Suspicious Non-Browser Network Communication With Telegram API

Hunt Hypothesis

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

Detection Rule

Sigma (Original)

title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS  etc.
level: medium

KQL (Azure Sentinel)

imNetworkSession
| where DstHostname contains "api.telegram.org" and (not(((SrcProcessName endswith "\\brave.exe" or DstProcessName endswith "\\brave.exe") or ((SrcProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (DstProcessName in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"))) or ((SrcProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (DstProcessName in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"))) or ((SrcProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (DstProcessName in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"))) or (SrcProcessName endswith "\\maxthon.exe" or DstProcessName endswith "\\maxthon.exe") or ((SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\") or (SrcProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe" or DstProcessName endswith "\\WindowsApps\\MicrosoftEdge.exe") or ((SrcProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")) or (DstProcessName in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")))) or (((SrcProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or SrcProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\") or (DstProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or DstProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) and ((SrcProcessName endswith "\\msedge.exe" or SrcProcessName endswith "\\msedgewebview2.exe") or (DstProcessName endswith "\\msedge.exe" or DstProcessName endswith "\\msedgewebview2.exe"))) or (SrcProcessName endswith "\\opera.exe" or DstProcessName endswith "\\opera.exe") or (SrcProcessName endswith "\\safari.exe" or DstProcessName endswith "\\safari.exe") or (SrcProcessName endswith "\\seamonkey.exe" or DstProcessName endswith "\\seamonkey.exe") or (SrcProcessName endswith "\\vivaldi.exe" or DstProcessName endswith "\\vivaldi.exe") or (SrcProcessName endswith "\\whale.exe" or DstProcessName endswith "\\whale.exe"))))

Required Data Sources

False Positive Guidance

• Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.

MITRE ATT&CK Context

• Tactic: Command and Control
• Tactic: Exfiltration
• Technique: T1102 — T1102
• Technique: T1567 — T1567
• Technique: T1105 — T1105

References

• https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
• SigmaHQ Rule