C2 Hiding in plain sight

mthcht
2 min read · Aug 7, 2023


Understanding your environment, including which applications are used and allowed, will enhance the effectiveness of your hunt here.

This is a list of C2 projects that leverage legitimate APIs as their communication channel: Telegram, Twitter, Gmail, Slack, Discord, Google Sheets/Drive, GitHub, YouTube, Pastebin, Reddit, Zoom, Notion, Dropbox, Instagram and even VirusTotal APIs are used by C2s.

Monitor API calls to these services, as any API service can be abused as a C2 channel. Knowing your environment is key!

The list will be updated frequently on Github: https://github.com/mthcht/Purpleteam/blob/main/Detection/Threat%20Hunting/generic/C2_abusing_API_services.md

Telegram API usage

C2 projects:

API detection:

Twitter API usage

C2 projects:

API detection:

Gmail API usage

C2 projects:

API detection:

Slack API usage

C2 projects:

API detection:

Discord API usage

C2 projects:

API detection:

Google Sheets/Google Drive API usage

C2 projects:

API detection:

Google Calendar

C2 projects:

API detection:

GitHub API usage

C2 projects:

API detection:

YouTube API usage

C2 projects:

API detection:

Pastebin API usage

C2 projects:

API detection:

Reddit API usage

C2 projects:

API detection:

Dropbox API usage

C2 projects:

API detection:

Instagram API usage

C2 projects:

API detection:

Zoom API usage

C2 projects:

API detection:

VirusTotal API usage

C2 projects:

API detection:

Notion API usage

C2 projects:

API detection:

Zulip API usage

C2 projects:

API detection:

Matrix

C2 projects:

API detection:

  • POST requests to: https://matrix.org/_matrix/client/r0/rooms/*/send/m.room.message
  • GET requests to: https://matrix.org/_matrix/client/r0/rooms/*/messages
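The Matrix detection above, as an added example that is not part of the original post: a small Python hunt that turns the two wildcard URL patterns into anchored regexes and runs them over constructed proxy log lines, counting hits per source host so a beaconing endpoint stands out. The log field layout (timestamp, source IP, method, URL) and the sample lines are assumptions; the same helper works for any wildcard URL pattern in this list.

```python
"""Flag proxy-log requests that hit the Matrix C2 endpoint patterns.
Added example, not from the original post. Log lines are constructed here
and the field layout (timestamp, src, method, url) is an assumption."""
import re
from collections import Counter

# Patterns from the post: '*' stands for the room id path segment.
MATRIX_C2_PATTERNS = [
    ("POST", "https://matrix.org/_matrix/client/r0/rooms/*/send/m.room.message"),
    ("GET",  "https://matrix.org/_matrix/client/r0/rooms/*/messages"),
]

def pattern_to_regex(method: str, pattern: str) -> re.Pattern:
    """Turn a method + wildcard URL into an anchored regex.
    '*' matches exactly one path segment; a trailing query string is allowed."""
    parts = [re.escape(p) for p in pattern.split("*")]
    url_re = "[^/?]+".join(parts)
    return re.compile(rf"^{method}\s+{url_re}(\?[^\s]*)?$")

COMPILED = [pattern_to_regex(m, p) for m, p in MATRIX_C2_PATTERNS]

# Assumed proxy log layout: <timestamp> <src ip> <method> <url>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

def find_matrix_c2(lines):
    """Return (src, method, url) for every line matching a C2 pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the hunt
        request = f"{m['method']} {m['url']}"
        if any(r.match(request) for r in COMPILED):
            hits.append((m["src"], m["method"], m["url"]))
    return hits

def hosts_by_hit_count(lines):
    """Count matching requests per source host; a steady beacon shows up here."""
    return Counter(src for src, _, _ in find_matrix_c2(lines))

# Constructed sample proxy log (not real data).
SAMPLE_LOG = """\
2023-08-07T10:00:01Z 10.0.0.5 POST https://matrix.org/_matrix/client/r0/rooms/!abc:matrix.org/send/m.room.message
2023-08-07T10:00:31Z 10.0.0.5 GET https://matrix.org/_matrix/client/r0/rooms/!abc:matrix.org/messages?from=s1
2023-08-07T10:00:40Z 10.0.0.7 GET https://matrix.org/_matrix/client/r0/sync
2023-08-07T10:01:01Z 10.0.0.5 POST https://matrix.org/_matrix/client/r0/rooms/!abc:matrix.org/send/m.room.message
2023-08-07T10:01:05Z 10.0.0.9 GET https://example.org/index.html
""".splitlines()

if __name__ == "__main__":
    for src, method, url in find_matrix_c2(SAMPLE_LOG):
        print(f"ALERT {src} {method} {url}")
    print(hosts_by_hit_count(SAMPLE_LOG))
```

Hosts that legitimately run a Matrix client will also trigger this, which is exactly why the post stresses knowing which applications are allowed in your environment before alerting.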



Written by mthcht

Threat Hunting - DFIR - Detection Engineering
