Understanding your environment with the applications used and allowed will enhances the effectiveness of your hunt here.
List of C2 projects leveraging legitimate APIs like Telegram, Twitter, Gmail, Slack, Discord, Google Sheets/Drive, Github, YouTube, Pastebin, Reddit, Zoom, Notion, Dropbox, Instagram and even Virustotal APIs are used by C2’s.
Monitor API calls to these services, as any API service can be exploited as a C2, Knowing your environment is key !
The list will be updated frequently on Github: https://github.com/mthcht/Purpleteam/blob/main/Detection/Threat%20Hunting/generic/C2_abusing_API_services.md
Telegram API usage
C2 projects:
- https://github.com/3ct0s/disctopia-c2
- https://github.com/timebotdon/telegram-c2agent
- https://github.com/SpenserCai/DRat
- https://github.com/kensh1ro/NativeTeleBackdoor
- https://github.com/Lemonada/teleBrat
- https://github.com/woj-ciech/Social-media-c2
- https://github.com/itaymigdal/Poshito
API detection:
- Requests to
https://api.telegram.org/bot*
Twitter API usage
C2 projects:
- https://github.com/slaeryan/LARRYCHATTER
- https://github.com/PaulSec/twittor
- https://github.com/woj-ciech/Social-media-c2
API detection:
- Requests to
https://api.twitter.com/1*
,https://api.twitter.com/2*
,https://upload.twitter.com/
,https://api.twitter.com/oauth*
Gmail API usage
C2 projects:
- https://github.com/byt3bl33d3r/gcat
- https://github.com/machine1337/gmailc2
- https://github.com/reveng007/SharpGmailC2
- https://github.com/rschwass/PSGSHELL
- https://github.com/shanefarris/GmailBackdoor
API detection:
- Requests to
https://www.googleapis.com/gmail/*
,https://www.googleapis.com/auth/*
Slack API usage
C2 projects:
- https://github.com/Coalfire-Research/Slackor
- https://github.com/bkup/SlackShell
- https://github.com/praetorian-inc/slack-c2bot
- https://github.com/j3ssie/c2s
- https://github.com/herwonowr/slackhell
- https://github.com/Yihsiwei/slack-c2-golang
API detection:
- Requests to
https://slack.com/api/*
Discord API usage
C2 projects:
- https://github.com/MythicC2Profiles/discord
- https://github.com/3ct0s/disctopia-c2
- https://github.com/emmaunel/DiscordGo
- https://github.com/crawl3r/DaaC2
- https://github.com/th3r4ven/Bifrost
- https://github.com/kensh1ro/Willie-C2
- https://github.com/codeuk/discord-rat
- https://github.com/Vczz0/Cerberos-C2
- https://github.com/3NailsInfoSec/DCVC2
- https://github.com/hoaan1995/ZER0BOT
- https://github.com/Jeff53978/Python-Trojan
API detection:
- Requests to
https://discord.com/api/*
Google Sheet/Google Drive API usage
C2 projects:
- https://github.com/looCiprian/GC2-sheet
- https://github.com/a-rey/google_RAT
- https://github.com/SpiderLabs/DoHC2
API detection:
Google Calendar
C2 projects:
API detection:
- Requests to
https://www.googleapis.com/auth/calendar*
Github API usage
C2 projects:
- https://github.com/3ct0s/disctopia-c2
- https://github.com/TheD1rkMtr/GithubC2
- https://github.com/maldevel/canisrufus
API detection:
- Requests to
https://api.github.com/*
Youtube API usage
C2 projects:
API detection:
- Requests to
https://www.googleapis.com/youtube/*
Pastebin API usage
C2 projects:
API detection:
Reddit API usage
C2 projects:
API detection:
- Requests to
https://www.reddit.com/api/*
Dropbox API usage
C2 projects:
API detection:
- Requests to
https://api.dropboxapi.com/*
Instagram API usage
C2 projects:
API detection:
Zoom API usage
C2 projects:
API detection:
- Requests to
https://api.zoom.us/v2/chat/users/me/*
Virustotal API usage
C2 projects:
- https://github.com/RATandC2/VirusTotalC2
- https://github.com/D1rkMtr/VirusTotalC2 (the repo does not exist anymore and the github username changed from D1rkMtr to TheD1rkMtr)
API detection:
- Requests to
https://www.virustotal.com/api/v3/*/comments
,https://www.virustotal.com/api/v2/*/comments
Notion API usage
C2 projects:
API detection:
- Requests to
https://api.notion.com*
Zulip API usage
C2 projects:
API detection:
- Requests to:
https://*.zulipchat.com/api/v1/messages*
https://*.zulipchat.com/api/v1/user_uploads*
https://*.zulipchat.com/api/v1/users/me/subscriptions*
https://*.zulipchat.com/api/v1/get_stream_id?stream=*
Matrix
C2 projects:
API detection:
- POST Requests to:
https://matrix.org/_matrix/client/r0/rooms/*/send/m.room.message
- GET Requests to:
https://matrix.org/_matrix/client/r0/rooms/*/messages