c2_data.json

{
  "telegram": {
    "descriptionUrl": "doc/telegram.md",
    "c2Projects": [
      "https://github.com/3ct0s/disctopia-c2",
      "https://github.com/timebotdon/telegram-c2agent",
      "https://github.com/SpenserCai/DRat",
      "https://github.com/kensh1ro/NativeTeleBackdoor",
      "https://github.com/Lemonada/teleBrat",
      "https://github.com/woj-ciech/Social-media-c2",
      "https://github.com/machine1337/TelegramRAT",
      "https://github.com/1N73LL1G3NC3x/Nightmangle",
      "https://github.com/itaymigdal/Poshito",
      "https://github.com/govindasamyarun/c2-cloud",
      "https://github.com/beigeworm/PoshGram-C2"
    ],
    "detection": [
      "url: https://api.telegram.org/bot*",
      "POST - url: https://api.telegram.org/bot*/sendMessage",
      "POST - url: https://api.telegram.org/bot*/sendDocument",
      "GET - url: https://api.telegram.org/bot*/getUpdates",
      "POST - url: https://api.telegram.org/bot*/sendPhoto",
      "GET - url: https://api.telegram.org/bot*/getMe",
      "url: https://t.me/s/*",
      "detection strategy: Non-browser process (python.exe, powershell.exe, curl.exe, cmd.exe, or unknown binary) making HTTPS requests to api.telegram.org",
      "detection strategy: Outbound connections to api.telegram.org from processes that are not telegram.exe or its legitimate subprocesses",
      "detection strategy: Requests to api.telegram.org coupled with prior API calls to IP lookup services (ipify.org, ip-api.com, ifconfig.me) \u2014 common initial C2 beacon pattern",
      "detection strategy: Process copying itself to C:\\Windows\\Temp\\svchost.exe before initiating connections to api.telegram.org (Golang backdoor pattern)",
      "detection strategy: Periodic polling pattern with GET requests to /bot*/getUpdates at regular intervals indicating command polling",
      "detection strategy: POST requests to /bot*/sendDocument containing base64-encoded or archived file payloads (data exfiltration)",
      "detection strategy: Command-line arguments containing api.telegram.org or bot token strings matching pattern [0-9]+:[A-Za-z0-9_-]{35}",
      "detection strategy: Hard-coded Telegram bot tokens or chat IDs embedded in binary strings or script files on disk",
      "detection strategy: Persistent long-duration HTTPS sessions to Telegram IP ranges (149.154.160.0/20, 91.108.4.0/22) from non-Telegram processes",
      "[Lazarus/NineRAT] Telegram Bot API used as C2 channel exploiting Log4Shell for initial access",
      "[GRAMDOOR/UNC3313] url: https://api.telegram.org/bot2003026094:*/sendMessage \u2014 Iranian APT MuddyWater campaign",
      "[Lumma Stealer] Retrieves C2 addresses from Telegram channel names, decrypts using ROT13/ROT15",
      "[DeerStealer] Uses curl.exe POST to /sendMessage endpoint with victim notification strings",
      "[Raven Stealer] Exfiltrates archived credential files via /sendDocument endpoint",
      "detection blog: https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/",
      "detection blog: https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor",
      "detection blog: https://www.activecountermeasures.com/threat-hunting-a-telegram-c2-channel/"
    ]
  },
  "FireBase": {
    "descriptionUrl": "doc/firebase.md",
    "c2Projects": [
      "https://github.com/s0ld13rr/firec2"
    ],
    "detection": [
      "GET & PUT & PATCH - url: https://*.firebaseio.com/*.json",
      "PUT - url: https://*.firebaseio.com/agents/*/meta.json",
      "GET - url: https://*.firebaseio.com/tasks/*/.json",
      "PUT - url: https://*.firebaseio.com/results/*/.json",
      "PUT - url: https://*.firebaseio.com/files/*/.json",
      "GET - url: https://*.firebaseio.com/uploads/*/.json",
      "PUT - url: https://*.firebaseio.com/upload_results/*/.json",
      "PATCH - url: https://*.firebaseio.com/agents/*/heartbeat.json",
      "PATCH - url: https://*.firebaseio.com/tasks/*/*.json",
      "url: https://*-default-rtdb.firebaseio.com/*",
      "url: https://s-usc1b-nss-*.firebaseio.com/*",
      "[firec2] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
      "detection strategy: Non-browser process (python.exe, powershell.exe, cmd.exe, or unknown binary) making HTTPS requests to *.firebaseio.com",
      "detection strategy: Periodic polling pattern (10-30s intervals) with GET requests to a firebaseio.com path ending in .json",
      "detection strategy: PUT requests to firebaseio.com containing large base64-encoded payloads in JSON body (file exfiltration via database entries)",
      "detection strategy: PATCH requests to a /heartbeat.json path at regular intervals (~60s) indicating agent beaconing",
      "detection strategy: Outbound WebSocket upgrade requests (Upgrade: websocket header) to *.firebaseio.com from non-browser processes",
      "detection strategy: Process executing shell commands (subprocess with shell=True) shortly after receiving data from firebaseio.com endpoints",
      "detection strategy: Base64-encoded firebaseio.com URLs stored in binary or script files on disk (agent configuration artifact)",
      "detection blog: https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/"
    ]
  },
  "CounterStrike 1.6": {
    "descriptionUrl": "doc/counterstrike.md",
    "c2Projects": [
      "https://github.com/eversinc33/1.6-C2"
    ],
    "detection": [
      "Unusual outbound UDP traffic on port 27015",
      "Source RCON protocol documentation: https://developer.valvesoftware.com/wiki/Source_RCON_Protocol",
      "detection strategy: Outbound UDP traffic on port 27015 from non-game processes or from servers where CS 1.6 is not installed",
      "detection strategy: Source RCON protocol commands embedded in game server communication from unexpected source IPs"
    ]
  },
  "cloudflare": {
    "descriptionUrl": "doc/cloudflare.md",
    "c2Projects": [
      "https://github.com/ChoiSG/CloudflarePagesRedirector",
      "https://github.com/som3canadian/Cloudflare-Redirector",
      "https://github.com/nickvourd/SkyFall-Pack"
    ],
    "detection": [
      "Cloudflare Tunnels: *.cfargotunnel.com",
      "Cloudflare Workers and Apps: https://*.workers.dev",
      "Cloudflare Pages: https://*.pages.dev",
      "Cloudflare DoH: https://cloudflare-dns.com/dns-query",
      "blog: https://labs.jumpsec.com/putting-the-c2-in-c2loudflare/",
      "comment: Keep an eye on DNS queries for subdomains of cfargotunnel.com and workers.dev that don't align with normal business operations",
      "[CloudflarePagesRedirector] In this project the default user-agents strings ('ligoloua' & 'sliverua') serve as identifiers for implants to communicate with their respective backends",
      "detection strategy: cloudflared.exe or cloudflared binary running on hosts where Cloudflare Tunnel was not sanctioned",
      "detection strategy: DNS queries for *.cfargotunnel.com subdomains that don't align with normal business operations",
      "detection strategy: Outbound connections to *.workers.dev or *.pages.dev from non-browser processes"
    ]
  },
  "Strava": {
    "descriptionUrl": "doc/strava.md",
    "c2Projects": [
      "https://github.com/BongoKnight/ConceptC2"
    ],
    "detection": [
      "url: http://www.strava.com/oauth/authorize?client_id=*",
      "url: https://www.strava.com/oauth/token",
      "url: POST & GET https://www.strava.com/api/v3/activities",
      "url: PUT & GET https://www.strava.com/api/v3/activities/*",
      "detection strategy: Non-browser process making OAuth and API calls to strava.com/api/v3/ endpoints",
      "detection strategy: Strava activity descriptions or titles containing encoded command/response data"
    ]
  },
  "Google Translate": {
    "descriptionUrl": "doc/google_translate.md",
    "c2Projects": [
      "https://github.com/UnkL4b/BabyShark",
      "https://github.com/mthbernardes/GTRS"
    ],
    "detection": [
      "[BabyShark] User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
      "[BabyShark] url: */momyshark?key=*",
      "[BabyShark] file created: /tmp/input",
      "[BabyShark] file created: /tmp/output",
      "[BabyShark] detection blog: https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845",
      "url: https://translate.google.com/translate?&anno=2&u=*",
      "url: https://*.translate.goog",
      "High-frequency polling of a specific translated site",
      "Base64 payloads in translated sites url",
      "detection strategy: Non-browser process making requests to translate.google.com or *.translate.goog domains",
      "detection strategy: Google Translate used as proxy to access attacker-controlled pages \u2014 high-frequency polling of same translated URL"
    ]
  },
  "mastodon": {
    "descriptionUrl": "doc/mastodon.md",
    "c2Projects": [
      "https://github.com/g0h4n/REC2"
    ],
    "detection": [
      "GET url: https://mastodon.be/username_fzihfzuhfuoz/109743339821428173",
      "GET url: https://mastodon.be/api/v1/statuses/*/context",
      "POST url: https://mastodon.be/api/v1/statuses",
      "detection strategy: Non-browser process making API calls to a Mastodon instance /api/v1/statuses endpoint",
      "detection strategy: Periodic polling of specific Mastodon status threads at regular intervals from automated processes",
      "detection strategy: Mastodon access tokens stored in scripts or binary strings on disk"
    ]
  },
  "whatsapp": {
    "descriptionUrl": "doc/whatsapp.md",
    "c2Projects": [
      "https://github.com/KarimJedda/whatsappcli"
    ],
    "detection": [
      "HTTP - POST url: https://v.whatsapp.net/v2/register",
      "HTTP - POST url: https://v.whatsapp.net/v2/exist",
      "XMPP - connection and messaging routing: c.whatsapp.net - s.whatsapp.net - e1.whatsapp.net - e2.whatsapp.net - e3.whatsapp.net - e4.whatsapp.net - e5.whatsapp.net - e6.whatsapp.net - e7.whatsapp.net - e8.whatsapp.net - e9.whatsapp.net - e10.whatsapp.net - e11.whatsapp.net - e12.whatsapp.net - e13.whatsapp.net - e14.whatsapp.net - e15.whatsapp.net - e16.whatsapp.net",
      "XMPP - Media server for image/file transfers: mms.whatsapp.net",
      "Detection logic: Unusual XMPP traffic to c.whatsapp.net and eX.whatsapp.net from a non-mobile device",
      "Detection logic: Unusual volume of inbound/outbound XMPP traffic",
      "Detection logic: Excessive outbound media uploads to mms.whatsapp.net",
      "Detection logic: Presence of Yowsup or whatsapp-web.js automation scripts on a system"
    ]
  },
  "Microsoft Printer": {
    "descriptionUrl": "doc/microsoft_printer.md",
    "c2Projects": [
      "https://github.com/Diverto/IPPrintC2"
    ],
    "detection": [
      "detection strategy: unusual printer jobs name - base64 strings and long fragmented document names",
