Threat Hunting for telegram as a Commmand & Control channel
Behavior Telegram C2
Query
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| project
Timestamp,
DeviceName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
InitiatingProcessAccountDomainAbout this query
Explanation
This query is designed for threat hunting to identify potential misuse of Telegram as a Command & Control (C2) channel by attackers. It focuses on detecting network events where the remote URL contains "api.telegram.org," which is the API endpoint for Telegram. This could indicate that a device is communicating with Telegram's API, possibly for malicious purposes such as data exfiltration or command and control activities.
The query extracts specific details from these network events, including:
- Timestamp/TimeGenerated: When the event occurred.
- DeviceName: The name of the device involved in the communication.
- InitiatingProcessFileName: The name of the process that initiated the communication.
- InitiatingProcessCommandLine: The command line details of the initiating process.
- InitiatingProcessAccountName: The account name under which the process was running.
- InitiatingProcessAccountDomain: The domain of the account under which the process was running.
By analyzing these details, security analysts can investigate whether the communication with Telegram's API is legitimate or potentially malicious, helping to identify and mitigate threats that disguise themselves as normal Telegram traffic.
