detection.wiki

Detection rules › Sigma

Suspicious Non-Browser Network Communication With Telegram API

Status
test
Severity
medium
Log source
product windows, category network_connection
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1102 Web Service, T1105 Ingress Tool Transfer
ExfiltrationT1567 Exfiltration Over Web Service

Event coverage

ProviderEventTitle
SysmonEvent ID 3Network connection

Rule body yaml

title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS  etc.
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    DestinationHostname|contains: 'api.telegram.org'

Stage 2: not filter_main_*

filter_main_brave:
    Image|endswith: '\brave.exe'
filter_main_chrome:
    Image:
        - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_main_firefox:
    Image:
        - 'C:\Program Files\Mozilla Firefox\firefox.exe'
        - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_main_ie:
    Image:
        - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        - 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_main_maxthon:
    Image|endswith: '\maxthon.exe'
filter_main_edge_1:
    - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
    - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
    - Image:
          - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
          - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_main_edge_2:
    Image|startswith:
        - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
        - 'C:\Program Files\Microsoft\EdgeCore\'
    Image|endswith:
        - '\msedge.exe'
        - '\msedgewebview2.exe'
filter_main_opera:
    Image|endswith: '\opera.exe'
filter_main_safari:
    Image|endswith: '\safari.exe'
filter_main_seamonkey:
    Image|endswith: '\seamonkey.exe'
filter_main_vivaldi:
    Image|endswith: '\vivaldi.exe'
filter_main_whale:
    Image|endswith: '\whale.exe'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
Imageends_with\msedge.exe
Imageends_with\msedgewebview2.exe
Imagestarts_withC:\Program Files (x86)\Microsoft\EdgeCore\
Imagestarts_withC:\Program Files\Microsoft\EdgeCore\
Imageends_with\WindowsApps\MicrosoftEdge.exe
Imageends_with\brave.exe
Imageends_with\maxthon.exe
Imageends_with\opera.exe
Imageends_with\safari.exe
Imageends_with\seamonkey.exe
Imageends_with\vivaldi.exe
Imageends_with\whale.exe
ImageeqC:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ImageeqC:\Program Files (x86)\Internet Explorer\iexplore.exe
ImageeqC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
ImageeqC:\Program Files (x86)\Mozilla Firefox\firefox.exe
ImageeqC:\Program Files\Google\Chrome\Application\chrome.exe
ImageeqC:\Program Files\Internet Explorer\iexplore.exe
ImageeqC:\Program Files\Microsoft\Edge\Application\msedge.exe
ImageeqC:\Program Files\Mozilla Firefox\firefox.exe
Imagestarts_withC:\Program Files (x86)\Microsoft\EdgeWebView\Application\

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
DestinationHostnamematch
  • api.telegram.org