      "detection strategy: unusual printer creation and jobs in Microsoft-Windows-PrintService/Operational logs",
      "detection strategy: Microsoft-Windows-PrintService/Operational Event ID 300 for a printer with an external IP",
      "detection strategy: repeated or scheduled polling of /printers/ endpoints from client machines",
      "detection strategy: unusual process spawned from spoolsv.exe such as cmd.exe, powershell.exe, or wscript.exe",
      "detection patterns: https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/IPPrintC2.csv",
      "detection strategy: IPP (Internet Printing Protocol) traffic to external IP addresses on port 631 from non-print-related processes",
      "detection strategy: Print job document names containing base64-encoded strings or unusually long fragmented names"
    ]
  },
  "Microsoft Azure Application Proxy": {
    "descriptionUrl": "doc/azure_application_proxy.md",
    "c2Projects": [
      "https://github.com/xpn/AppProxyC2"
    ],
    "detection": [
      "url: https://*.msappproxy.net/*",
      "url: https://login.microsoftonline.com/common/oauth2/authorize?resource=https%3A%2F%2Fproxy.cloudwebappproxy.net%2Fregisterapp&client_id=*",
      "[AppProxyC2] User-agent: ApplicationProxyConnector/1.5.1975.0",
      "[AppProxyC2] User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0"
    ]
  },
  "asana": {
    "descriptionUrl": "doc/asana.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/AsanaApi/AsanaApi.cpp"
    ],
    "detection": [
      "url: https://app.asana.com/api/1.0/projects/*",
      "url: https://app.asana.com/api/1.0/tasks/*",
      "url: https://app.asana.com/api/1.0/attachments/*",
      "url: https://app.asana.com/api/1.0/sections/",
      "detection strategy: Non-browser process making API calls to app.asana.com/api/1.0/ endpoints",
      "detection strategy: Periodic polling of Asana task lists at regular intervals indicating C2 command polling",
      "detection strategy: Asana Personal Access Tokens stored in scripts or configuration files on disk"
    ]
  },
  "x": {
    "descriptionUrl": "doc/x.md",
    "c2Projects": [
      "https://github.com/lolc2/XC2"
    ],
    "detection": [
      "url: https://api.x.com/2/*",
      "url: https://api.x.com/2/tweets",
      "url: https://api.x.com/2/dm_conversations/with/*/messages",
      "url: https://api.x.com/2/users/*/tweets",
      "url: https://api.x.com/2/dm_conversations",
      "url: https://api.x.com/2/users/me",
      "url: https://api.x.com/2/lists",
      "url: https://api.x.com/2/tweets/*",
      "detection strategy: High-frequency GETs to /users/<id>/tweets or /dm_conversations",
      "detection strategy: POSTs to /tweets or /dm_conversations/with/<id>/messages",
      "detection strategy: PATCH requests to /users/me with structured bio updates."
    ]
  },
  "onedrive": {
    "descriptionUrl": "doc/onedrive.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/OneDrive365RestFile.cpp",
      "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/listeners/onedrive.py",
      "https://github.com/grantok/Excel-C2",
      "https://github.com/RedSiege/GraphStrike"
    ],
    "detection": [
      "url: https://graph.microsoft.com/v1.0/me/drive/root:/*",
      "url: https://graph.microsoft.com/v1.0/users/*/drive/root:/*",
      "url: https://graph.microsoft.com/v1.0/me/drive/items/*",
      "url: https://graph.microsoft.com/v1.0/sites/*/drives",
      "url: https://graph.microsoft.com/v1.0/me/drive/root/children",
      "url: https://api.onedrive.com/v1.0/shares/*/driveitem/content",
      "url: https://login.windows.net/organizations/oauth2/v2.0/token",
      "[empire] User-agent: Microsoft SkyDriveSync 17.005.0107.0008 ship; Windows NT 10.0 (16299)",
      "[Excel-C2] User-agent: GoLang Client",
      "detection strategy: Non-browser process making Microsoft Graph API calls to /me/drive/ endpoints \u2014 especially from non-Office processes",
      "detection strategy: Periodic file reads from a specific OneDrive folder at regular intervals indicating C2 task polling",
      "detection strategy: Large or encoded file uploads to OneDrive via Graph API from non-Office applications (data exfiltration)",
      "detection strategy: OAuth tokens for Microsoft Graph (scope Files.ReadWrite) stored in scripts or configuration files on disk"
    ]
  },
  "Microsoft Tasks": {
    "descriptionUrl": "doc/tasks.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/Outlook365RestTask.cpp"
    ],
    "detection": [
      "url: https://outlook.office.com/api/v2.0/me/tasks/*",
      "url: https://outlook.office.com/api/v2.0/me/tasks",
      "url: https://login.windows.net/organizations/oauth2/v2.0/token/*",
      "detection strategy: Non-browser process making API calls to outlook.office.com/api/v2.0/me/tasks from non-Office applications",
      "detection strategy: Task titles or bodies containing encoded or structured command strings",
      "detection strategy: Periodic polling of task endpoints at regular intervals from automated processes"
    ]
  },
  "jira": {
    "descriptionUrl": "doc/jira.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/Atlassian/JiraApi.cpp"
    ],
    "detection": [
      "url: https://*.atlassian.net/rest/api/2/issue/*",
      "url: https://*.atlassian.net/rest/api/2/search?jql=project=*",
      "url: https://*.atlassian.net/rest/api/2/attachment/*",
      "detection strategy: Non-browser process making API calls to *.atlassian.net/rest/api/2/ endpoints",
      "detection strategy: Periodic polling of Jira issue comments at regular intervals indicating C2 command polling",
      "detection strategy: Jira API tokens stored in scripts or configuration files on disk"
    ]
  },
  "twitter": {
    "descriptionUrl": "doc/twitter.md",
    "c2Projects": [
      "https://github.com/ZeroDollarSecurity/LarryChatter",
      "https://github.com/PaulSec/twittor",
      "https://github.com/woj-ciech/Social-media-c2"
    ],
    "detection": [
      "url: https://api.twitter.com/1*",
      "url: https://api.twitter.com/2*",
      "url: https://upload.twitter.com/",
      "url: https://api.twitter.com/oauth*",
      "detection strategy: Non-browser process making API calls to api.twitter.com from non-Twitter applications",
      "detection strategy: Twitter API Bearer tokens or OAuth credentials stored in scripts or binary strings on disk",
      "detection strategy: Periodic polling of specific tweet threads or DMs at regular intervals"
    ]
  },
  "gmail": {
    "descriptionUrl": "doc/gmail.md",
    "c2Projects": [
      "https://github.com/byt3bl33d3r/gcat",
      "https://github.com/machine1337/gmailc2",
      "https://github.com/reveng007/SharpGmailC2",
      "https://github.com/rschwass/PSGSHELL",
      "https://github.com/shanefarris/GmailBackdoor"
    ],
    "detection": [
      "url: https://www.googleapis.com/gmail/*",
      "url: https://www.googleapis.com/auth/*",
      "url: https://gmail.googleapis.com/gmail/v1/users/me/messages",
      "url: https://gmail.googleapis.com/gmail/v1/users/me/drafts",
      "POST - url: https://gmail.googleapis.com/gmail/v1/users/me/messages/send",
      "GET - url: https://gmail.googleapis.com/gmail/v1/users/me/messages?q=*",
      "url: https://accounts.google.com/o/oauth2/token",
      "url: https://oauth2.googleapis.com/token",
      "url: https://imap.gmail.com:993",
      "url: https://smtp.gmail.com:465",
      "detection strategy: Anomalous increase in DNS queries or connections to imap.gmail.com or smtp.gmail.com from non-email-client processes",
      "detection strategy: Non-browser process authenticating to Gmail API via OAuth tokens and reading/sending messages programmatically",
      "detection strategy: Draft emails used as a dead-drop for C2 commands \u2014 agent polls drafts, reads instructions, deletes after execution",
      "detection strategy: Gmail API queries filtering for specific labels or subjects used as command markers",
      "detection strategy: Google OAuth refresh tokens or Gmail App Passwords stored in scripts or configuration files on disk",
      "[gcat] Uses Gmail drafts as dead-drop: operator writes command in draft, agent reads and executes, writes output as new draft",
      "[SharpGmailC2] .NET-based agent polls Gmail inbox for commands, sends results via email"
    ]
  },
  "slack": {
    "descriptionUrl": "doc/slack.md",
    "c2Projects": [
      "https://github.com/Coalfire-Research/Slackor",
      "https://github.com/bkup/SlackShell",
      "https://github.com/praetorian-inc/slack-c2bot",
      "https://github.com/j3ssie/c2s",
      "https://github.com/herwonowr/slackhell",
      "https://github.com/Yihsiwei/slack-c2-golang",
      "https://github.com/MythicC2Profiles/slack",
      "https://github.com/Cainor/Shlack-C2",
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/Slack.cpp",
      "https://github.com/mthcht/StringHunter-triage/blob/main/_results_PeriscopeC2_/Periscope-main.7z"
    ],
    "detection": [
      "url: https://slack.com/api/*",
      "url: https://api.slack.com/apps/*",
      "url: https://slack.com/api/chat.postMessage",
      "url: https://slack.com/api/conversations.list?exclude_archived=true",
      "url: https://slack.com/api/conversations.create",
      "url: https://slack.com/api/conversations.replies?channel=*",
      "url: https://slack.com/api/conversations.history?limit=200&channel=*",
      "url: https://slack.com/api/chat.update",
      "url: https://slack.com/api/chat.postMessage",
      "url: https://slack.com/api/chat.delete",
      "url: https://slack.com/api/files.upload?*&channels=*&thread_ts=*",
      "detection strategy: Non-browser process making API calls to slack.com/api/ \u2014 especially from servers where Slack desktop is not installed",
      "detection strategy: Slack Bot OAuth tokens (xoxb-*) or User tokens (xoxp-*) stored in scripts, environment variables, or binary strings on disk",
      "detection strategy: Periodic polling of conversations.history or conversations.replies at regular intervals indicating C2 command polling",
      "detection strategy: File uploads via files.upload API from non-Slack processes containing encoded or archived payloads"
    ]
  },
  "cisco webex": {
    "descriptionUrl": "doc/webex.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/compare/master...tvgdb:C3:cisco-webex-teams-channel"
    ],
    "detection": [
      "url: https://*/v1/access_token",
      "url: https://*/v1/messages",
      "url: https://*/v1/messages?max=*&roomId=*",
      "url: https://*/v1/messages/*",
      "url: https://*/v1/rooms",
      "detection strategy: Non-Webex process making API calls to webexapis.com/v1/ endpoints",
