🐾 - 🚨 Suspicious Powershell Windows 11 🪟 TLSv1.2 connection to Telegram API - Possible encrypted exfiltration - T1048.002 - Seen in 🐍 SnakeKeylogger ⌨ attack
Sourcepawpatrules
CreatedAugust 7, 2024
UpdatedAugust 14, 2024
Classificationtargeted-activity
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"🐾 - 🚨 Suspicious Powershell Windows 11 🪟 TLSv1.2 connection to Telegram API - Possible encrypted exfiltration - T1048.002 - Seen in 🐍 SnakeKeylogger ⌨ attack"; flow:to_server, stateless; ja3.hash; content:"6a5d235ee78c6aede6a61448b4e9ff1e"; fast_pattern; ssl_version:tls1.2; tls_sni; content:"api.telegram.org"; nocase; reference:url,https://attack.mitre.org/techniques/T1048/002/; reference:url,https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger; reference:url,https://samples.vx-underground.org/Papers/Malware%20Defense/Malware%20Analysis/2024/2024-06-30%20-%20Deep%20Analysis%20of%20Snake%20(404%20keylogger).pdf; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1048_002, mitre_technique_name Exfiltration_Over_Alternative_Protocol_Exfiltration_Over_Asymmetric_Encrypted_Non-C2_Protocol, created_at 2024_08_07, updated_at 2024_08_14; sid:3321321; rev:4; classtype:targeted-activity;)
References
Metadata
attack targetClient_and_Server
signature severityMajor
affected productWindows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic idTA0010
mitre tactic nameExfiltration
mitre technique idT1048_002
mitre technique nameExfiltration_Over_Alternative_Protocol_Exfiltration_Over_Asymmetric_Encrypted_Non-C2_Protocol
created at2024_08_07
updated at2024_08_14
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!