Query Details

Threat Hunting for telegram as a Commmand & Control channel

Behavior Telegram C2

Query

DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| project 
    Timestamp,
    DeviceName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    InitiatingProcessAccountDomain

About this query

Explanation

This query is designed for threat hunting to identify potential misuse of Telegram as a Command & Control (C2) channel by attackers. It focuses on detecting network events where the remote URL contains "api.telegram.org," which is the API endpoint for Telegram. This could indicate that a device is communicating with Telegram's API, possibly for malicious purposes such as data exfiltration or command and control activities.

The query extracts specific details from these network events, including:

  • Timestamp/TimeGenerated: When the event occurred.
  • DeviceName: The name of the device involved in the communication.
  • InitiatingProcessFileName: The name of the process that initiated the communication.
  • InitiatingProcessCommandLine: The command line details of the initiating process.
  • InitiatingProcessAccountName: The account name under which the process was running.
  • InitiatingProcessAccountDomain: The domain of the account under which the process was running.

By analyzing these details, security analysts can investigate whether the communication with Telegram's API is legitimate or potentially malicious, helping to identify and mitigate threats that disguise themselves as normal Telegram traffic.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteUrlTimestampNameInitiatingProcessFileCommandLineAccountDomainTimeGenerated

Operators

DeviceNetworkEventswherecontainsproject

MITRE Techniques

Actions

GitHub