Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel
Sigma rule
```yaml
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use Telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with an RSS feature, etc.
level: medium
```
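To see what the condition `selection and not 1 of filter_main_*` actually does, here is the rule's selection, filters and condition re-expressed in Python and run over a handful of constructed network_connection events. This is an added example, not code from the rule, from SigmaHQ or from any Sigma backend; the events are hand-written dicts that mimic the `Image` and `DestinationHostname` fields and are not real telemetry. It reproduces the Sigma semantics that matter here: string matching is case-insensitive, a YAML map under a filter is an AND of its keys, a YAML list under a filter (as in `filter_main_edge_1`) is an OR of its entries, and a list of values under one key is an OR of those values.

```python
"""Added example (not from the Sigma rule or SigmaHQ tooling): the rule's
selection, filter_main_* blocks and condition as Python, applied to
constructed events."""


# Sigma string modifiers compare case-insensitively; mirror that here.
def _image(ev):
    return ev.get("Image", "").lower()


def _equals(ev, *values):
    return any(_image(ev) == v.lower() for v in values)


def _startswith(ev, *prefixes):
    return any(_image(ev).startswith(p.lower()) for p in prefixes)


def _endswith(ev, *suffixes):
    return any(_image(ev).endswith(s.lower()) for s in suffixes)


def selection(ev):
    # DestinationHostname|contains: 'api.telegram.org'
    return "api.telegram.org" in ev.get("DestinationHostname", "").lower()


PF = "C:\\Program Files"
PF86 = "C:\\Program Files (x86)"

# One callable per filter_main_* block, in the rule's order.
FILTERS = {
    "filter_main_brave": lambda ev: _endswith(ev, "\\brave.exe"),
    "filter_main_chrome": lambda ev: _equals(
        ev, PF + "\\Google\\Chrome\\Application\\chrome.exe",
        PF86 + "\\Google\\Chrome\\Application\\chrome.exe"),
    "filter_main_firefox": lambda ev: _equals(
        ev, PF + "\\Mozilla Firefox\\firefox.exe",
        PF86 + "\\Mozilla Firefox\\firefox.exe"),
    "filter_main_ie": lambda ev: _equals(
        ev, PF86 + "\\Internet Explorer\\iexplore.exe",
        PF + "\\Internet Explorer\\iexplore.exe"),
    "filter_main_maxthon": lambda ev: _endswith(ev, "\\maxthon.exe"),
    # YAML list -> the three entries are OR-ed
    "filter_main_edge_1": lambda ev: (
        _startswith(ev, PF86 + "\\Microsoft\\EdgeWebView\\Application\\")
        or _endswith(ev, "\\WindowsApps\\MicrosoftEdge.exe")
        or _equals(ev, PF86 + "\\Microsoft\\Edge\\Application\\msedge.exe",
                   PF + "\\Microsoft\\Edge\\Application\\msedge.exe")),
    # YAML map -> both keys must match (AND); each key's list is an OR
    "filter_main_edge_2": lambda ev: (
        _startswith(ev, PF86 + "\\Microsoft\\EdgeCore\\",
                    PF + "\\Microsoft\\EdgeCore\\")
        and _endswith(ev, "\\msedge.exe", "\\msedgewebview2.exe")),
    "filter_main_opera": lambda ev: _endswith(ev, "\\opera.exe"),
    "filter_main_safari": lambda ev: _endswith(ev, "\\safari.exe"),
    "filter_main_seamonkey": lambda ev: _endswith(ev, "\\seamonkey.exe"),
    "filter_main_vivaldi": lambda ev: _endswith(ev, "\\vivaldi.exe"),
    "filter_main_whale": lambda ev: _endswith(ev, "\\whale.exe"),
}


def evaluate(ev):
    """condition: selection and not 1 of filter_main_*
    Returns (alert, name of the first filter that suppressed it, or None)."""
    if not selection(ev):
        return (False, None)
    for name, matches in FILTERS.items():
        if matches(ev):
            return (False, name)
    return (True, None)


def find_alerts(events):
    return [ev for ev in events if evaluate(ev)[0]]


# Constructed sample events, not real captures.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "api.telegram.org"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "api.telegram.org"},
    # per-user Chrome install: a legitimate browser the path list misses
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "api.telegram.org"},
    {"Image": "C:\\Program Files\\Microsoft\\EdgeCore\\msedge.exe",
     "DestinationHostname": "api.telegram.org"},
    # any path ending in \brave.exe is excluded, wherever it lives
    {"Image": "C:\\Users\\bob\\Downloads\\brave.exe",
     "DestinationHostname": "api.telegram.org"},
    {"Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationHostname": "example.org"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev), ev["Image"])
```

Two of the constructed events illustrate the trade-off the rule's own TODO comment points at: the per-user Chrome install alerts because only the `Program Files` paths are listed (this is the "web browsers not in the exclusion list" false positive), while `filter_main_brave` and the other `endswith`-only filters suppress any image whose file name matches, regardless of directory. When tuning, prefer full default install paths as the Chrome, Firefox and Edge filters already do, and remember that the selection keys on `DestinationHostname`, so the rule only fires where the log source actually populates that field for the connection.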
Related rules
- Suspicious Curl File Upload - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Suspicious Invoke-WebRequest Execution