      "detection strategy: Periodic polling of /v1/messages at regular intervals from non-browser processes",
      "detection strategy: Webex Bot access tokens stored in scripts or binary strings on disk"
    ]
  },
  "DuckDuckGO": {
    "descriptionUrl": "doc/duckduckgo.md",
    "c2Projects": [
      "https://github.com/nopcorn/DuckDuckC2"
    ],
    "detection": [
      "url: https://proxy.duckduckgo.com/iu/?u=",
      "url: https://*.pythonanywhere.com/image.jpg?cmd=*",
      "detection strategy: Non-browser process making requests to proxy.duckduckgo.com/iu/ with command parameters embedded in URL",
      "detection strategy: DuckDuckGo image proxy requests containing attacker-controlled destination URLs in the u= parameter"
    ]
  },
  "Microsoft Graph": {
    "descriptionUrl": "doc/graphapi.md",
    "c2Projects": [
      "https://github.com/RedSiege/GraphStrike",
      "https://github.com/grantok/Excel-C2",
      "https://github.com/boku7/azureOutlookC2",
      "https://github.com/NTT-Security-Japan/pac2",
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/OneDrive365RestFile.cpp",
      "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/listeners/onedrive.py"
    ],
    "detection": [
      "url: https://graph.microsoft.com/v1.0/me",
      "url: https://graph.microsoft.com/v1.0/me/messages",
      "url: https://graph.microsoft.com/v1.0/me/MailFolders/drafts/messages",
      "url: https://graph.microsoft.com/v1.0/me/drive/root/children",
      "url: https://graph.microsoft.com/v1.0/me/drive/items/*/content",
      "url: https://graph.microsoft.com/v1.0/me/chats",
      "url: https://graph.microsoft.com/v1.0/users/*/drive/root:/*",
      "url: https://graph.microsoft.com/v1.0/users/*/messages",
      "url: https://graph.microsoft.com/v1.0/drives/*/items/*/workbook/worksheets",
      "url: https://graph.microsoft.com/v1.0/sites/root",
      "url: https://graph.microsoft.com/v1.0/sites/*/drives",
      "url: https://graph.microsoft.com/v1.0/sites/*/drive/items/*/content",
      "url: https://graph.microsoft.com/v1.0/sites/*/lists/*",
      "url: https://graph.microsoft.com/v1.0/sites/*/lists/*/items/",
      "url: https://graph.microsoft.com/beta/*metadata#chats",
      "url: https://graph.microsoft.com/beta/*metadata#teams*/channels*/messages",
      "url: https://graph.microsoft.com/v1.0/*metadata#chats*/members",
      "url: https://graph.microsoft.com/v1.0/*metadata#teams*",
      "url: https://graph.microsoft.com/v1.0/users - bulk tenant user enumeration, returns all user objects (names, UPNs, job titles, departments, managers) with User.Read.All or Directory.Read.All",
      "url: https://graph.microsoft.com/v1.0/users/*/sendMail - email impersonation via Mail.Send application permission, sent email passes SPF/DKIM/DMARC from legitimate mailbox",
      "url: https://graph.microsoft.com/v1.0/servicePrincipals - privilege mapping and lateral recon, attackers enumerate all apps and their Graph permissions to find escalation paths",
      "url: https://graph.microsoft.com/beta/identity/conditionalAccess/policies - Conditional Access policy enumeration with Policy.Read.All, attacker maps policy exclusions and trusted locations before data access",
      "url: https://graph.microsoft.com/v1.0/groups - group membership enumeration for org chart mapping and BEC targeting",
      "url: https://graph.microsoft.com/v1.0/applications/*/addPassword - attacker adds new client secret to existing app registration for persistence",
      "url: https://graph.microsoft.com/v1.0/applications/*/addKey - attacker uploads certificate to app registration for persistent authentication",
      "url: https://graph.microsoft.com/v1.0/oAuth2PermissionGrants - consent grant manipulation, used in consent phishing to grant delegated permissions to malicious apps",
      "url: https://graph.microsoft.com/v1.0/servicePrincipals/*/appRoleAssignments - application permission escalation by granting app roles to a compromised service principal",
      "POST - url: https://login.microsoftonline.com/*/oauth2/v2.0/token",
      "detection strategy: POST body containing grant_type=client_credentials to login.microsoftonline.com token endpoint - machine-to-machine auth that bypasses MFA and Conditional Access entirely, the flow used in the Postman credential leak incident",
      "detection strategy: POST body containing grant_type=urn:ietf:params:oauth:grant-type:device_code to login.microsoftonline.com - device code phishing flow where victim authenticates on a real Microsoft page and unknowingly hands attacker a fully authenticated token including refresh token",
      "detection strategy: POST body containing grant_type=refresh_token from an IP address or device not matching the original authentication - indicates stolen refresh token reuse, bypasses MFA since authentication already completed",
      "detection strategy: Non-interactive sign-in events in Entra ID logs (signInEventTypes: nonInteractiveUser, servicePrincipal) - client_credentials token activity ONLY appears in non-interactive sign-in logs, not the interactive view most SOC teams monitor",
      "detection strategy: Service principal sign-in activity outside business hours, from unexpected IP ranges, or with atypical API call sequences - client_credentials tokens generate no user-facing signal",
      "detection strategy: Device code flow sign-ins (deviceCode grant type) in Entra ID logs where the application ID is unfamiliar or the device platform does not match the user's typical environment",
      "detection strategy: Service principal holding Mail.Read AND Mail.Send at application level - rarely legitimate, enables reading all tenant email plus sending as any user (BEC without phishing infrastructure)",
      "detection strategy: Service principal holding Files.ReadWrite.All at application level - tenant-wide OneDrive/SharePoint access, rarely necessary for legitimate applications",
      "detection strategy: Service principal holding User.Read.All or Directory.Read.All at application level - enables full tenant user enumeration, frequently over-provisioned",
      "detection strategy: Service principal holding Policy.Read.All - can read entire Conditional Access configuration to map defensive gaps before data access",
      "detection strategy: Tenant-wide admin consent grants for unfamiliar application IDs with broad delegated permissions (Mail.Read, Files.ReadWrite.All, User.Read.All) - consent phishing indicator",
      "detection strategy: POST to /applications/*/addPassword or /applications/*/addKey from unexpected identity - attacker adding new client secret or certificate to existing app registration for persistent access",
      "detection strategy: Service principal credential rotation gaps - secrets or certificates that have not been rotated and have long or no expiry dates, increasing window of exposure from leaked credentials",
      "detection strategy: POST to /oAuth2PermissionGrants from multiple users for the same unfamiliar AppId in a short period - consent phishing campaign indicator",
      "detection strategy: MicrosoftGraphActivityLogs (Azure Monitor diagnostic setting) - records ALL HTTP requests to Graph API per tenant, must be explicitly enabled, critical for detecting application-level data access that does not appear in standard audit logs",
      "detection strategy: Unusual Graph API call patterns in MicrosoftGraphActivityLogs - bulk /users enumeration, sequential /users/*/messages reads across many mailboxes, or /drive/root/children access across multiple OneDrive accounts in short timeframe",
      "detection strategy: Refresh token usage from unexpected geographic location or device profile after period of inactivity - indicates stolen refresh token from infostealer (Redline, Lumma, Raccoon) or browser token cache exfiltration",
      "detection strategy: Token refresh activity (POST /token) from your tenant referencing a client_id that does not belong to your organization - cross-tenant token abuse pattern used by Graph-based C2 implants",
      "detection strategy: Draft message creation/modification in mailboxes via /me/MailFolders/drafts/messages that is not associated with normal user activity - FINALDRAFT and AzureOutlookC2 C2 technique",
      "[GraphStrike] User-Agent: Mozilla/6.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
      "[GraphStrike] file name containing the string pD9-tK in O365 logs https://x.com/Octoberfest73/status/1896595415883292920",
      "detection strategy: Non-browser/non-Outlook process making HTTPS requests to graph.microsoft.com - strongest signal when correlated with process tree analysis",
      "detection strategy: Binary or script containing 'graph.microsoft.com' AND 'client_credentials' AND ('client_secret' OR 'client_id') - implant using client credentials flow for Graph C2",
      "detection blog: https://redsiege.com/blog/2024/01/graphstrike-developer/",
      "detection blog: https://infosecwriteups.com/microsoft-graph-api-attack-surface-oauth-flows-abused-endpoints-and-what-defenders-miss-9c303ea2aa02",
      "detection blog: https://www.paloaltonetworks.com/blog/security-operations/detecting-threats-with-microsoft-graph-activity-logs/",
      "detection blog: https://mattysplo.it/2025/02/07/graphapi.html",
      "detection strategy: [FINALDRAFT] C2 via Outlook drafts - parses commands from mailbox drafts folder via Graph API, writes execution results as new draft emails, 37 command handlers including process injection and PowerShell execution without powershell.exe (uses PowerPick), targets gov/defense/telco - REF7707/CL-STA-0049",
      "detection strategy: [SIESTAGRAPH] Predecessor to FINALDRAFT - uses Graph API for C2 via Outlook mail service, first reported by Elastic Security Labs in February 2023",
      "detection strategy: [Havoc/SharePoint C2] Modified Havoc framework using SharePoint via Graph API as FUD C2 - ClickFix phishing delivers multi-stage loader, each stage hidden behind SharePoint, C2 traffic blends with legitimate file collaboration",
      "detection strategy: [BirdyClient] Uses OneDrive via Graph API for C2 - involves vxdiff.dll and apoint.exe process artifacts",
      "detection strategy: [Graphite/Graphican] Graph API-based backdoors used by nation-state actors for C2, leveraging OneDrive and SharePoint endpoints",
      "detection strategy: [Bluelight] Exploits CVE-2021-40444, utilizes Graph API via OneDrive for C2 communications",
      "detection strategy: GraphApiAuditEvents table in Microsoft Defender XDR Advanced Hunting (public preview July 2025) - free alternative to MicrosoftGraphActivityLogs (Sentinel), captures ALL Graph API requests including read operations that were previously invisible in standard audit logs",
