Suspicious Non-Browser Network Communication With Telegram API

Rule Info

Tags
attack.command_and_control DEMO attack.t1102
Name
Suspicious Non-Browser Network Communication With Telegram API
Id
c3dbbc9f-ef1d-470a-a90a-d343448d5875
Date
2023-05-19 00:00:00
Modified
None
Description
Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
Reference
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
Author
Nasreddine Bencherchali (Nextron Systems)
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=c3dbbc9f-ef1d-470a-a90a-d343448d5875

Rule History

Title
Author
Commit
Date
feat: add new rules related to small sieve
Nasreddine Bencherchali
7b662b7c3
2023-05-19
fix: filter names and title
Nasreddine Bencherchali
231c2ecca
2023-05-09
fix: single list element
Nasreddine Bencherchali
91daec6d3
2023-05-09
fix: metadata update
Nasreddine Bencherchali
3767682f1
2023-05-09
Update net_connection_win_notion.yaml
Gavin Knapp
063bb57df
2023-05-04
Rename net_connection_win_notion.yml to net_connection_win_notion.yaml
Gavin Knapp
c11b69b8f
2023-05-04
Create net_connection_win_notion.yml
Gavin Knapp
401d71d9d
2023-05-03
fix: update hostname field
Nasreddine Bencherchali
08e3089c6
2023-04-19
feat: update browsers selections and filters
Nasreddine Bencherchali
4e7bb74d4
2023-04-18
New rules added for LockBit and Reddit used for C2. (#4045)
m4nbat
ae469ddef
2023-02-20
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022