Query Details

New Information Stealer Sams Stealer By CYFIRMA

Query

// New Information Stealer - SamsStealer (By CYFIRMA)
// https://www.linkedin.com/posts/activity-7198215669711052801-kQSk/

// SamsStealer: Unveiling the Information Stealer Targeting Windows Systems
// Link: https://lnkd.in/gF949sei

let WebTelegramPC =
DeviceNetworkEvents 
| where ActionType == @"HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = ConnectInfo.host
| where HttpHost contains "web.telegram.org"
| distinct DeviceName;
DeviceEvents
| where DeviceName has_any(WebTelegramPC)
| where MD5=="83f94302ae92909bc3b2834a5342d4a5" or MD5=="824e149b9c2bdd5dbe37f472533230af"
or MD5=="1f913f8d71f0f4d65858b5ba0ea94a9c" or MD5=="56acc1496d8e5bbc0e412c683971b809"
or MD5=="631eacb4519fd49048491c9b5ec6bda5" or MD5=="64410e06f80e75b6503e5525c323243b"
or MD5=="7d63047a48fa8984f11544149c2f0e70" or MD5=="da493648ca3b8fd9dbad7bbca659b796"
or MD5=="02fe599ed41cc4bd54a1d6a3cc2d830a" or MD5=="cb95c77750732c0a4dd29c1d4feb6f69"
or MD5=="11751f8d847764936b7bf014302da87f" or MD5=="31c73ad35b23e4d98ed974e604b85e00"

// MITRE ATT&CK Mapping

//The KQL query is designed to detect devices connecting to Telegram Web and then filter events based on specific MD5 hashes, which could indicate the presence of known malicious files. The associated MITRE ATT&CK techniques include:

// T1071.001: Application Layer Protocol - Web Protocols
// T1027: Obfuscated Files or Information
// T1036.005: Masquerading - Match Legitimate Name or Location
// T1070.004: Indicator Removal on Host - File Deletion

Explanation

This KQL query is designed to identify potential security threats on Windows systems by focusing on two main aspects:

  1. Detecting Connections to Telegram Web: The query first identifies devices that have connected to the Telegram Web application by inspecting network events. It filters these events to find connections specifically to "web.telegram.org" and collects a list of device names that have made such connections.

  2. Filtering for Known Malicious Files: The query then checks for any events on these devices that involve files with specific MD5 hash values. These hash values are known to be associated with malicious files, potentially indicating the presence of a threat on the device.

The query is associated with certain MITRE ATT&CK techniques, which are frameworks used to describe common tactics and techniques used by attackers:

  • T1071.001: Use of web protocols for communication, which could be used by malware to exfiltrate data or communicate with command and control servers.
  • T1027: Use of obfuscated files or information to hide malicious activity.
  • T1036.005: Masquerading by using legitimate names or locations to avoid detection.
  • T1070.004: Removal of indicators on the host, such as deleting files to cover tracks.

In summary, this query helps in identifying suspicious activities related to Telegram Web connections and the presence of known malicious files on devices, which could indicate a security breach or malware infection.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceNetworkEventsDeviceEvents

Keywords

DeviceNetworkEvents

Operators

let|where==@extendtodynamic()containsdistincthas_anyor

Actions

GitHub