      "detection strategy: User-Agent containing 'azurehound' in MicrosoftGraphActivityLogs or GraphApiAuditEvents - pre-built AzureHound versions are trivially detectable via User-Agent string",
      "detection strategy: Single identity requesting 14+ distinct Graph API endpoint categories (users, groups, servicePrincipals, roleAssignments, applications, directoryRoles, etc.) within a 35-minute window - AzureHound/GraphRunner enumeration fingerprint",
      "detection strategy: Single identity requesting 23+ distinct Graph API endpoints with UPN-based queries in short timeframe - Purple Knight reconnaissance fingerprint",
      "detection strategy: PATCH requests to /applications/* or /servicePrincipals/* containing addPassword or addKey in RequestUri - attacker creating persistent backdoor credentials, treat as critical incident",
      "detection strategy: Single AppId performing GET requests to /users/*/messages across multiple distinct mailboxes (>5 unique UserId targets) in short timeframe - bulk email exfiltration pattern, cross-reference AppId with known legitimate applications",
      "detection strategy: Application using both Mail.Read (GET /messages) AND Mail.Send (POST /sendMail) via Graph API in same session - BEC pattern where attacker reads financial conversations then sends impersonation emails",
      "detection strategy: High-volume GET requests to /drive/items/*/content (ResponseStatusCode 302 or 200) from single AppId in short timeframe - 'smash and grab' document exfiltration, correlate with CloudAppEvents for downloaded item identification",
      "detection strategy: Creation of anonymous sharing links via Graph API (/createLink) followed by external access - data exfiltration via legitimate SharePoint sharing mechanism",
      "detection strategy: File download followed by file deletion via Graph API by same identity - anti-forensics pattern to cover exfiltration tracks",
      "detection strategy: Graph API requests originating from Azure VM Managed Identity tokens (exfiltrated via Instance Metadata Service at 169.254.169.254) - compromised cloud infrastructure pivoting to Graph for tenant enumeration",
      "detection strategy: login.microsoftonline.com/common/oauth2/token with refresh_token in request body where the refresh token was obtained from a configuration file or binary - FINALDRAFT stores refresh token in its embedded configuration",
      "detection strategy: Spike in ResponseStatusCode 401 or 403 from single AppId or ServicePrincipalId - enumeration attempts by compromised identity testing permission boundaries, often precedes successful data access after privilege discovery",
      "detection strategy: Correlate MicrosoftGraphActivityLogs with AADNonInteractiveUserSignInLogs on SignInActivityId/UniqueTokenIdentifier to map Graph API calls back to the specific authentication event and token that authorized them",
      "detection strategy: Correlate Graph API caller IP addresses with geo_info_from_ip_address() - Graph API calls from geographic locations inconsistent with the service principal's or user's normal operating location indicate token theft",
      "detection strategy: Join MicrosoftGraphActivityLogs with AADRiskyUsers on UserId to surface Graph API activity from accounts already flagged as risky by Entra ID Protection",
      "detection blog: https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/hunting-with-microsoft-graph-activity-logs/4234632",
      "detection blog: https://kqlquery.com/posts/graphapiauditevents/",
      "detection blog: https://cloudbrothers.info/en/detect-threats-microsoft-graph-logs-part-1/",
      "detection blog: https://practical365.com/investigating-oauth-app-abuse-with-the-graph-activity-log/",
      "detection blog: https://practical365.com/investigating-document-exfiltration-with-the-graph-activity-log/",
      "detection blog: https://www.cloud-architekt.net/token-hunting-workload-identity-activity/",
      "detection blog: https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2024-010/",
      "detection strategy: MailItemsAccessed audit event with AppId=00000003-0000-0000-c000-000000000000 (Microsoft Graph) - confirms email was accessed programmatically via Graph API rather than Outlook client, pivot on ClientAppId to identify the specific application",
      "detection strategy: MailItemsAccessed Throttling (>1000 records in 24hrs triggers throttling) - the presence of throttling itself is a strong compromise indicator since fewer than 1% of mailboxes in Exchange Online are throttled (Microsoft/NOBELIUM hunting query)",
      "detection strategy: MailItemsAccessed where single ClientAppId accesses >5 unique mailboxes within a 10-minute window - bulk email harvesting pattern, filter on AppId=00000003-0000-0000-c000-000000000000 for Graph-specific access (Splunk detection)",
      "url: https://graph.microsoft.com/v1.0/users/*/mailFolders/inbox/messageRules - inbox rule creation endpoint, POST creates forwarding/redirect rules used for BEC email interception",
      "detection strategy: POST to /mailFolders/inbox/messageRules or /mailFolders/inbox/rules in MicrosoftGraphActivityLogs - creation of inbox forwarding rules via Graph API, check for forwardTo, forwardAsAttachmentTo, or redirectTo actions pointing to external addresses",
      "detection strategy: DELETE requests to /users/*/messages/* in MicrosoftGraphActivityLogs - message deletion via Graph API, especially when correlated with prior GET/read activity from same AppId indicates evidence destruction after exfiltration",
      "detection strategy: Previously unseen AppId + UserPrincipalObjectId combination accessing email-related Graph endpoints (/me/messages, /sendMail, /mailFolders/inbox/messages) within last 14 days - New Terms detection for phished OAuth refresh tokens or compromised Primary Refresh Tokens (Elastic Security rule)",
      "detection strategy: Previously unseen AppId making Graph API calls in tenant - baseline known legitimate AppIds and alert on any new application accessing Graph, especially with Mail, Files, or Directory permissions",
      "url: https://graph.microsoft.com/v1.0/subscriptions - Graph API change notification subscriptions, attacker can create webhooks to receive real-time notifications when mail arrives or files change, enabling passive monitoring without repeated polling",
      "detection strategy: PATCH to /users/*/mailboxSettings via Graph API - modification of mailbox settings (auto-forwarding, automatic replies, locale) can be used for persistence or to redirect email without creating visible inbox rules",
      "detection strategy: Graph API calls with $filter, $search, or $select OData parameters targeting sensitive content in /messages endpoint - attackers use server-side filtering (e.g. $search=\"password\" OR $filter=subject eq 'wire transfer') to precisely target high-value emails without downloading entire mailboxes",
      "detection strategy: Graph API calls to /security/cases/ediscoveryCases or Purview compliance search endpoints from unexpected identities - attackers with sufficient privileges abuse eDiscovery/compliance search to perform broad keyword searches across all tenant mailboxes (CISA AA21-008a)",
      "detection strategy: Unified Audit Log 'Send' event from mailbox where prior MailItemsAccessed shows Graph API access from different IP/application - email sent by attacker from compromised account after programmatic mailbox access, differentiates attacker-sent vs user-sent messages",
      "detection blog: https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-dissecting-email-collection-techniques.html",
      "detection blog: https://www.elastic.co/guide/en/security/8.19/suspicious-email-access-by-first-party-application-via-microsoft-graph.html",
      "detection blog: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-008a",
      "detection blog: https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf",
      "detection blog: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/MailItemsAccessed%20Throttling%20%5BNobelium%5D.md",
      "detection blog: https://practical365.com/investigating-mailbox-breaches-with-the-graph-activity-log/",
      "detection blog: https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2"
    ]
  },
  "Microsoft outlook": {
    "descriptionUrl": "doc/outlook.md",
    "c2Projects": [
      "https://github.com/trustedsec/specula",
      "https://github.com/boku7/azureOutlookC2"
    ],
    "detection": [
      "[specula] - User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Specula; Microsoft Outlook*",
      "[Specula] - detection patterns https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/specula.csv",
      "[azureOutlookC2] url: https://login.microsoftonline.com/*/oauth2/token?api-version=1.0",
      "[azureOutlookC2] url: https://graph.microsoft.com/v1.0/me/MailFolders/drafts/messages",
      "[azureOutlookC2] url: https://graph.microsoft.com/v1.0/me/messages",
      "[azureOutlookC2] email recipient: Bobby.Cooke@0xBoku.com",
      "[azureOutlookC2] email subject: 'Azure Outlook Command & Control'",
      "[azureOutlookC2] User-Agent: 'Mozilla'",
      "detection strategy: Non-Outlook process making Graph API calls to /me/MailFolders/drafts/messages \u2014 draft dead-drop C2 pattern",
      "detection strategy: Outlook Specular homepage hijacking \u2014 HKCU registry modification setting custom WebView URL for Outlook folder home pages"
    ]
  },
  "Microsoft Power Automate": {
    "descriptionUrl": "doc/power_automate.md",
    "c2Projects": [
      "https://github.com/NTT-Security-Japan/pac2"
    ],
    "detection": [
      "url: https://graph.microsoft.com/v1.0/*metadata#teams*",
      "url: https://graph.microsoft.com/v1.0/*metadata#chats*/members",
      "url: https://graph.microsoft.com/beta/*metadata#chats",
      "url: https://graph.microsoft.com/beta/*metadata#teams*/channels*/messages",
      "url: https://www.dropbox.com/cli_link_nonce?nonce=f*",
      "url: https://content.dropboxapi.com/2/files/upload",
      "url: https://api.dropboxapi.com/2/files/download",
      "[pac2] url: http://dummy.pac2.localhost:9999",
      "[pac2] url: http://localhost:9999/login",
      "[pac2] url: http://localhost:9999/register",
      "[pac2] url: http://localhost:9999/portal",
      "[pac2] url: */providers/Microsoft.PowerApps/apis/shared_flowmanagement",
      "[pac2] url: */providers/Microsoft.PowerApps/apis/shared_dropbox",
      "[pac2] url: *pac2/*/upload/connections.json",
