Query Details

Telegraminfostealers

Query

Tags:

Query:
DeviceNetworkEvents
| where RemoteUrl contains "api.telegram.org"
| where InitiatingProcessFileName !in ("chrome.exe","Telegram.exe","firefox.exe","msedge.exe","slack.exe","OUTLOOK.EXE","brave.exe","Postman.exe")
| where InitiatingProcessVersionInfoFileDescription != @"Opera Internet Browser"
| where InitiatingProcessFileName != @"Google Chrome Helper"
| where InitiatingProcessFileName != @"Opera Helper"
| where InitiatingProcessFileName != @"com.apple.WebKit.Networking"

Rferences:

Explanation

This query is searching through network event data to find instances where a device has connected to the Telegram API (specifically, any URL containing "api.telegram.org"). However, it filters out connections initiated by common web browsers and applications such as Chrome, Firefox, Edge, Slack, Outlook, Brave, Postman, and Opera. Additionally, it excludes connections initiated by certain helper processes associated with Google Chrome, Opera, and Apple's WebKit Networking. Essentially, the query is looking for unusual or unexpected processes that are accessing the Telegram API, which might indicate suspicious activity.

Details

Ali Hussein profile picture

Ali Hussein

Released: December 4, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

DeviceNetworkEventswherecontains!in!=

Actions

GitHub