Suspicious Non-Browser Network Communication With Google API

Severity: medium
Author: Gavin Knapp
Source: upstream

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1102` Web Service

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

or:
DestinationHostname|contains: drive.googleapis.com
DestinationHostname|contains: oauth2.googleapis.com
DestinationHostname|contains: sheets.googleapis.com
DestinationHostname|contains: www.googleapis.com

Stage 2: `not 1 of filter_main_*`

or:
Image: ''
Image: null

Stage 3: `not 1 of filter_optional_*`

or:
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|contains: ':\Program Files (x86)\Microsoft\EdgeCore\'
Image|contains: ':\Program Files\Microsoft\EdgeCore\'
Image|endswith: '\GoogleDriveFS.exe'
Image|contains: ':\Program Files\Google\Drive File Stream\'
Image|endswith: ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image|endswith: ':\Program Files (x86)\Internet Explorer\iexplore.exe'
Image|endswith: ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image|endswith: ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
Image|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
Image|endswith: ':\Program Files\Microsoft\Edge\Application\msedge.exe'
Image|endswith: ':\Program Files\Mozilla Firefox\firefox.exe'
Image|endswith: '\GoogleUpdate.exe'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image|endswith: '\brave.exe'
Image|endswith: '\maxthon.exe'
Image|endswith: '\opera.exe'
Image|endswith: '\outlook.exe'
Image|endswith: '\safari.exe'
Image|endswith: '\seamonkey.exe'
Image|endswith: '\vivaldi.exe'
Image|endswith: '\whale.exe'
Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationHostname`	match	`drive.googleapis.com` `oauth2.googleapis.com` `sheets.googleapis.com` `www.googleapis.com`
`Image`	ends_with	`:\Program Files (x86)\Google\Chrome\Application\chrome.exe` `:\Program Files (x86)\Internet Explorer\iexplore.exe` `:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe` `:\Program Files (x86)\Mozilla Firefox\firefox.exe` `:\Program Files\Google\Chrome\Application\chrome.exe` `:\Program Files\Internet Explorer\iexplore.exe` `:\Program Files\Microsoft\Edge\Application\msedge.exe` `:\Program Files\Mozilla Firefox\firefox.exe` `\GoogleDriveFS.exe` `\GoogleUpdate.exe` `\WindowsApps\MicrosoftEdge.exe` corpus 12 (sigma 12) `\brave.exe` corpus 20 (sigma 20) `\maxthon.exe` corpus 13 (sigma 13) `\msedge.exe` corpus 22 (sigma 22) `\msedgewebview2.exe` corpus 15 (sigma 15) `\opera.exe` corpus 21 (sigma 21) `\outlook.exe` corpus 16 (sigma 16) `\safari.exe` corpus 12 (sigma 12) `\seamonkey.exe` corpus 13 (sigma 13) `\vivaldi.exe` corpus 19 (sigma 19) `\whale.exe` corpus 12 (sigma 12)
`Image`	match	`:\Program Files (x86)\Microsoft\EdgeCore\` `:\Program Files (x86)\Microsoft\EdgeWebView\Application\` `:\Program Files\Google\Drive File Stream\` `:\Program Files\Microsoft\EdgeCore\`