
Suspicious Non-Browser Network Communication With Google API

Format: Sigma · Level: MEDIUM · Source: SigmaHQ · ATT&CK: T1102 · Sentinel table: imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T23:00:00Z · Confidence: low

Hunt Hypothesis

Detects a non-browser process interacting with the Google API, which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet).

Detection Rule

Sigma (Original)

title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: |
    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023-05-01
modified: 2025-02-22
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            # Note: Please add additional google API related domains that might be abused.
            - 'drive.googleapis.com'
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image|endswith:
            - ':\Program Files\Google\Chrome\Application\chrome.exe'
            - ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_google_drive:
        Image|contains: ':\Program Files\Google\Drive File Stream\'
        Image|endswith: '\GoogleDriveFS.exe'
    filter_optional_firefox:
        Image|endswith:
            - ':\Program Files\Mozilla Firefox\firefox.exe'
            - ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image|endswith:
            - ':\Program Files (x86)\Internet Explorer\iexplore.exe'
            - ':\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith:
              - ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - ':\Program Files\Microsoft\Edge\Application\msedge.exe'
              - '\WindowsApps\MicrosoftEdge.exe'
    filter_optional_edge_2:
        Image|contains:
            - ':\Program Files (x86)\Microsoft\EdgeCore\'
            - ':\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_googleupdate:
        Image|endswith: '\GoogleUpdate.exe'
    filter_optional_outlook_exe:
        Image|endswith: '\outlook.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
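As an added example (not SigmaHQ code or part of this feed), a small Python evaluator that applies the rule's selection and filter semantics to constructed Windows network_connection events; it carries over a representative subset of the filter_optional_* exclusions, and every path and hostname in the sample events is constructed.

```python
# Added example: reference evaluator for the Sigma rule above (not SigmaHQ code).
# Sigma semantics implemented here: a map of fields is AND, a list of values is OR,
# string matching is case-insensitive, and `not 1 of filter_*` means any single
# filter whose conditions all hold suppresses the hit.
GOOGLE_API_HOSTS = ("drive.googleapis.com", "oauth2.googleapis.com",
                    "sheets.googleapis.com", "www.googleapis.com")

# Each filter is a list of (modifier, values) pairs; all pairs must match (AND).
BROWSER_FILTERS = [                                   # subset of filter_optional_*
    [("endswith", ["\\brave.exe"])],
    [("endswith", [":\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                   ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"])],
    [("contains", [":\\Program Files\\Google\\Drive File Stream\\"]),
     ("endswith", ["\\GoogleDriveFS.exe"])],          # two keys in one map: AND
    [("endswith", ["\\outlook.exe"])],
]

def _match(image, modifier, values):
    image = image.lower()
    if modifier == "endswith":
        return any(image.endswith(v.lower()) for v in values)
    return any(v.lower() in image for v in values)    # contains

def is_suspicious(event):
    """True when the rule fires on one Windows network_connection event."""
    host = (event.get("DestinationHostname") or "").lower()
    if not any(h in host for h in GOOGLE_API_HOSTS):
        return False                                  # selection not met
    image = event.get("Image")
    if image is None or image == "":
        return False                                  # filter_main_null / filter_main_empty
    return not any(all(_match(image, m, v) for m, v in f) for f in BROWSER_FILTERS)

EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.googleapis.com"},   # expected browser path: quiet
    {"Image": "C:\\Users\\Public\\chrome.exe",
     "DestinationHostname": "www.googleapis.com"},   # same name, unexpected path: fires
    {"Image": "C:\\Users\\Public\\Documents\\sync.exe",
     "DestinationHostname": "sheets.googleapis.com"},  # non-browser process: fires
    {"Image": "C:\\Tools\\GoogleDriveFS.exe",
     "DestinationHostname": "drive.googleapis.com"},   # endswith holds, contains does not: fires
    {"Image": "", "DestinationHostname": "oauth2.googleapis.com"},  # empty Image: quiet
]

def alerts(events):
    """Images of the events the rule would alert on."""
    return [e["Image"] for e in events if is_suspicious(e)]
```

The second and fourth sample events show why the browser filters match on full install paths rather than bare file names: a renamed or relocated binary is not excluded.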

KQL (Azure Sentinel)

imNetworkSession
| where (DstHostname contains "drive.googleapis.com"
        or DstHostname contains "oauth2.googleapis.com"
        or DstHostname contains "sheets.googleapis.com"
        or DstHostname contains "www.googleapis.com")
    and (not(((isnull(SrcProcessName) or isnull(DstProcessName))
        or (SrcProcessName =~ "" or DstProcessName =~ ""))))
    and (not((
        (SrcProcessName endswith "\\brave.exe" or DstProcessName endswith "\\brave.exe")
        or ((SrcProcessName endswith ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
                or SrcProcessName endswith ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")
            or (DstProcessName endswith ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
                or DstProcessName endswith ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"))
        or ((SrcProcessName contains ":\\Program Files\\Google\\Drive File Stream\\"
                or DstProcessName contains ":\\Program Files\\Google\\Drive File Stream\\")
            and (SrcProcessName endswith "\\GoogleDriveFS.exe" or DstProcessName endswith "\\GoogleDriveFS.exe"))
        or ((SrcProcessName endswith ":\\Program Files\\Mozilla Firefox\\firefox.exe"
                or SrcProcessName endswith ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")
            or (DstProcessName endswith ":\\Program Files\\Mozilla Firefox\\firefox.exe"
                or DstProcessName endswith ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"))
        or ((SrcProcessName endswith ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
                or SrcProcessName endswith ":\\Program Files\\Internet Explorer\\iexplore.exe")
            or (DstProcessName endswith ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
                or DstProcessName endswith ":\\Program Files\\Internet Explorer\\iexplore.exe"))
        or (SrcProcessName endswith "\\maxthon.exe" or DstProcessName endswith "\\maxthon.exe")
        or ((SrcProcessName contains ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"
                or DstProcessName contains ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\")
            or ((SrcProcessName endswith ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
                    or SrcProcessName endswith ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"
                    or SrcProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe")
                or (DstProcessName endswith ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
                    or DstProcessName endswith ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"
                    or DstProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe")))
        or (((SrcProcessName contains ":\\Program Files (x86)\\Microsoft\\EdgeCore\\"
                or SrcProcessName contains ":\\Program Files\\Microsoft\\EdgeCore\\")
            or (DstProcessName contains ":\\Program Files (x86)\\Microsoft\\EdgeCore\\"
                or DstProcessName contains ":\\Program Files\\Microsoft\\EdgeCore\\"))
            and ((SrcProcessName endswith "\\msedge.exe" or SrcProcessName endswith "\\msedgewebview2.exe")
                or (DstProcessName endswith "\\msedge.exe" or DstProcessName endswith "\\msedgewebview2.exe")))
        or (SrcProcessName endswith "\\opera.exe" or DstProcessName endswith "\\opera.exe")
        or (SrcProcessName endswith "\\safari.exe" or DstProcessName endswith "\\safari.exe")
        or (SrcProcessName endswith "\\seamonkey.exe" or DstProcessName endswith "\\seamonkey.exe")
        or (SrcProcessName endswith "\\vivaldi.exe" or DstProcessName endswith "\\vivaldi.exe")
        or (SrcProcessName endswith "\\whale.exe" or DstProcessName endswith "\\whale.exe")
        or (SrcProcessName endswith "\\GoogleUpdate.exe" or DstProcessName endswith "\\GoogleUpdate.exe")
        or (SrcProcessName endswith "\\outlook.exe" or DstProcessName endswith "\\outlook.exe"))))

Required Data Sources

Sentinel table: imNetworkSession
Notes: Ensure this data connector is enabled.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml