\EdgeCore\
  Image|endswith:
  - \msedge.exe
  - \msedgewebview2.exe
filter_optional_firefox:
  Image|endswith:
  - :\Program Files\Mozilla Firefox\firefox.exe
  - :\Program Files (x86)\Mozilla Firefox\firefox.exe
filter_optional_google_drive:
  Image|contains: :\Program Files\Google\Drive File Stream\
  Image|endswith: \GoogleDriveFS.exe
filter_optional_googleupdate:
  Image|endswith: \GoogleUpdate.exe
filter_optional_ie:
  Image|endswith:
  - :\Program Files (x86)\Internet Explorer\iexplore.exe
  - :\Program Files\Internet Explorer\iexplore.exe
filter_optional_maxthon:
  Image|endswith: \maxthon.exe
filter_optional_opera:
  Image|endswith: \opera.exe
filter_optional_outlook.exe:
  Image|endswith: \outlook.exe
filter_optional_safari:
  Image|endswith: \safari.exe
filter_optional_seamonkey:
  Image|endswith: \seamonkey.exe
filter_optional_teams:
  Image|endswith: \teams.exe
filter_optional_vivaldi:
  Image|endswith: \vivaldi.exe
filter_optional_whale:
  Image|endswith: \whale.exe
# Fire when the selection matches and none of the expected-application filters explains it.
condition: selection and not 1 of filter_optional_*
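The rule's matching logic as an added example, not code from the LoFP page or the Sigma project: it evaluates a subset of the filters above over constructed Sysmon-style network events and shows how an environment-specific exclusion (the hypothetical `backup_tool` filter) suppresses the kind of false positive the note at the top describes.

```python
# Added example, not code from the LoFP page or the Sigma project: evaluates the
# rule's selection / filter_optional_* logic over constructed Sysmon-style events.
SELECTION_HOSTS = ("drive.googleapis.com", "oauth2.googleapis.com",
                   "sheets.googleapis.com", "www.googleapis.com")

# Subset of the rule's filters as (Image|contains, Image|endswith) value lists.
# Sigma ANDs the fields of a map and ORs the values of a list, and its string
# matching is case-insensitive, so both sides are lowercased before comparing.
FILTERS = {
    "chrome": ([], [":\\Program Files\\Google\\Chrome\\Application\\chrome.exe"]),
    "edge_2": ([":\\Program Files\\Microsoft\\EdgeCore\\"],
               ["\\msedge.exe", "\\msedgewebview2.exe"]),
    "google_drive": ([":\\Program Files\\Google\\Drive File Stream\\"],
                     ["\\GoogleDriveFS.exe"]),
    "googleupdate": ([], ["\\GoogleUpdate.exe"]),
}

# Hypothetical site-specific exclusion of the kind the LoFP note calls for:
# a backup agent known to talk to the Drive API legitimately in this environment.
SITE_TUNING = {"backup_tool": ([":\\Program Files\\Backup Tool\\"], ["\\backup.exe"])}

def filter_matches(image, contains, endswith):
    img = image.lower()
    ok_contains = not contains or any(c.lower() in img for c in contains)
    ok_endswith = not endswith or any(img.endswith(e.lower()) for e in endswith)
    return ok_contains and ok_endswith

def evaluate(event, extra_filters=None):
    """None if the selection is not met, else the suppressing filter name or 'alert'."""
    host = event.get("DestinationHostname", "").lower()
    if not any(h in host for h in SELECTION_HOSTS):
        return None
    for name, (contains, endswith) in {**FILTERS, **(extra_filters or {})}.items():
        if filter_matches(event.get("Image", ""), contains, endswith):
            return name
    return "alert"  # selection matched and no filter_optional_* suppressed it

def triage(events, extra_filters=None):
    return [evaluate(e, extra_filters) for e in events]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationHostname": "sheets.googleapis.com"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationHostname": "sheets.googleapis.com"},
    {"Image": r"C:\Program Files\Microsoft\EdgeCore\120.0\msedge.exe", "DestinationHostname": "www.googleapis.com"},
    {"Image": r"C:\Program Files\Backup Tool\backup.exe", "DestinationHostname": "drive.googleapis.com"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "update.microsoft.com"},
]
```

Running `triage(EVENTS)` flags the PowerShell and backup connections while `triage(EVENTS, SITE_TUNING)` keeps only PowerShell, which is the tuning loop the note asks for: confirm each new exclusion matches on both path and binary name, not the name alone.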