Techniques
Sample rules
Potential Telegram API Request Via CommandLine
- source: splunk
- techniques:
- T1102.002
- T1041
Description
The following analytic detects the presence of “api.telegram.org” in the CommandLine of a process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity can be significant because the Telegram API has been used as an exfiltration mechanism and as a C2 channel. If confirmed malicious, this could allow an attacker or malware to exfiltrate data or receive additional C2 instructions, potentially leading to further compromise and persistence within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process= "*api.telegram.org*" NOT Processes.process IN ("*-osint -url*", "* --single-argument*") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_id Processes.process_name Processes.process Processes.process_id Processes.process_guid
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `potential_telegram_api_request_via_commandline_filter`
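The following added example (not part of the Splunk rule or its project) replays the rule's include pattern, its two exclusions and its count/firstTime/lastTime aggregation over constructed process events, so the matching behaviour can be checked offline. Assumptions: comparison is case-insensitive, only a subset of the rule's `by` fields is used for grouping, and the `security_content_*` and filter macros are not modelled.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

INCLUDE = "*api.telegram.org*"
EXCLUDE = ("*-osint -url*", "* --single-argument*")
# Assumption: a subset of the rule's "by" fields, to keep the sample data short.
GROUP_BY = ("dest", "user", "parent_process_name", "process_name", "process")

def matches(cmdline):
    """True when the command line hits the include pattern and no exclusion."""
    c = cmdline.lower()  # assumption: wildcard comparison ignores case
    return fnmatchcase(c, INCLUDE) and not any(fnmatchcase(c, p) for p in EXCLUDE)

def detect(events):
    """Aggregate matching events into count / firstTime / lastTime per group."""
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for e in events:
        if not matches(e["process"]):
            continue
        row = rows[tuple(e[k] for k in GROUP_BY)]
        t = e["_time"]
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)

def event(t, dest, user, parent, name, cmd):
    """Build one constructed process-execution record."""
    return {"_time": t, "dest": dest, "user": user,
            "parent_process_name": parent, "process_name": name, "process": cmd}

# Constructed sample events: times, hosts, users and command lines are made up.
CURL = "curl.exe -s https://api.telegram.org/bot<TOKEN>/getMe"
SAMPLE_EVENTS = [
    event(100, "ws01", "alice", "cmd.exe", "curl.exe", CURL),
    event(160, "ws01", "alice", "cmd.exe", "curl.exe", CURL),
    event(200, "ws02", "bob", "explorer.exe", "chrome.exe",
          "chrome.exe --single-argument https://api.telegram.org/"),
    event(210, "ws02", "bob", "cmd.exe", "tool.exe",
          "tool.exe -osint -url https://api.telegram.org"),
    event(220, "ws03", "carol", "cmd.exe", "curl.exe", "curl.exe https://example.com/"),
    event(230, "ws03", "carol", "powershell.exe", "powershell.exe",
          "powershell.exe iwr HTTPS://API.TELEGRAM.ORG/bot<TOKEN>/getMe"),
]

if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(row, key)
```

Of the six constructed events, the two curl runs collapse into one row and the upper-case PowerShell line forms a second; the two excluded command lines and the unrelated curl call produce nothing.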