splApache-2.0from splunk/security_content
Download Files Using Telegram
The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/download_files_using_telegram.yml
`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest dvc file_hash
file_name file_path process_exec
process_guid process_id process_name
process_path signature signature_id
user_id vendor_product Contents
Image
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `download_files_using_telegram_filter`