Rule Documentation: Suspicious Non-Browser Access to Google APIs by Rare Processes on Windows
Google Sheets C2query
Query
DeviceNetworkEvents
| where RemoteUrl has_any( @"drive.googleapis.com", @"oauth2.googleapis.com", "sheets.googleapis.com", "www.googleapis.com")
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "edge.exe", "googledrivefs.exe")
| invoke FileProfile(InitiatingProcessSHA1)
| where GlobalPrevalence < 100
| join kind=inner (
DeviceInfo
| project DeviceId, OSPlatform
) on DeviceId
| where OSPlatform contains "windows"About this query
Explanation
This query is designed to detect suspicious activities on Windows devices where unusual processes, rather than common web browsers or the Google Drive File Stream application, are accessing Google API endpoints. Here's a simplified breakdown of what the query does:
-
Targeted Google API Endpoints: It looks for network events where the destination is one of the key Google API endpoints, such as Google Drive, OAuth2, Sheets, or general Google APIs.
-
Exclusion of Common Applications: It filters out events initiated by well-known web browsers (like Chrome, Firefox, Edge) and the legitimate Google Drive File Stream application, focusing instead on less common processes.
-
Rare Process Identification: It uses file profiling to identify processes that are not commonly seen globally (less than 100 occurrences), which could indicate a custom or malicious application.
-
Windows Device Verification: It ensures that the detected activity is happening on a Windows device by checking the operating system information.
The query is tagged with relevant categories such as network connection, Google API access, and suspicious activity, indicating its focus on identifying potential data exfiltration or other malicious actions. However, it may produce false positives, and further refinement might be necessary to improve its accuracy.
Details

Ali Hussein
Released: February 25, 2025
Tables
Keywords
Operators