🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to Telegram API - Possible Exfiltration Over Web Service - 🚱 T1567
Source: pawpatrules
Created: July 13, 2024
Updated: July 14, 2024
Classification: trojan-activity
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to Telegram API - Possible Exfiltration Over Web Service - 🚱 T1567"; flow:to_server, stateless; ja3.hash; content:"3c4eb72b882d4d1442c67ce73f1292a9"; fast_pattern; tls_sni; content:"t.me"; startswith; endswith; nocase; metadata:former_category JA3; target:src_ip; metadata:attack_target Client_Endpoint, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1567, mitre_technique_name Exfiltration_Over_Web_Service, former_category MALWARE, malware_family Formbook, created_at 2024_07_14, updated_at 2024_07_14; sid:3321292; rev:1; classtype:trojan-activity;)
Metadata
former category: JA3