      "[pac2] url: *pac2/*/payload",
      "[pac2] url: https://make.powerautomate.com",
      "[pac2] url: */portal/client/payload",
      "[pac2] url: */api/teams/messages?channel_id=*",
      "[pac2] url: */portal/teams?client_id=*",
      "[pac2] url: */api/teams/chats",
      "[pac2] url: */api/teams/channels",
      "[pac2] url: */api/teams/messages",
      "[pac2] url: */api/teams/graph",
      "[pac2] url: */teams/chat_members",
      "[pac2] User-Agent: azure-logic-apps/1.0",
      "[pac2] file: */mount/dropbox/Dropbox/pac2",
      "[pac2] file: /c2_access.log",
      "detection strategy: Non-browser process making API calls to make.powerautomate.com or flow.microsoft.com endpoints",
      "detection strategy: Power Automate flows created with connections to external services (Dropbox, Teams) that weren't sanctioned by IT"
    ]
  },
  "Microsoft Azure Functions": {
    "descriptionUrl": "doc/azure_functions.md",
    "c2Projects": [
      "https://github.com/RedSiege/FunctionalC2",
      "https://github.com/dmcxblue/AzureFunctionRedirector",
      "https://web.archive.org/web/20241203083420/https://fortynorthsecurity.com/blog/azure-functions-functional-redirection/",
      "https://github.com/Flangvik/AzureC2Relay"
    ],
    "detection": [
      "Before forwarding: only url: https://*.azurewebsites.net/api/*",
      "POST - url: */FortyNorth/PostIt",
      "GET - url: */FortyNorth/GetIt",
      "url: */FortyNorth/StageIt",
      "User-Agent: Microsoft-CryptoAPI/6.1",
      "detection strategy: Outbound connections to *.azurewebsites.net/api/* from processes that don't normally interact with Azure Functions",
      "detection strategy: Azure Function app used as HTTP redirector \u2014 traffic pattern shows client to Azure Function to actual C2 server relay",
      "detection strategy: Function app created under attacker-controlled Azure subscription serving as a proxy for Cobalt Strike or other C2 traffic",
      "detection strategy: Unusual User-Agent strings (e.g., Microsoft-CryptoAPI/6.1) in requests routed through Azure Function endpoints",
      "detection strategy: Azure Function endpoints responding with encoded or binary payloads inconsistent with legitimate API responses"
    ]
  },
  "soundcloud": {
    "descriptionUrl": "doc/soundcloud.md",
    "c2Projects": [
      "https://github.com/reevesrs24/LivingOffAlexa"
    ],
    "detection": [
      "https://api-v2.soundcloud.com/*",
      "https://api.soundcloud.com/*",
      "https://cf-media.sndcdn.com/*",
      "detection strategy: Non-browser process making API calls to api-v2.soundcloud.com or api.soundcloud.com",
      "detection strategy: SoundCloud track descriptions or comments containing encoded command/response data",
      "detection strategy: Periodic polling of specific SoundCloud resources at regular intervals"
    ]
  },
  "spotify": {
    "descriptionUrl": "doc/spotify.md",
    "c2Projects": [
      "https://github.com/Kaiser784/SoundShell"
    ],
    "detection": [
      "url: https://p.scdn.co/mp3-preview/",
      "url: https://api.spotify.com/v1/*",
      "detection strategy: Non-browser/non-Spotify process making API calls to api.spotify.com/v1/ endpoints",
      "detection strategy: Spotify playlist descriptions or track metadata containing encoded command strings",
      "detection strategy: Spotify OAuth tokens stored in scripts or binary strings on disk"
    ]
  },
  "Microsoft Teams": {
    "descriptionUrl": "doc/teams.md",
    "c2Projects": [
      "https://github.com/cxnturi0n/convoC2",
      "https://github.com/NTT-Security-Japan/pac2"
    ],
    "detection": [
      "url: https://teams.microsoft.com/api/chatsvc/*/v1/threads",
      "url: https://teams.microsoft.com/api/chatsvc/*/v1/users/ME/conversations/",
      "detection strategy: Non-Teams process making API calls to teams.microsoft.com/api/chatsvc/ endpoints",
      "detection strategy: Teams chat messages containing encoded or structured command/response strings from automated processes",
      "detection strategy: Periodic polling of Teams conversation threads at regular intervals from non-Teams applications"
    ]
  },
  "discord": {
    "descriptionUrl": "doc/discord.md",
    "c2Projects": [
      "https://github.com/MythicC2Profiles/discord",
      "https://github.com/3ct0s/disctopia-c2",
      "https://github.com/emmaunel/DiscordGo",
      "https://github.com/crawl3r/DaaC2",
      "https://github.com/th3r4ven/Bifrost",
      "https://github.com/kensh1ro/Willie-C2",
      "https://github.com/codeuk/discord-rat",
      "https://github.com/Vczz0/Cerberos-C2",
      "https://github.com/3NailsInfoSec/DCVC2",
      "https://github.com/hoaan1995/ZER0BOT",
      "https://github.com/Jeff53978/Python-Trojan",
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/Discord/DiscordApi.cpp"
    ],
    "detection": [
      "url: https://discord.com/api/*",
      "url: https://discord.com/api/v9/channels/*",
      "url: https://discord.com/api/v9/guilds/*",
      "POST - url: https://discord.com/api/webhooks/*/*",
      "POST - url: https://discord.com/api/v9/channels/*/messages",
      "GET - url: https://discord.com/api/v9/channels/*/messages",
      "PUT - url: https://discord.com/api/v9/channels/*/messages/*",
      "DELETE - url: https://discord.com/api/v9/channels/*/messages/*",
      "POST - url: https://discord.com/api/v9/guilds/*/channels",
      "GET - url: https://discord.com/api/v9/users/@me",
      "url: https://cdn.discordapp.com/attachments/*/*",
      "detection strategy: Non-browser process making HTTPS POST requests to discord.com/api/webhooks/ \u2014 webhook URLs are write-only and require no authentication",
      "detection strategy: Non-Discord process (python.exe, powershell.exe, curl.exe, node.exe, compiled binaries) making API calls to discord.com/api/v9/",
      "detection strategy: Requests to discord.com/api coupled with prior API calls to IP lookup services (ipify.org, ip-api.com) \u2014 common initial C2 beacon pattern",
      "detection strategy: Discord webhook URLs (discord.com/api/webhooks/<id>/<token>) embedded in scripts, npm packages, or binary strings on disk",
      "detection strategy: Bot token strings in Authorization headers matching pattern Bot [A-Za-z0-9._-]+ in outbound HTTPS requests to discord.com",
      "detection strategy: Malware creating a new Discord channel named after the victim hostname then posting command output as file attachments",
      "detection strategy: Outbound file uploads to discord.com/api/v9/channels/*/messages with multipart form data from non-Discord processes (data exfiltration)",
      "[ChaosBot] Rust-based RAT creates per-victim Discord channels, uses DLL side-loading via identity_helper.exe",
      "[Skuld] Open-source Go infostealer exfiltrates browser credentials and cookies via Discord webhooks",
      "[LEAKGAP/Pay2Decrypt] Ransomware uses Discord webhooks for bot registration and post-infection C2",
      "detection blog: https://blog.talosintelligence.com/collab-app-abuse/"
    ]
  },
  "splunk": {
    "descriptionUrl": "doc/splunk.md",
    "c2Projects": [
      "https://github.com/cnotin/SplunkWhisperer2"
    ],
    "detection": [
      "url: https://*:8089/services/apps/local",
      "url: https://*:8089/servicesNS/nobody/system/apps/local",
      "url: https://*:8089/services/deployment/server/clients",
      "url: https://*:8089/services/auth/login",
      "POST - url: https://*:8089/services/apps/local -d name=*",
      "detection strategy: Unexpected connections to Splunk management port 8089 from non-Splunk processes or unauthorized hosts",
      "detection strategy: Authentication to Splunk UF management API using default credentials (admin/changeme)",
      "detection strategy: New Splunk app deployment (servicesNS/nobody/system/apps/local) from an unrecognized deployment server IP",
      "detection strategy: Splunk Universal Forwarder deploy-poll configuration changed to point to an unknown or unauthorized deployment server",
      "detection strategy: Scripted inputs executing unexpected commands (cmd.exe, powershell.exe, bash) spawned from splunkd process",
      "detection strategy: ARP spoofing activity targeting the Splunk Deployment Server IP address followed by app deployment on port 8089",
      "file: New or modified .bat/.ps1/.sh files appearing in $SPLUNK_HOME/etc/apps/*/bin/ directories",
      "process: Child processes of splunkd.exe or splunkd running cmd.exe, powershell.exe, or bash with unexpected arguments",
      "detection blog: https://clement.notin.org/blog/2019/02/25/Splunk-Universal-Forwarder-Hijacking-2-SplunkWhisperer2/"
    ]
  },
  "lichess": {
    "descriptionUrl": "doc/lichess.md",
    "c2Projects": [
      "https://github.com/0x-Apollyon/Malnus-Carlware"
    ],
    "detection": [
      "POST - url: https://lichess.org/api/bot/game/*/move/*",
      "POST - url: https://lichess.org/api/challenge/*",
      "GET - url: https://lichess.org/api/stream/event",
      "GET - url: https://lichess.org/api/bot/game/stream/",
      "detection strategy: Non-browser process making API calls to lichess.org/api/ endpoints",
      "detection strategy: Bot game moves containing encoded command data \u2014 unusual move patterns or game metadata",
      "detection strategy: Lichess API tokens stored in scripts or binary strings on disk"
    ]
  },
  "mattermost": {
    "descriptionUrl": "doc/mattermost.md",
    "c2Projects": [
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/Mattermost/MattermostApi.cpp"
    ],
    "detection": [
      "url: */api/v4/users/*",
      "url: */api/v4/users/username/*",
      "url: */api/v4/posts/*",
      "url: */api/v4/channels",
      "url: */api/v4/teams?page=*&per_page=30&include_total_count=true",
      "url: */api/v4/channels?exclude_default_channels=true",
      "url: */api/v4/teams/name/*/channels/name/*",
      "url: */api/v4/posts/*/thread",
      "url: */api/v4/channels/*/posts?per_page=200&page=*",
      "url: */api/v4/posts/*/patch",
      "url: */api/v4/files/*/link",
      "detection strategy: Non-browser process making API calls to */api/v4/ endpoints on a Mattermost server",
      "detection strategy: Periodic polling of channel posts at regular intervals indicating C2 command polling",
      "detection strategy: Mattermost Personal Access Tokens stored in scripts or binary strings on disk"
    ]
  },
  "google Sheet": {
    "descriptionUrl": "doc/google_sheet.md",
    "c2Projects": [
      "https://github.com/looCiprian/GC2-sheet",
      "https://github.com/a-rey/google_RAT"
    ],
    "detection": [
      "url: https://sheets.googleapis.com/*",
      "url: https://www.googleapis.com/drive/*",
