Sigma rules · CVE-2021-31321

Home/CVE-2021-31321/Sigma rules

Sigma

Sigma rules for CVE-2021-31321

3 rules · scoped to cve · back to CVE-2021-31321

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

3 of 3

direct medium

Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

status test author Florian Roth (Nextron Systems) id c64c5175-5189-431b-a55e-6d9882158251 license Sigma · DRL-1.1

view Sigma YAML

title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
status: test
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
references:
    - https://core.telegram.org/bots/faq
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1102.002
logsource:
    category: dns
detection:
    selection:
        query: 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
    condition: selection
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium

direct medium

Suspicious Non-Browser Network Communication With Telegram API

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

status test author Nasreddine Bencherchali (Nextron Systems) id c3dbbc9f-ef1d-470a-a90a-d343448d5875 license Sigma · DRL-1.1

view Sigma YAML

title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS  etc.
level: medium

direct medium

Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

status test author Florian Roth (Nextron Systems) id b494b165-6634-483d-8c47-2026a6c52372 license Sigma · DRL-1.1

view Sigma YAML

title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.002
logsource:
    category: proxy
detection:
    selection:
        cs-host: 'api.telegram.org' # Often used by Bots
    filter:
        c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
            - 'Telegram'
            - 'Bot'
    condition: selection and not filter
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium

Showing 1-3 of 3

Prev 1 Next