Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with an RSS feed, etc.

Techniques

Sample rules

Suspicious Non-Browser Network Communication With Telegram API

Description

Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel.

Detection logic

selection:
  DestinationHostname|contains: api.telegram.org
filter_main_brave:
  Image|endswith: \brave.exe
filter_main_chrome:
  Image:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
  - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
filter_main_edge_1:
- Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- Image|endswith: \WindowsApps\MicrosoftEdge.exe
- Image:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_main_edge_2:
  Image|endswith:
  - \msedge.exe
  - \msedgewebview2.exe
  Image|startswith:
  - C:\Program Files (x86)\Microsoft\EdgeCore\
  - C:\Program Files\Microsoft\EdgeCore\
filter_main_firefox:
  Image:
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files (x86)\Mozilla Firefox\firefox.exe
filter_main_ie:
  Image:
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
  - C:\Program Files\Internet Explorer\iexplore.exe
filter_main_maxthon:
  Image|endswith: \maxthon.exe
filter_main_opera:
  Image|endswith: \opera.exe
filter_main_safari:
  Image|endswith: \safari.exe
filter_main_seamonkey:
  Image|endswith: \seamonkey.exe
filter_main_vivaldi:
  Image|endswith: \vivaldi.exe
filter_main_whale:
  Image|endswith: \whale.exe
condition: selection and not 1 of filter_main_*
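To see how the filters above interact with the false positives listed at the top of the page, here is an added evaluator (not code from the LoFP page or the Sigma project) that applies the rule's selection and filter_main_* blocks to constructed Sysmon Event ID 3-style events. The event dictionaries, user paths and process names are made up for the demonstration; a YAML list such as filter_main_edge_1 is OR-ed and a map such as filter_main_edge_2 is AND-ed, as Sigma specifies.

```python
from typing import Callable, Dict, List

Event = Dict[str, str]
Pred = Callable[[str], bool]

# Sigma string matching is case-insensitive: predicates receive a lower-cased
# Image value and lower-case their own constants.
def ends(*sfx: str) -> Pred:
    return lambda v: any(v.endswith(s.lower()) for s in sfx)

def starts(*pfx: str) -> Pred:
    return lambda v: any(v.startswith(p.lower()) for p in pfx)

def equals(*vals: str) -> Pred:
    return lambda v: v in {x.lower() for x in vals}

PF, PF86 = r"C:\Program Files", r"C:\Program Files (x86)"

# One predicate per filter_main_* block of the rule above.
FILTER_MAIN: List[Pred] = [
    ends(r"\brave.exe"),
    equals(PF + r"\Google\Chrome\Application\chrome.exe", PF86 + r"\Google\Chrome\Application\chrome.exe"),
    lambda v: starts(PF86 + r"\Microsoft\EdgeWebView\Application" "\\")(v)      # edge_1: list, so OR
    or ends(r"\WindowsApps\MicrosoftEdge.exe")(v)
    or equals(PF86 + r"\Microsoft\Edge\Application\msedge.exe", PF + r"\Microsoft\Edge\Application\msedge.exe")(v),
    lambda v: ends(r"\msedge.exe", r"\msedgewebview2.exe")(v)                    # edge_2: map, so AND
    and starts(PF86 + r"\Microsoft\EdgeCore" "\\", PF + r"\Microsoft\EdgeCore" "\\")(v),
    equals(PF + r"\Mozilla Firefox\firefox.exe", PF86 + r"\Mozilla Firefox\firefox.exe"),
    equals(PF86 + r"\Internet Explorer\iexplore.exe", PF + r"\Internet Explorer\iexplore.exe"),
    ends(r"\maxthon.exe"), ends(r"\opera.exe"), ends(r"\safari.exe"),
    ends(r"\seamonkey.exe"), ends(r"\vivaldi.exe"), ends(r"\whale.exe"),
]

def matches(event: Event) -> bool:
    """True when the rule fires: selection holds and no filter_main_* block matches."""
    image = event.get("Image", "").lower()
    selection = "api.telegram.org" in event.get("DestinationHostname", "").lower()
    return selection and not any(f(image) for f in FILTER_MAIN)

def alerts(events: List[Event]) -> List[str]:
    return [e["Image"] for e in events if matches(e)]

# Constructed sample events, not real telemetry. Events 2 and 3 are the page's
# false positives: a browser installed outside the listed paths and an RSS reader.
SAMPLE_EVENTS: List[Event] = [
    {"Image": PF + r"\Google\Chrome\Application\chrome.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": PF + r"\Microsoft\EdgeCore\120.0.0.0\msedge.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Local\Chromium\Application\chrome.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Local\FeedReader\feedreader.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Roaming\updater.exe", "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    for img in alerts(SAMPLE_EVENTS):
        print("ALERT", img)
```

Note that the Chrome and Firefox filters are exact-path matches, so a per-user Chromium build fires while any path ending in \brave.exe is filtered; tune the filters to your fleet's install locations before relying on the rule.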