      "url: https://www.googleapis.com/auth/spreadsheets",
      "url: https://www.googleapis.com/auth/spreadsheets.readonly",
      "url: https://sheets.googleapis.com/v4/spreadsheets/*:batchUpdate",
      "url: https://sheets.googleapis.com/v4/spreadsheets/*/values/*?valueInputOption=RAW",
      "url: https://sheets.googleapis.com/v4/spreadsheets/*/values:batchGet?*&ranges=*",
      "detection strategy: Non-browser process making API calls to sheets.googleapis.com \u2014 especially batchUpdate or values endpoints",
      "detection strategy: Periodic polling of specific spreadsheet cells at regular intervals indicating C2 task polling"
    ]
  },
  "Microsoft Sharepoint": {
    "descriptionUrl": "doc/sharepoint.md",
    "c2Projects": [
      "https://github.com/RedSiege/GraphStrike"
    ],
    "detection": [
      "url: https://graph.microsoft.com/v1.0/sites/*/lists/*/items/",
      "url: https://graph.microsoft.com/v1.0/sites/*/lists/*",
      "[Graphstrike] file name: file name containing the string pD9-tK in O365 logs https://x.com/Octoberfest73/status/1896595415883292920",
      "detection strategy: Non-browser/non-Office process making Graph API calls to /sites/*/lists/ endpoints",
      "detection strategy: SharePoint list items containing encoded or structured command/response data",
      "detection strategy: Periodic polling of specific SharePoint list items at regular intervals from automated processes"
    ]
  },
  "google Drive": {
    "descriptionUrl": "doc/google_drive.md",
    "c2Projects": [
      "https://github.com/lukebaggett/google_socks",
      "https://github.com/DannyPenten/Rust-DriveC2",
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/GoogleDrive.cpp",
      "https://github.com/looCiprian/GC2-sheet"
    ],
    "detection": [
      "url: https://www.googleapis.com/drive/*",
      "POST - url: https://www.googleapis.com/upload/drive/v3/files?*",
      "GET - url: https://www.googleapis.com/drive/v3/files/*",
      "url: https://www.googleapis.com/auth/drive",
      "url: https://oauth2.googleapis.com/token",
      "url: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart",
      "url: https://www.googleapis.com/drive/v3/files?q=mimeType%20%3D%20%27application%2Fvnd.google-apps.folder%27*",
      "url: https://www.googleapis.com/drive/v3/files?q=mimeType%20=%20%27application/octet-stream%27%20and%20name%20contains%20%27*",
      "url: https://www.googleapis.com/drive/v3/files/*",
      "detection strategy: Non-browser process making API calls to googleapis.com/drive/ \u2014 especially from servers where Google Drive client is not installed",
      "detection strategy: Periodic file listing or download from a specific Drive folder at regular intervals (C2 command polling)",
      "detection strategy: OAuth refresh tokens for Google Drive scope stored in scripts, configuration files, or binary strings on disk",
      "detection strategy: Uploads of files with generic names to Google Drive via multipart upload API from non-browser processes"
    ]
  },
  "google Calendar": {
    "descriptionUrl": "doc/google_calendar.md",
    "c2Projects": [
      "https://github.com/MrSaighnal/GCR-Google-Calendar-RAT",
      "https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics",
      "https://github.com/deriv-security/MeetC2"
    ],
    "detection": [
      "url: https://www.googleapis.com/auth/calendar*",
      "GET - url:  https://www.googleapis.com/calendar/v3/calendars/*/events*",
      "POST - url: https://www.googleapis.com/calendar/v3/calendars/*/events*",
      "User-Agent - contains suspicious tooling (e.g. Python, curl, Go-http-client) targeting calendar.googleapis.com",
      "Process - python.exe making direct outbound connection to calendar.googleapis.com",
      "Process - rare binary name contacting *.googleapis.com with calendar/v3 path",
      "detection strategy: Non-browser process making API calls to calendar.googleapis.com from a non-calendar application",
      "detection strategy: Calendar events with encoded or structured command strings in description fields"
    ]
  },
  "google Slides": {
    "descriptionUrl": "doc/google_slides.md",
    "c2Projects": [
      "https://github.com/MrSaighnal/GSR-Google-Slides-RAT"
    ],
    "detection": [
      "GET - url: https://slides.googleapis.com/v1/presentations/*",
      "POST - url: https://slides.googleapis.com/v1/presentations/*:batchUpdate",
      "detection strategy: Non-browser process making API calls to slides.googleapis.com endpoints",
      "detection strategy: Presentation table cells containing encoded command/response strings updated at regular intervals"
    ]
  },
  "github": {
    "descriptionUrl": "doc/github.md",
    "c2Projects": [
      "https://github.com/3ct0s/disctopia-c2",
      "https://github.com/TheD1rkMtr/GithubC2",
      "https://github.com/MythicC2Profiles/github",
      "https://github.com/offalltn/gitC2",
      "https://github.com/Cherno-x/Redeemer-C2"
    ],
    "detection": [
      "url: https://api.github.com/*",
      "url: https://*.app.github.dev/*",
      "url: https://*actions.githubusercontent.com*",
      "url: https://raw.githubusercontent.com*",
      "url: https://codeload.github.com*",
      "url: https://objects.githubusercontent.com/github-production-release-asset-*",
      "url: https://gist.githubusercontent.com/*/*/raw/*",
      "detection strategy: Non-browser process making authenticated API calls to api.github.com \u2014 especially from servers where Git/GitHub Desktop is not installed",
      "detection strategy: Periodic polling of GitHub issue comments, gist content, or commit messages at regular intervals (C2 command polling)",
      "detection strategy: GitHub Personal Access Tokens (ghp_*) or OAuth tokens stored in scripts, environment variables, or binary strings",
      "detection strategy: Base64 or encoded content in GitHub issue comments, gist updates, or commit messages used as command/response channels",
      "detection strategy: GitHub Actions workflows triggered by repository events used to execute commands on self-hosted runners"
    ]
  },
  "youtube": {
    "descriptionUrl": "doc/youtube.md",
    "c2Projects": [
      "https://github.com/latortuga71/YoutubeAsAC2",
      "https://github.com/woj-ciech/Social-media-c2",
      "https://github.com/ricardojoserf/SharpCovertTube"
    ],
    "detection": [
      "url: https://www.googleapis.com/youtube/*",
      "url: https://www.googleapis.com/youtube/v3/commentThreads?key=*",
      "detection strategy: Non-browser process making API calls to googleapis.com/youtube/v3/ endpoints",
      "detection strategy: YouTube video comments or descriptions containing encoded command/response data",
      "detection strategy: Periodic polling of specific YouTube comment threads at regular intervals"
    ]
  },
  "pastebin": {
    "descriptionUrl": "doc/pastebin.md",
    "c2Projects": [
      "https://github.com/3ndG4me/AgentSmith",
      "https://github.com/PeterEdtu/Pastebad-Reverse-Shell"
    ],
    "detection": [
      "url: https://pastebin.com/api/api_post.php",
      "url: https://pastebin.com/api/*",
      "url: *pastebin.com/raw/*",
      "url: *pastebin.com/rw/*",
      "detection strategy: Non-browser process making API calls to pastebin.com/api/ or fetching raw pastes from pastebin.com/raw/",
      "detection strategy: Periodic polling of specific Pastebin paste URLs at regular intervals indicating C2 task retrieval",
      "detection strategy: Pastebin API developer keys stored in scripts or binary strings on disk"
    ]
  },
  "reddit": {
    "descriptionUrl": "doc/reddit.md",
    "c2Projects": [
      "https://github.com/kleiton0x00/RedditC2",
      "https://github.com/thrasr/reddit-c2"
    ],
    "detection": [
      "url: https://www.reddit.com/api/*",
      "url: https://oauth.reddit.com/api/*",
      "url: https://www.reddit.com/api/v1/access_token",
      "POST - url: https://oauth.reddit.com/api/comment",
      "GET - url: https://oauth.reddit.com/r/*/comments/*",
      "POST - url: https://oauth.reddit.com/api/editusertext",
      "GET - url: https://oauth.reddit.com/api/v1/me",
      "[RedditC2] User-Agent: python:RedditC2:v1.0",
      "detection strategy: Non-browser process making HTTPS requests to oauth.reddit.com or www.reddit.com/api/ endpoints",
      "detection strategy: Periodic GET requests to a specific subreddit post's comment thread at regular intervals (command polling pattern)",
      "detection strategy: Comments containing prefixed strings like 'in:' or 'out:' used as command/response markers in subreddit posts",
      "detection strategy: Reddit OAuth client credentials (client_id/secret) stored in configuration files on disk",
      "detection strategy: Rapid sequence of POST (comment) \u2192 GET (read reply) \u2192 POST (edit to 'executed') on the same Reddit thread"
    ]
  },
  "dropbox": {
    "descriptionUrl": "doc/dropbox.md",
    "c2Projects": [
      "https://github.com/Arno0x/DBC2",
      "https://github.com/NTT-Security-Japan/pac2",
      "https://github.com/WithSecureLabs/C3/blob/master/Src/Common/FSecure/C3/Interfaces/Channels/Dropbox.cpp",
      "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/listeners/dbx.py"
    ],
    "detection": [
      "url: https://api.dropboxapi.com/*",
      "url: https://api.dropboxapi.com/2/files/list_folder",
      "url: https://api.dropboxapi.com/2/files/create_folder_v2",
      "url: https://api.dropboxapi.com/2/files/search_v2",
      "url: https://api.dropboxapi.com/2/files/search/continue_v2",
      "url: https://content.dropboxapi.com/2/files/download",
      "[empire] User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
      "detection strategy: Non-browser process making API calls to api.dropboxapi.com \u2014 especially from servers where Dropbox client is not installed",
      "detection strategy: Periodic polling of specific Dropbox folders via list_folder at regular intervals (C2 command polling pattern)",
      "detection strategy: Dropbox OAuth tokens or API keys stored in scripts, environment variables, or binary strings on disk",
      "detection strategy: File upload to Dropbox (content.dropboxapi.com/2/files/upload) from non-Dropbox processes containing encoded payloads"
    ]
  },
  "instagram": {
    "descriptionUrl": "doc/instagram.md",
    "c2Projects": [
      "https://github.com/woj-ciech/Social-media-c2"
    ],
    "detection": [
      "url: https://api.instagram.com/oauth/*",
      "url: https://graph.instagram.com/*",
      "detection strategy: Non-browser/non-Instagram process making OAuth or Graph API calls to graph.instagram.com",
      "detection strategy: Instagram post captions or comments containing encoded command/response data",
