| ID | Technique | Tactic |
|---|---|---|
| T1102.002 | Bidirectional Communication | Command And Control |
| T1071.004 | DNS | Command And Control |
| T1071 | Application Layer Protocol | Command And Control |
| T1102 | Web Service | Command And Control |
Detection: Windows DNS Query Request by Telegram Bot API
Description
The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network.
Search
1`sysmon` EventCode=22 query = "api.telegram.org" process_name != "telegram.exe"
2| stats count min(_time) as firstTime max(_time) as lastTime by query answer QueryResults QueryStatus process_name process_guid Computer
3| rename Computer as dest
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `windows_dns_query_request_by_telegram_bot_api_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 22 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_dns_query_request_by_telegram_bot_api_filter | search * |
windows_dns_query_request_by_telegram_bot_api_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
DE.AE
CIS 10
APT12
APT28
APT37
APT39
Carbanak
FIN7
HEXANE
Kimsuky
Lazarus Group
Magic Hound
MuddyWater
POLONIUM
Sandworm Team
Turla
ZIRCONIUM
APT18
APT39
APT41
Chimera
Cobalt Group
Ember Bear
FIN7
Ke3chang
LazyScripter
OilRig
Tropic Trooper
INC Ransom
Magic Hound
Rocke
TeamTNT
APT32
EXOTIC LILY
FIN6
FIN8
Fox Kitten
Gamaredon Group
Inception
LazyScripter
Mustang Panda
RedCurl
Rocke
TeamTNT
Turla
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
a third part automation using telegram API.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
DNS query by a telegram bot [$query$] on [$dest$].
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 36 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1