Suspicious Non-Browser Network Communication With Telegram API
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_network_connection" AND DESTINATIONHOST contains "api.telegram.org" AND (PROCESSNAME notendswith "\brave.exe" AND PROCESSNAME != "C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" AND PROCESSNAME != "C:\Program Files\Mozilla Firefox\firefox.exe,C:\Program Files (x86)\Mozilla Firefox\firefox.exe" AND PROCESSNAME != "C:\Program Files (x86)\Internet Explorer\iexplore.exe,C:\Program Files\Internet Explorer\iexplore.exe" AND PROCESSNAME notendswith "\maxthon.exe" AND (PROCESSNAME notstartswith "C:\Program Files (x86)\Microsoft\EdgeWebView\Application" AND PROCESSNAME notendswith "\WindowsApps\MicrosoftEdge.exe" AND PROCESSNAME != "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,C:\Program Files\Microsoft\Edge\Application\msedge.exe") AND (PROCESSNAME notstartswith "C:\Program Files (x86)\Microsoft\EdgeCore\,C:\Program Files\Microsoft\EdgeCore" OR PROCESSNAME notendswith "\msedge.exe,\msedgewebview2.exe") AND PROCESSNAME notendswith "\opera.exe" AND PROCESSNAME notendswith "\safari.exe" AND PROCESSNAME notendswith "\seamonkey.exe" AND PROCESSNAME notendswith "\vivaldi.exe" AND PROCESSNAME notendswith "\whale.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.PROCESSNAME,Action1.DESTINATIONHOST,Action1.DESTINATION_IPV6,Action1.DEST_IP,Action1.SOURCEHOST,Action1.SOURCE_IP,Action1.SOURCE_IPV6
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems)