      "detection strategy: Instagram API tokens stored in scripts or configuration files on disk"
    ]
  },
  "zoom": {
    "descriptionUrl": "doc/zoom.md",
    "c2Projects": [
      "https://github.com/0xEr3bus/ShadowForgeC2"
    ],
    "detection": [
      "url: https://api.zoom.us/v2/chat/users/me/*",
      "url: https://api.zoom.us/v2/chat/users/me/messages",
      "GET - url: https://api.zoom.us/v2/chat/users/me/channels",
      "POST - url: https://api.zoom.us/v2/chat/users/me/messages",
      "PUT - url: https://api.zoom.us/v2/chat/users/me/messages/*",
      "DELETE - url: https://api.zoom.us/v2/chat/users/me/messages/*",
      "url: https://zoom.us/oauth/token",
      "detection strategy: Non-browser process making HTTPS requests to api.zoom.us from a server or workstation where Zoom client is not installed",
      "detection strategy: Periodic polling of /v2/chat/users/me/messages at regular intervals from a non-Zoom process (command polling)",
      "detection strategy: OAuth token refresh requests to zoom.us/oauth/token from scripted or automated processes",
      "detection strategy: Zoom chat messages containing encoded or structured command strings (base64, hex, or delimiter-separated payloads)"
    ]
  },
  "virustotal": {
    "descriptionUrl": "doc/virustotal.md",
    "c2Projects": [
      "https://github.com/RATandC2/VirusTotalC2",
      "https://github.com/D1rkMtr/VirusTotalC2",
      "https://github.com/g0h4n/REC2",
      "https://github.com/samuelriesz/SharpHungarian"
    ],
    "detection": [
      "url: https://www.virustotal.com/api/v3/*/comments",
      "url: https://www.virustotal.com/api/v2/*/comments",
      "POST - url: https://www.virustotal.com/api/v3/files/*/comments",
      "GET - url: https://www.virustotal.com/api/v3/files/*/comments",
      "POST - url: https://www.virustotal.com/api/v3/urls/*/comments",
      "GET - url: https://www.virustotal.com/api/v3/urls/*/comments",
      "detection strategy: Non-browser process making authenticated API calls to virustotal.com/api/ with x-apikey header",
      "detection strategy: Periodic polling of file or URL comments at regular intervals \u2014 agent reads commands from comments on a specific VT object",
      "detection strategy: VirusTotal API keys (64-character hex strings) stored in scripts, environment variables, or binary strings on disk",
      "detection strategy: Comments posted to VT objects containing encoded or structured command/response strings rather than legitimate analysis notes"
    ]
  },
  "zulip": {
    "descriptionUrl": "doc/zulip.md",
    "c2Projects": [
      "https://github.com/n1k7l4i/goZulipC2"
    ],
    "detection": [
      "url: https://*.zulipchat.com/api/v1/messages*",
      "url: https://*.zulipchat.com/api/v1/user_uploads*",
      "url: https://*.zulipchat.com/api/v1/users/me/subscriptions*",
      "url: https://*.zulipchat.com/api/v1/get_stream_id?stream=*",
      "detection strategy: Non-browser process making API calls to *.zulipchat.com/api/v1/ endpoints",
      "detection strategy: Periodic polling of Zulip message streams at regular intervals from automated processes",
      "detection strategy: Zulip API keys stored in scripts or configuration files on disk"
    ]
  },
  "notion": {
    "descriptionUrl": "doc/notion.md",
    "c2Projects": [
      "https://github.com/mttaggart/OffensiveNotion",
      "https://github.com/0xbbuddha/notion",
      "https://github.com/CodeXTF2/HavocNotion",
      "https://github.com/NotSooShariff/hog-c2"
    ],
    "detection": [
      "url: https://api.notion.com/*",
      "GET - url: https://api.notion.com/v1/blocks/*/children",
      "PATCH - url: https://api.notion.com/v1/blocks/*",
      "POST - url: https://api.notion.com/v1/pages",
      "GET - url: https://api.notion.com/v1/pages/*",
      "POST - url: https://api.notion.com/v1/databases/*/query",
      "detection strategy: Non-browser process making HTTPS requests to api.notion.com \u2014 legitimate Notion usage is almost exclusively via the Notion desktop/web app",
      "detection strategy: Periodic GET requests to /v1/blocks/*/children or /v1/pages/* at regular intervals (command polling pattern)",
      "detection strategy: PATCH requests to /v1/blocks/* containing encoded payloads or structured command strings (result write-back)",
      "detection strategy: Notion API integration tokens (secret_*) or Bearer tokens stored in script files, environment variables, or binary strings on disk",
      "detection strategy: Rapid alternating pattern of GET (read page) \u2192 PATCH (update block) on the same Notion page indicating bidirectional C2 communication",
      "[APT29/GraphicalNeutrino] Notion API abused for C2 in campaign targeting European Commission (2022)",
      "detection blog: https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
    ]
  },
  "matrix": {
    "descriptionUrl": "doc/matrix.md",
    "c2Projects": [
      "https://github.com/n1k7l4i/goMatrixC2/",
      "https://github.com/opensesamedoors/goMatrixC2"
    ],
    "detection": [
      "POST - url: https://matrix.org/_matrix/client/r0/rooms/*/send/m.room.message",
      "GET - url: https://matrix.org/_matrix/client/r0/rooms/*/messages",
      "detection strategy: Non-browser/non-Element process making API calls to matrix.org/_matrix/client/ endpoints",
      "detection strategy: Periodic polling of Matrix room messages at regular intervals from automated processes",
      "detection strategy: Matrix access tokens stored in scripts or binary strings on disk",
      "detection strategy: Room messages containing encoded or structured command/response strings"
    ]
  },
  "openai": {
    "descriptionUrl": "doc/openai.md",
    "c2Projects": [
      "https://github.com/spartan-conseil/ratchatpt",
      "https://github.com/Trivulzianus/LargeLanguageC2"
    ],
    "detection": [
      "POST & GET - url: https://api.openai.com/v1/files*",
      "POST - url: https://api.openai.com/v1/files/*",
      "POST - url: *files.oaiusercontent.com*",
      "GET - url: https://api.openai.com/v1/files/*/content*",
      "detection strategy: Non-browser process making API calls to api.openai.com from processes other than legitimate AI tooling",
      "detection strategy: OpenAI Files API used to upload/download payloads \u2014 files.oaiusercontent.com accessed from non-browser processes",
      "detection strategy: OpenAI API keys (sk-*) stored in unexpected locations outside approved AI tooling"
    ]
  },
  "claude": {
    "descriptionUrl": "doc/claude.md",
    "c2Projects": [
      "https://github.com/dmcxblue/Claude-C2"
    ],
    "detection": [
      "POST - url: https://api.anthropic.com/v1/messages",
      "POST - url: https://api.anthropic.com/v1/message_batches",
      "POST - url: https://api.anthropic.com/v1/files",
      "GET - url: https://api.anthropic.com/v1/files/*/content",
      "detection strategy: Non-browser process making API calls to api.anthropic.com from processes other than legitimate AI tooling",
      "detection strategy: Anthropic API keys (sk-ant-*) stored in unexpected script files or binary strings on disk",
      "detection strategy: File uploads to api.anthropic.com/v1/files from automated processes for data staging/exfiltration"
    ]
  },
  "Microsoft Azure Blob Storage": {
    "descriptionUrl": "doc/azure_blob_storage.md",
    "c2Projects": [
      "https://github.com/Quarkslab/ProxyBlob"
    ],
    "detection": [
      "GET - url: *.blob.core.windows.net/*",
      "PUT - url: *.blob.core.windows.net/*",
      "HEAD - url: *.blob.core.windows.net/*",
      "DELETE - url: *.blob.core.windows.net/*",
      "POST - url: *.blob.core.windows.net/*",
      "detection strategy: Non-browser process making frequent PUT/GET requests to *.blob.core.windows.net indicating tunneled traffic",
      "detection strategy: Blob container used as SOCKS proxy relay \u2014 high-frequency small read/write operations to the same container",
      "detection strategy: Unusual binary or encoded content in blob objects accessed from internal hosts"
    ]
  },
  "Wi-Fi Beacons": {
    "descriptionUrl": "doc/wifi_beacons.md",
    "c2Projects": [
      "https://github.com/V-i-x-x/WIFIAIR-C2-Channel"
    ],
    "detection": [
      "detection strategy: Unusually frequent SSID changes on nearby Wi-Fi access points or beacon frames containing non-human-readable SSID strings",
      "detection strategy: 802.11 beacon frames with SSID fields containing base64-encoded, hex-encoded, or fragmented data patterns",
      "detection strategy: Wireless IDS detecting beacon frames from unknown BSSIDs with rapidly changing SSIDs in the same physical area",
      "detection strategy: Endpoint initiating active Wi-Fi scans at high frequency (every few seconds) without user interaction",
      "detection strategy: Processes calling Win32 Native WiFi API WlanScan function at regular intervals from non-network-management applications",
      "detection strategy: Probe request/response frames with data encoded in vendor-specific Information Elements (IEs)",
      "detection strategy: RF monitoring detecting beacon frames on unexpected channels or from unauthorized transmitters in controlled environments"
    ]
  },
  "AWS X-Ray": {
    "descriptionUrl": "doc/aws_xray.md",
    "c2Projects": [
      "https://github.com/RootUp/XRayC2"
    ],
    "detection": [
      "POST - url: https://xray.*.amazonaws.com/PutTraceSegments",
      "POST - url: https://xray.*.amazonaws.com/GetTraceSummaries",
      "POST - url: https://xray.*.amazonaws.com/BatchGetTraces",
      "GET - url: https://xray.*.amazonaws.com/GetServiceGraph",
      "detection strategy: Anomalous spikes in PutTraceSegments or GetTrace API calls from unexpected IAM principals or EC2 instances",
      "detection strategy: X-Ray trace segment annotations or metadata containing encoded command/response strings rather than legitimate telemetry data",
      "detection strategy: Non-instrumented applications (no X-Ray SDK) making direct X-Ray API calls via AWS SDK or raw HTTP requests",
      "detection strategy: X-Ray API calls from IAM roles or users not associated with application monitoring or observability teams",
      "detection strategy: CloudTrail events showing X-Ray API activity from principals that don't normally interact with tracing services",
      "detection strategy: Trace segments with unusually large metadata fields or annotations that exceed normal telemetry patterns",
      "detection blog: https://medium.com/@dhiraj_mishra/ghost-in-the-cloud-weaponizing-aws-x-ray-for-command-control-7539d60f1d77"
    ]
  },
  "Trello": {
