← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potentially Suspicious Network Connection To Notion API

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

Quality
0
FP risk
Forks
0
Views
0
ATT&CK techniques
T1102
Rule sourcerules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml
title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
    - https://github.com/mttaggart/OffensiveNotion
    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.notion.com'
    filter_main_notion:
        Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low