Suspicious Non-Browser Network Communication With Telegram API

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

Sigma rule (View on GitHub)

 1title: Suspicious Non-Browser Network Communication With Telegram API
 2id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
 3status: test
 4description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
 5references:
 6    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-19
 9tags:
10    - attack.command-and-control
11    - attack.t1102
12logsource:
13    product: windows
14    category: network_connection
15detection:
16    selection:
17        DestinationHostname|contains: 'api.telegram.org'
18    # Other browsers or apps known to use telegram should be added
19    # TODO: Add full paths for default install locations
20    filter_main_brave:
21        Image|endswith: '\brave.exe'
22    filter_main_chrome:
23        Image:
24            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
25            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
26    filter_main_firefox:
27        Image:
28            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
29            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
30    filter_main_ie:
31        Image:
32            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
33            - 'C:\Program Files\Internet Explorer\iexplore.exe'
34    filter_main_maxthon:
35        Image|endswith: '\maxthon.exe'
36    filter_main_edge_1:
37        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
38        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
39        - Image:
40              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
41              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
42    filter_main_edge_2:
43        Image|startswith:
44            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
45            - 'C:\Program Files\Microsoft\EdgeCore\'
46        Image|endswith:
47            - '\msedge.exe'
48            - '\msedgewebview2.exe'
49    filter_main_opera:
50        Image|endswith: '\opera.exe'
51    filter_main_safari:
52        Image|endswith: '\safari.exe'
53    filter_main_seamonkey:
54        Image|endswith: '\seamonkey.exe'
55    filter_main_vivaldi:
56        Image|endswith: '\vivaldi.exe'
57    filter_main_whale:
58        Image|endswith: '\whale.exe'
59    condition: selection and not 1 of filter_main_*
60falsepositives:
61    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS  etc.
62level: medium

References

Related rules

to-top