    "descriptionUrl": "doc/trello.md",
    "c2Projects": [
      "https://github.com/gavz/TrelloC2"
    ],
    "detection": [
      "url: https://api.trello.com/1/*",
      "GET - url: https://api.trello.com/1/boards/*/cards",
      "POST - url: https://api.trello.com/1/cards",
      "PUT - url: https://api.trello.com/1/cards/*",
      "DELETE - url: https://api.trello.com/1/cards/*",
      "GET - url: https://api.trello.com/1/lists/*/cards",
      "url: https://trello.com/b/*/*.json",
      "detection strategy: Non-browser process making API calls to api.trello.com/1/ - especially from servers where Trello is not used",
      "detection strategy: Periodic polling of Trello board cards or lists at regular intervals indicating C2 command polling",
      "detection strategy: Trello API key and token pairs stored in scripts, configuration files, or binary strings on disk",
      "detection strategy: Cards created and rapidly deleted or updated on a Trello board from non-browser processes (command/response cycle)",
      "[APT29/BEATDROP] Trello API abused for C2 before the group switched to Notion (GraphicalNeutrino) in later campaigns",
      "[APT29/BEATDROP] User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) - early samples used iPad UA from Windows hosts",
      "[APT29/BEATDROP] Trello API requests with OAuth oauth_consumer_key in Authorization header from non-browser processes",
      "detection blog: https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns"
    ]
  },
  "Blockchain Smart Contracts": {
    "descriptionUrl": "doc/blockchain_smart_contracts.md",
    "c2Projects": [
      "https://github.com/SAAITAAMAA/EtherHiding",
      "https://github.com/geek-repo/C2-Blockchain",
      "https://github.com/xpn/BlockchainC2",
      "https://github.com/gnxbr/Unbreakable-Botnet-C2"
    ],
    "detection": [
      "POST - url: https://rpc.ankr.com/*",
      "POST - url: https://*-rpc.publicnode.com",
      "POST - url: https://ethereum-sepolia.publicnode.com",
      "POST - url: https://bsc-dataseed*.binance.org:8545",
      "POST - url: https://data-seed-prebsc-*-s*.binance.org:8545",
      "POST - url: https://polygon-rpc.com",
      "POST - url: https://rpc-mainnet.matic.network",
      "POST - url: https://cloudflare-eth.com",
      "POST - url: https://*.infura.io/v3/*",
      "POST - url: https://*.alchemy.com/v2/*",
      "websocket - url: wss://*.infura.io/ws/v3/*",
      "websocket - url: wss://*.infura.io/_ws",
      "websocket - url: wss://*-rpc.publicnode.com",
      "detection strategy: WebSocket (wss://) connections to blockchain RPC endpoints from non-browser/non-wallet processes - BlockchainC2 and C2-Blockchain both use WebSocket for real-time event subscriptions",
      "url: https://api.blockcypher.com/v1/ltc/main/addrs/*",
      "url: https://api.blockcypher.com/v1/btc/main/addrs/*",
      "url: https://api.blockcypher.com/v1/eth/main/addrs/*",
      "url: https://*.bscscan.com/api*",
      "url: https://*.etherscan.io/api*",
      "detection strategy: HTTP POST body containing \"method\":\"eth_call\" from non-browser/non-wallet processes - the core read operation used by EtherHiding to retrieve shellcode or C2 URLs from contract storage",
      "detection strategy: HTTP POST body containing \"method\":\"eth_getStorageAt\" - direct storage slot reads used by some variants to retrieve encoded payloads",
      "detection strategy: HTTP POST body with \"eth_call\" plus a \"to\" field (0x + 40 hex) and a \"data\" field with a 4-byte function selector (0x + 8 hex) - the exact structure of a smart contract view call",
      "detection strategy: HTTP POST or WebSocket frame containing \"method\":\"eth_sendTransaction\" from non-wallet processes - BlockchainC2 (xpn) and C2-Blockchain use transactions to emit C2 events on-chain",
      "detection strategy: HTTP POST or WebSocket frame containing \"method\":\"eth_sendRawTransaction\" from non-wallet processes - C2-Blockchain signs and sends raw transactions to call tovictim()/toattacker() functions",
      "detection strategy: HTTP POST body containing \"method\":\"eth_getTransactionCount\" from non-wallet processes - used by both event-based C2 frameworks to retrieve nonce before sending transactions",
      "detection strategy: WebSocket frame containing \"method\":\"eth_subscribe\" with \"params\":[\"logs\"] from non-wallet processes - BlockchainC2 (xpn) uses log subscriptions to receive C2 commands in real-time",
      "detection strategy: HTTP POST body containing \"method\":\"eth_newFilter\" followed by repeated \"eth_getFilterChanges\" calls - C2-Blockchain (Python) polls for new contract events using this pattern",
      "detection strategy: HTTP POST body containing \"method\":\"eth_getTransactionByHash\" after receiving event logs - both event-based C2s decode command data from transaction inputs",
      "detection strategy: JSON-RPC eth_call responses where the \"result\" hex field decodes to URLs, IP addresses, base64 strings, or executable shellcode bytes",
      "detection strategy: Multi-stage decode chain after RPC response: hex-decode followed by base64-decode followed by eval()/Function()/Execute() - signature of EtherHiding payload delivery in browser",
      "detection strategy: AES-encrypted blobs in eth_call responses paired with hardcoded AES keys in the calling binary or script (SharkStealer, OCRFix pattern)",
      "detection strategy: Injected <script> tags loading ethers.min.js or web3.min.js from CDNs (jsdelivr, cdnjs, unpkg) on websites that are not Web3 applications",
      "detection strategy: JavaScript calling new ethers.Contract() or new ethers.JsonRpcProvider() in page context of non-Web3 sites - CLEARFAKE/EtherHiding browser entry point",
      "detection strategy: [EtherHiding] Process calls VirtualAlloc with PAGE_EXECUTE_READWRITE (RWX) after making HTTP requests to blockchain RPC endpoints - the shellcode is fetched via eth_call then written to executable memory and called as a function pointer",
      "detection strategy: [EtherHiding] Rust binary importing both web3 crate and winapi memoryapi (VirtualAlloc/VirtualProtect) - the exact dependency combination used by the EtherHiding POC",
      "detection strategy: [BlockchainC2] Go binary importing github.com/ethereum/go-ethereum packages (ethclient, bind, common) that is not a blockchain development tool - the go-ethereum library is the backbone of xpn's BlockchainC2",
      "detection strategy: [C2-Blockchain] Python process importing web3 library and calling subprocess.getoutput() or os.popen() - the generated virus.py executes commands received from blockchain events",
      "detection strategy: [Unbreakable-Botnet] HTTP GET to api.blockcypher.com/v1/ltc/main/addrs/ followed by outbound IRC connection (port 6667 or 6697) - the bot decodes a C2 IP address from Litecoin transaction values then connects via IRC",
      "detection strategy: [Unbreakable-Botnet] Litecoin/Bitcoin transaction value 31337 satoshis used as sentinel marker - subsequent transaction values are concatenated to form the C2 server IP address",
      "detection strategy: Non-browser/non-wallet process making HTTP POST or WebSocket connections to known blockchain RPC endpoints - strongest signal in enterprise environments without legitimate Web3 usage",
      "detection strategy: Hardcoded smart contract addresses (0x + 40 hex chars) in binary strings, scripts, or config files that are not part of legitimate Web3 applications",
      "detection strategy: Hardcoded RPC endpoint URLs (rpc.ankr.com, cloudflare-eth.com, infura.io, publicnode.com) or blockchain API URLs (api.blockcypher.com) in binaries/scripts not associated with blockchain development",
      "detection strategy: Hardcoded cryptocurrency wallet addresses (Litecoin ltc1/LTC, Bitcoin bc1/1/3, Ethereum 0x) in non-financial binaries, especially when adjacent to network connection code",
      "detection strategy: YARA rule - AES key bytes adjacent to contract address bytes (0x prefix + 40 hex) or RPC endpoint strings in non-Web3 PE/ELF binaries",
      "detection strategy: Repeated eth_call requests to the same contract address at regular intervals from the same host - C2 command polling pattern via smart contract storage",
      "detection strategy: Repeated eth_getFilterChanges requests at regular intervals - event-based C2 polling pattern used by C2-Blockchain",
      "detection strategy: Any connection to testnet RPC endpoints (ethereum-sepolia.publicnode.com, data-seed-prebsc-*, sepolia.*, goerli.*, ropsten.*) from production enterprise systems - testnet usage is anomalous outside development environments",
      "detection strategy: In environments with no legitimate Web3 usage, ANY outbound traffic to known blockchain RPC domains or blockchain explorer APIs is a high-confidence signal",
      "[EtherHiding POC] contract: 0xD57c5867BbD350B97cff9FAd9569089a0Af2EC1d on Ethereum Sepolia, function: getShellcode() returns raw shellcode bytes",
      "[Smargaft] contract: 0xdf2208d4902aa1ec9a0957132ca86a4e1d40455b on BSC mainnet, function selector: 0xd7ec3ad7",
      "[CLEARFAKE/UNC5142] contract: 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e on BSC (stage 1 anchor)",
      "[CLEARFAKE/UNC5142] contract: 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff on BSC (Windows payload)",
      "[CLEARFAKE/UNC5142] contract: 0x68DcE15C1002a2689E19D33A3aE509DD1fEb11A5 on BSC (macOS payload)",
      "[UNC5342/DPRK] contract: 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c on BSC (JADESNOW stage)",
      "[Unbreakable-Botnet] Litecoin address: ltc1ql7dlh7f05dufsd5dpjucu3rz0cdezkqtxrngqj used as Dead Drop Resolver with 31337 satoshi sentinel",
      "[SharkStealer] AES-encrypted C2 URL stored in BSC Testnet contract, decrypted client-side with hardcoded key",
      "[OCRFix] C2 URL in BSC Testnet contract, rotated 5 times in 10 days via single blockchain transactions",
      "[Aeternum] Commands in Polygon smart contract annotations, approximately $1 MATIC funds 100+ command transactions",
      "[Glupteba] Bitcoin blockchain transactions used as backup Dead Drop Resolver for C2 addresses",
      "detection blog: https://qrator.net/blog/details/Exploring-Aeternum-C2/",
      "detection blog: https://blog.xlab.qianxin.com/smargaft_abusing_binance-smart-contracts_en/",
      "detection blog: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding",
      "detection blog: https://censys.com/blog/etherhiding-fake-captchas-click-fix-lures-blockchain-backed-payload-delivery",
      "detection blog: https://asec.ahnlab.com/en/88009/",
      "detection blog: https://blog.xpnsec.com/ethereum-c2/"
    ]
  }
}