Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel
Sigma rule

```yaml
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects a non-browser process interacting with the Telegram API which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
level: medium
```
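As an added example (not part of the rule page or the Sigma project), the following Python evaluator reimplements this rule's `selection` and `filter_main_*` logic with Sigma's case-insensitive string matching and runs it over a handful of constructed Sysmon-style `network_connection` events. The event field names, sample process paths and the constructed events are assumptions for illustration; the evaluator supports only the modifiers this rule uses (exact match, `contains`, `startswith`, `endswith`). The samples include a browser binary name outside its default install path, which shows why the rule's TODO about full install paths matters: exact-path filters keep such an event in scope, while an `endswith`-only filter does not.

```python
# Added example (not code from the rule page or the Sigma project): a small
# evaluator for this rule's selection and filter_main_* logic, run over
# constructed Sysmon-style network_connection events (Event ID 3 fields).
# Sigma string matching is case-insensitive, so both sides are lowercased.

SELECTION = {"DestinationHostname|contains": ["api.telegram.org"]}

# Exclusions transcribed from the rule. A filter is a list of alternatives
# (OR); each alternative is a dict whose field conditions must all hold (AND).
FILTERS = {
    "brave": [{"Image|endswith": [r"\brave.exe"]}],
    "chrome": [{"Image": [r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                          r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"]}],
    "firefox": [{"Image": [r"C:\Program Files\Mozilla Firefox\firefox.exe",
                           r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"]}],
    "ie": [{"Image": [r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
                      r"C:\Program Files\Internet Explorer\iexplore.exe"]}],
    "maxthon": [{"Image|endswith": [r"\maxthon.exe"]}],
    "edge_1": [
        {"Image|startswith": [r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application" + "\\"]},
        {"Image|endswith": [r"\WindowsApps\MicrosoftEdge.exe"]},
        {"Image": [r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                   r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"]},
    ],
    "edge_2": [{"Image|startswith": [r"C:\Program Files (x86)\Microsoft\EdgeCore" + "\\",
                                     r"C:\Program Files\Microsoft\EdgeCore" + "\\"],
                "Image|endswith": [r"\msedge.exe", r"\msedgewebview2.exe"]}],
    "opera": [{"Image|endswith": [r"\opera.exe"]}],
    "safari": [{"Image|endswith": [r"\safari.exe"]}],
    "seamonkey": [{"Image|endswith": [r"\seamonkey.exe"]}],
    "vivaldi": [{"Image|endswith": [r"\vivaldi.exe"]}],
    "whale": [{"Image|endswith": [r"\whale.exe"]}],
}


def field_matches(event, key, patterns):
    """Evaluate one 'Field|modifier: [values]' line; the values are OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "" and value == p:
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
    return False


def map_matches(event, mapping):
    """All field conditions in one mapping must hold (AND)."""
    return all(field_matches(event, k, v) for k, v in mapping.items())


def filter_matches(event, alternatives):
    """A filter block matches if any of its alternatives matches (OR)."""
    return any(map_matches(event, alt) for alt in alternatives)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not map_matches(event, SELECTION):
        return False
    return not any(filter_matches(event, f) for f in FILTERS.values())


# Constructed sample events (not real telemetry); only the two fields the
# rule reads are populated.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.telegram.org"},               # excluded: exact path
    {"Image": r"C:\Program Files\Microsoft\EdgeCore\112.0.1722.48\msedge.exe",
     "DestinationHostname": "api.telegram.org"},               # excluded: edge_2 (startswith AND endswith)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org"},               # alerts: no filter covers it
    {"Image": r"C:\Users\Public\chrome.exe",
     "DestinationHostname": "api.telegram.org"},               # alerts: chrome filter is exact-path only
    {"Image": r"C:\Users\Public\brave.exe",
     "DestinationHostname": "api.telegram.org"},               # excluded: endswith filter, per the rule's TODO
    {"Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "example.com"},                    # not selected: other destination
]


def alerting_images(events=SAMPLE_EVENTS):
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in alerting_images():
        print("ALERT:", image)
```

Running the block prints two alerts: the PowerShell event and the chrome.exe copy outside the default install path. The brave.exe copy is silently excluded, which is the gap the rule's TODO comment about full install paths is meant to close.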
Related rules
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux