Google Docs becomes Google SOCKS: C2 Over Google Drive
Summary
This article describes a technique in which Google Docs is used as a command and control (C2) channel, turning Google Drive into a covert transport. Attackers can use it to exfiltrate data and maintain persistence, and it is hard to detect because traffic to Google services is common and generally trusted.
IFF Assessment
This technique allows attackers to blend in with legitimate network traffic, making detection and mitigation more challenging for defenders.
Defender Context
Defenders should be aware that covert C2 channels can masquerade as legitimate cloud-service traffic. Network monitoring should look for unusual patterns of activity within cloud storage services, such as unexpected file uploads/downloads or an abnormal rhythm or volume of API calls, even when the services themselves are trusted.
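As an added example (not from the original article), a small Python detector that applies the monitoring advice above to constructed proxy log lines: it groups requests to Google Drive/Docs hosts by client and flags clients whose request timing is unusually regular, a pattern typical of automated polling rather than human use. The host list, log format and thresholds are assumptions.

```python
"""Flag clients whose Google Drive/Docs traffic looks like periodic polling."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<iso timestamp> <client> <method> <host> <bytes>".
# 10.0.0.5 hits the API exactly every 30 s (machine-like); 10.0.0.9 is a
# human editing a doc at irregular times; 10.0.0.7 has too little data to judge.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET www.googleapis.com 1200
2024-05-01T10:00:30 10.0.0.5 GET www.googleapis.com 1180
2024-05-01T10:01:00 10.0.0.5 POST www.googleapis.com 2048
2024-05-01T10:01:30 10.0.0.5 GET www.googleapis.com 1210
2024-05-01T10:02:00 10.0.0.5 GET www.googleapis.com 1190
2024-05-01T10:02:30 10.0.0.5 GET www.googleapis.com 1195
2024-05-01T09:58:12 10.0.0.9 GET docs.google.com 53000
2024-05-01T10:03:45 10.0.0.9 POST docs.google.com 800
2024-05-01T10:04:02 10.0.0.9 POST docs.google.com 760
2024-05-01T10:31:10 10.0.0.9 GET drive.google.com 91000
2024-05-01T10:05:00 10.0.0.7 GET drive.google.com 4000
2024-05-01T10:40:00 10.0.0.7 GET drive.google.com 4100
"""

# Assumed set of hosts that carry Google Drive / Docs traffic.
DRIVE_HOSTS = {"www.googleapis.com", "docs.google.com", "drive.google.com"}


def parse_log(text):
    """Group (timestamp, method, bytes) per client, keeping only Drive/Docs hosts."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, method, host, size = line.split()
        if host in DRIVE_HOSTS:
            events[client].append((datetime.fromisoformat(ts), method, int(size)))
    return events


def beacon_score(timestamps):
    """Return (mean gap s, coefficient of variation) or None if too few gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)  # CV near 0 => clock-like


def find_suspicious(events, min_events=5, max_cv=0.2):
    """Flag clients with enough Drive requests whose gaps are nearly constant."""
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        score = beacon_score([e[0] for e in evs])
        if score is None or len(evs) < min_events:
            continue
        m, cv = score
        if cv <= max_cv:
            flagged[client] = {"events": len(evs), "interval_s": round(m, 1), "cv": round(cv, 3)}
    return flagged
```

Real deployments would feed proxy or CASB logs instead of the embedded sample and tune `min_events` and `max_cv` against baseline usage, since some legitimate sync clients also poll on a fixed schedule.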