Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious Non-Browser Network Communication With Google API
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious Non-Browser Network Communication With Google API
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: |
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
- https://github.com/looCiprian/GC2-sheet
- https://youtu.be/n2dFlSaBBKo
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
- https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
- https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023-05-01
modified: 2025-02-22
tags:
- attack.command-and-control
- attack.t1102
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationHostname|contains:
# Note: Please add additional google API related domains that might be abused.
- 'drive.googleapis.com'
- 'oauth2.googleapis.com'
- 'sheets.googleapis.com'
- 'www.googleapis.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image|endswith:
- ':\Program Files\Google\Chrome\Application\chrome.exe'
- ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_google_drive:
Image|contains: ':\Program Files\Google\Drive File Stream\'
Image|endswith: '\GoogleDriveFS.exe'
filter_optional_firefox:
Image|endswith:
- ':\Program Files\Mozilla Firefox\firefox.exe'
- ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image|endswith:
- ':\Program Files (x86)\Internet Explorer\iexplore.exe'
- ':\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith:
- ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- ':\Program Files\Microsoft\Edge\Application\msedge.exe'
- '\WindowsApps\MicrosoftEdge.exe'
filter_optional_edge_2:
Image|contains:
- ':\Program Files (x86)\Microsoft\EdgeCore\'
- ':\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
filter_optional_googleupdate:
Image|endswith: '\GoogleUpdate.exe'
filter_optional_outlook_exe:
Image|endswith: '\outlook.exe'
filter_main_null:
Image: null
filter_main_empty:
Image: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml