🐾 - 🚨 Suspicious TLSv1.3 connection from 🪟 Windows 11 to Telegram 💬 - Possible info-stealing operation
Source: pawpatrules
Created: February 17, 2024
Updated: February 17, 2024
Classification: credential-theft
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious TLSv1.3 connection from 🪟 Windows 11 to Telegram 💬 - Possible info-stealing operation"; flow:to_server, stateless; ja3.hash; content:"3c293bdf2a25c07559b560ba86debc77"; fast_pattern; tls_sni; content:"t.me"; nocase; endswith; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, created_at 2024_02_17, updated_at 2024_02_17; sid:3301132; rev:2; classtype:credential-theft;)
Metadata
attack target: Client_and_Server
signature severity: Major
affected product: Windows_11_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
former category: MALWARE
created at: 2024_02_17
updated at: 2024_02_17