Download Files Using Telegram
The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1105 Ingress Tool Transfer |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 15 | FileCreateStreamHash |
Stages and Predicates
Stage 1: search
search EventCode=15 TargetFilename="*:Zone.Identifier" process_name="telegram.exe"
Stage 2: stats
stats BY dest, dvc, file_hash, file_name, file_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product, Contents, Image
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
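The Stage 1 predicate, replayed in Python over constructed Sysmon EventCode 15 records so the match and non-match cases can be checked offline. This is an added example, not the rule's own code; deriving process_name from the basename of Image and reading ZoneId out of Contents are assumptions about how the fields are populated.

```python
import ntpath
import re

STREAM = ":zone.identifier"

# Constructed Sysmon EventCode 15 (FileCreateStreamHash) records, not real telemetry.
TG = r"C:\Users\alice\AppData\Roaming\Telegram Desktop"
SAMPLE_EVENTS = [
    {"EventCode": 15, "Image": TG + r"\Telegram.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\scanner.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3"},
    {"EventCode": 15, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3"},
    {"EventCode": 15, "Image": TG.upper() + r"\TELEGRAM.EXE",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.txt:zone.identifier",
     "Contents": ""},
    {"EventCode": 11, "Image": TG + r"\Telegram.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\scanner.zip"},
    {"EventCode": 15, "Image": TG + r"\Telegram.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\scanner.zip:SmartScreen",
     "Contents": ""},
]

def matches_stage1(event):
    """EventCode=15 TargetFilename="*:Zone.Identifier" process_name="telegram.exe".
    Splunk's search command compares field values case-insensitively."""
    # Assumption: process_name is the basename of the Sysmon Image field.
    process_name = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "").lower()
    return (event.get("EventCode") == 15
            and target.endswith(STREAM)
            and process_name == "telegram.exe")

def zone_id(contents):
    """Return the ZoneId from a [ZoneTransfer] stream body, or None if absent."""
    m = re.search(r"^ZoneId=(\d+)\s*$", contents or "", re.MULTILINE)
    return int(m.group(1)) if m else None

def detect(events):
    """Return one finding per event that satisfies the Stage 1 predicate."""
    findings = []
    for ev in events:
        if matches_stage1(ev):
            path = ev["TargetFilename"][:-len(STREAM)]  # drop the stream suffix
            findings.append({"file_path": path,
                             "file_name": ntpath.basename(path),
                             "zone_id": zone_id(ev.get("Contents"))})
    return findings
```

ZoneId 3 is the Internet zone; a finding with no ZoneId still matches the rule, because the predicate only looks at the stream name and the creating process.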
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 15 |
| TargetFilename | eq | *:Zone.Identifier |
| process_name | eq | telegram.exe |