
Potentially Suspicious Network Connection To Notion API

sigma · LOW · SigmaHQ · T1102 · imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a non-browser process communicating with the Notion API. This could indicate use of a covert C2 channel such as “OffensiveNotion C2”.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
    - https://github.com/mttaggart/OffensiveNotion
    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.notion.com'
    filter_main_notion:
        Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low
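To see how the rule's condition resolves against real telemetry, here is an added Python example (not the SigmaHQ rule's own code and not a Sigma backend) that reimplements the selection and every filter_main_* exclusion, including the conjunction in filter_main_edge_2, and runs them over constructed Sysmon-style network connection events; all process paths and hostnames in the samples are invented.

```python
# filter_main_* exclusions from the rule above, grouped by the Sigma modifier it uses.
EXCLUDED_ENDSWITH = (
    "\\AppData\\Local\\Programs\\Notion\\Notion.exe", "\\brave.exe", "\\maxthon.exe",
    "\\WindowsApps\\MicrosoftEdge.exe", "\\opera.exe", "\\safari.exe",
    "\\seamonkey.exe", "\\vivaldi.exe", "\\whale.exe")
EXCLUDED_EXACT = (
    "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
    "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
    "C:\\Program Files\\Internet Explorer\\iexplore.exe",
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")
EXCLUDED_STARTSWITH = ("C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\",)
# filter_main_edge_2 is a conjunction: a prefix AND a suffix must both match.
EDGECORE_PREFIXES = ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                     "C:\\Program Files\\Microsoft\\EdgeCore\\")
EDGECORE_SUFFIXES = ("\\msedge.exe", "\\msedgewebview2.exe")

def _lower(items):
    return tuple(s.lower() for s in items)  # Sigma string matching is case-insensitive

def is_excluded(image: str) -> bool:
    """True when Image satisfies at least one filter_main_* block."""
    img = image.lower()
    edgecore = img.startswith(_lower(EDGECORE_PREFIXES)) and img.endswith(_lower(EDGECORE_SUFFIXES))
    return (img.endswith(_lower(EXCLUDED_ENDSWITH)) or img in _lower(EXCLUDED_EXACT)
            or img.startswith(_lower(EXCLUDED_STARTSWITH)) or edgecore)

def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if "api.notion.com" not in event.get("DestinationHostname", "").lower():
        return False  # selection (DestinationHostname|contains) not met
    return not is_excluded(event.get("Image", ""))

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 3 style records, not real telemetry
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Notion\\Notion.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Program Files\\Microsoft\\EdgeCore\\1.0\\msedge.exe", "DestinationHostname": "api.notion.com"},
    # A per-user Chrome install is not in the exact-path list, so it fires: a tuning candidate.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Users\\alice\\Downloads\\sync-helper.exe", "DestinationHostname": "api.notion.com"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "www.notion.so"},
]

def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]
```

Running `alerting_images()` on the samples returns the per-user Chrome path and the unknown helper binary; the exact-path Chrome, the user-profile Notion client and the EdgeCore msedge.exe are all excluded, and the svchost.exe event never satisfies the selection.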

KQL (Azure Sentinel)

imNetworkSession
| where DstHostname contains "api.notion.com"
    and not (
        (SrcProcessName endswith "\\AppData\\Local\\Programs\\Notion\\Notion.exe" or DstProcessName endswith "\\AppData\\Local\\Programs\\Notion\\Notion.exe")
        or (SrcProcessName endswith "\\brave.exe" or DstProcessName endswith "\\brave.exe")
        or (SrcProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")
            or DstProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"))
        or (SrcProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")
            or DstProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"))
        or (SrcProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")
            or DstProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"))
        or (SrcProcessName endswith "\\maxthon.exe" or DstProcessName endswith "\\maxthon.exe")
        or (SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\")
        or (SrcProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe" or DstProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe")
        or (SrcProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")
            or DstProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))
        or ((SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or SrcProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\"
             or DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or DstProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")
            and (SrcProcessName endswith "\\msedge.exe" or SrcProcessName endswith "\\msedgewebview2.exe"
             or DstProcessName endswith "\\msedge.exe" or DstProcessName endswith "\\msedgewebview2.exe"))
        or (SrcProcessName endswith "\\opera.exe" or DstProcessName endswith "\\opera.exe")
        or (SrcProcessName endswith "\\safari.exe" or DstProcessName endswith "\\safari.exe")
        or (SrcProcessName endswith "\\seamonkey.exe" or DstProcessName endswith "\\seamonkey.exe")
        or (SrcProcessName endswith "\\vivaldi.exe" or DstProcessName endswith "\\vivaldi.exe")
        or (SrcProcessName endswith "\\whale.exe" or DstProcessName endswith "\\whale.exe")
    )

Required Data Sources

Sentinel Table: imNetworkSession
Notes: Ensure this data connector is enabled

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml