Using a portable Telegram client, is it so invisible?

risks of information leakage, as it entails intentional or unintentional disclosure of data.

As a measure to prevent such leakage, companies usually use DLP systems (Data Loss Prevention) and other methods of monitoring correspondence. One of the most popular messengers used in Russia and the CIS is Telegram. As the practice of companies working with DLP shows, the algorithm for identifying a Telegram client in the system is imperfect and it is quite easy to bypass control mechanisms using the portable version.

Assessing the cost of implementing control mechanisms and the ease of bypassing them, let's try to answer the question: “By what signs can you understand that the Portable Telegram client is being used?”

For analysis, we will use standard system monitoring tools as well as Sysmon logs. We will examine the log events in R-Vision SIEM, since the product allows all events to be processed in one place with convenient filters and high performance.

Telegram in a corporate environment

Official Telegram client applications are available in various versions:

In the corporate environment, the most popular is the Desktop client for the Windows operating system, which in turn comes in two versions: the classic installed one and the portable one. We will conduct further analysis through the prism of the differences between these two versions of the application, since the installed version poses no monitoring problems for DLP, which cannot be said of the portable one.

Monitoring the use of Telegram on Windows can be done at different levels of interaction with the system. Let's roughly divide them into:

Let's start searching for indicators by launching the application.

Search for artifacts

Creating a process

First, let's look at the creation events of the Telegram process on a Windows workstation. For the convenience of presenting logs, we will use the event comparison functionality in R-Vision SIEM.

The process start event is logged in the Security log with EventID 4688 (Process Creation). The event records the full path to the executable file. The installed version is usually located at the path %USERPROFILE%/AppData/Roaming/Telegram Desktop/Telegram.exe, while the portable version defaults to the path %USERPROFILE%/{PATH}/tportable-x..., but as you can see in the picture below, this path can easily be changed. The event also shows the parent process, which will always be explorer.exe when the user launches the client from the GUI, and the user who launched the messenger client.

Event with EventID 4688 about the launch of the Telegram client

Unfortunately, if the client executable or its path is renamed, this event will not help us. In that case, the event with EventID 1 (Process creation) from the Sysmon/Operational log comes to the rescue. In addition to the information discussed earlier, this event also contains the checksums of the executable file and information about the application's publisher. These values are harder for the user to change than the file name; one way to change them is the Resource Hacker utility.
Note that the checksums of the executable file differ depending on the client version used, which will require constant updating and maintenance of the list. If the company installs and updates software centrally, the “illegal” version of the client can be singled out with a logical exclusion, for example: fileHash not like "%legitimate hash%".

Event with EventID 1 of the Sysmon/Operational log about the launch of the Telegram client

Process start events can be used to detect a portable version of the client, however, if the user has special skills, this detection method can be bypassed. In order to distinguish the installable version from the portable one, you should pay attention to the path to the executable file. The installed version of the client is located by default at the path %USERPROFILE%/AppData/Roaming/Telegram Desktop/Telegram.exe.
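Added example (not from the original article): classifying Sysmon EventID 1 process-creation events the way this section describes, using the image path to tell installed from portable and the hash allow-list exclusion for centrally deployed builds. The sample events, product strings and hash values are constructed placeholders, not real Telegram build hashes.

```python
import re

# Constructed sample events in the shape of Sysmon EventID 1 fields (placeholder hashes).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "Product": "Telegram Desktop", "Hashes": "MD5=PLACEHOLDER,SHA256=AAAA_APPROVED_BUILD"},
    {"Image": r"D:\tools\tportable-x64\Telegram\Telegram.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob",
     "Product": "Telegram Desktop", "Hashes": "MD5=PLACEHOLDER,SHA256=BBBB_OTHER_BUILD"},
    {"Image": r"C:\Users\carol\Downloads\notes.exe",  # renamed portable binary
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\carol",
     "Product": "Telegram Desktop", "Hashes": "MD5=PLACEHOLDER,SHA256=BBBB_OTHER_BUILD"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\dave", "Product": "Microsoft Windows Operating System",
     "Hashes": "MD5=PLACEHOLDER,SHA256=CCCC_NOTEPAD"},
]

# Hashes of builds the company deploys centrally (constructed allow-list).
APPROVED_HASHES = {"AAAA_APPROVED_BUILD"}

# Default location of the installed client; anything else is treated as portable.
INSTALLED_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\telegram desktop\\telegram\.exe$", re.I)

def sha256_of(hashes_field: str) -> str:
    """Pull the SHA256 value out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip()
    return ""

def classify(event: dict) -> str:
    """Verdict: not-telegram, installed, installed-unapproved, portable, portable-renamed."""
    image = event["Image"]
    named_telegram = image.lower().endswith("\\telegram.exe")
    # Version-resource metadata survives a rename; the file name alone does not.
    if event.get("Product") != "Telegram Desktop" and not named_telegram:
        return "not-telegram"
    if not INSTALLED_RE.match(image):
        return "portable" if named_telegram else "portable-renamed"
    return "installed" if sha256_of(event["Hashes"]) in APPROVED_HASHES else "installed-unapproved"

def detect(events):
    """Return (user, image, verdict) for every Telegram launch other than the approved installed build."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict not in ("not-telegram", "installed"):
            hits.append((e["User"], e["Image"], verdict))
    return hits
```

A binary whose version resource was edited with Resource Hacker (as the text notes) will not carry the product string, which is why this check is only a first layer.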

In the next section we will look at changes at the file subsystem level.

Changing the file system

When the portable Telegram client is launched, a folder named tdata is created in its launch directory, and the application data is placed there. With file-creation logging configured for user folders, you can record these changes with the event EventID 11 (FileCreate) in the Sysmon/Operational log.

Sysmon log event with EventID 11 about file creation

It is worth considering that a directory named tdata may be used by other applications, so to minimize false positives you can correlate this event with the event EventID 1 (Process creation) from Sysmon/Operational by process ID (the spid field of the normalized event). You can also exclude events where the path to the /tdata/ directory contains the substrings Program Files, Windows or ProgramData, or, conversely, restrict detection to the user directory :\Users\.* and the Temp folder.

To track file system change events, it is necessary to set up auditing of changes in the corresponding directories, which can lead to the generation of a large number of events that are of no importance to the information security service. This can reduce the performance of the event processing system and increase its cost, so we conclude that you can monitor the use of the Telegram client based on the creation of files in the tdata directory, but you need to take a conscious approach to setting the appropriate logging level. In this case, you can exclude the installed version using the path C:/Users/{{User}}/AppData/Roaming/Telegram Desktop/tdata; the remaining events will signal the use of the portable version.
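Added example (not from the original article): the tdata filter described in this section, applied to constructed Sysmon EventID 11 (FileCreate) and EventID 1 events that have been normalized with a spid field. It drops system and vendor paths, limits matches to the user directory, excludes the installed client's default tdata location, and only reports creations it can attribute to a process.

```python
import re

# Constructed sample events (not real logs). spid = process id of the normalized event.
PROCESS_EVENTS = [
    {"spid": 4120, "Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"spid": 5566, "Image": r"C:\Users\bob\Downloads\tportable-x64\Telegram\Telegram.exe"},
    {"spid": 7001, "Image": r"C:\Program Files\SomeVendor\Agent.exe"},
]
FILE_EVENTS = [
    {"spid": 4120, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\settingss"},
    {"spid": 5566, "TargetFilename": r"C:\Users\bob\Downloads\tportable-x64\Telegram\tdata\settingss"},
    {"spid": 7001, "TargetFilename": r"C:\ProgramData\SomeVendor\tdata\cache.bin"},  # other app using 'tdata'
    {"spid": 9999, "TargetFilename": r"C:\Users\eve\AppData\Local\Temp\tg\tdata\key_datas"},  # no EventID 1
]

TDATA_RE = re.compile(r"\\tdata\\", re.I)
# tdata folders under these roots belong to system or vendor software, not a user-launched client.
EXCLUDED_RE = re.compile(r"\\(Program Files|Windows|ProgramData)\\", re.I)
USER_SCOPE_RE = re.compile(r"^[a-z]:\\Users\\", re.I)
INSTALLED_TDATA_RE = re.compile(
    r"^[a-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Telegram Desktop\\tdata\\", re.I)

def portable_tdata_creations(process_events, file_events):
    """Return (spid, image, path) for tdata file creations attributable to a portable client."""
    image_by_pid = {e["spid"]: e["Image"] for e in process_events}
    hits = []
    for ev in file_events:
        path = ev["TargetFilename"]
        if not TDATA_RE.search(path) or EXCLUDED_RE.search(path) or not USER_SCOPE_RE.match(path):
            continue
        if INSTALLED_TDATA_RE.match(path):
            continue  # installed client writing to its default location
        image = image_by_pid.get(ev["spid"])
        if image is None:
            continue  # no matching process-creation event: cannot attribute, so do not alert
        hits.append((ev["spid"], image, path))
    return hits
```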

The next method for detecting the use of the Telegram client is to monitor network activity.

Markers on the web

When synchronizing, the application contacts the Telegram API servers. The list of network connections made when the application starts is shown in the image. This behavior is the same for the portable client and the installed one, but differs for the Web version of the client.

Network activity of the Telegram Portable agent and the Web version of the client

Such requests can be detected by analyzing proxy server logs or network connections, or based on the event EventID 22 (DNSEvent) in the Sysmon/Operational log.

Event with Sysmon/Operational log EventID 22

The Telegram client requests addresses from the following DNS names:

  • td.telegram.org

  • telegram.org

  • desktop.telegram.org

  • tdesktop.telega.one

  • api.telegram.org

Based on the event discussed above, we can conclude that the Telegram client is being used, while the installed version can be distinguished from the portable one by the path to the executable file specified in the event (the dproc field of the normalized event).

Additionally, consider the network connections recorded in events with EventID 3 (Network connection detected) in the Sysmon/Operational log. The figure shows statistics of Telegram client connections to servers over 5 minutes; the count column shows the number of connection events to each server.

Statistics of Telegram client connections to control servers

When a proxy server is used, the proxy's address is recorded as the connection IP address in the network connection event in the Sysmon/Operational log. In this case, detecting network connections to Telegram servers based on the event EventID 3 (Network connection detected) is impossible.

To synchronize with the server, Telegram uses several public subnets. Information about the subnets used, according to ipinfo.io, is shown in the image.

Information about the telegram_messenger_network subnet

We would like to note that detection based on a list of Telegram server IP addresses is not effective, since that list changes. If you decide to use this method to detect the use of Telegram, then in addition to the event considered, you can use connection events from network devices, but it is impossible to distinguish the use of a portable client from an installed one this way.

Monitoring network connections and DNS requests to Telegram servers can also help detect attacks that use it as a tool for managing compromised hosts and exchanging data. In the published analyses of such attacks, attackers use custom client implementations (which makes detection based on the other events under consideration impossible), but such clients still contact the API of the legitimate Telegram servers. These requests will be recorded in the events discussed in this section.

Next, let's look at what changes occur in the system when the client is launched. First, let's look at the changes recorded in the registry.

The registry will tell you everything

When the application is launched for the first time, changes occur in the registry branch /HKEY_USERS/{{UUID}}_Classes. Two keys, tg and tdesktop.tg, are created in this branch.
The registry keys remain after both the installed and portable versions exit, and their contents are similar.

Creating and changing registry keys when starting Telegram Client

Changes to the data in this branch can be tracked with the event EventID 4657 (A registry value was modified) in the Security log. Logging this event requires configuring advanced auditing and a SACL on the modified registry branch.

Event with EventID 4657 about changing the value of a registry key

The same changes are also visible in the events EventID 12 (RegistryEvent (Object create and delete)) and EventID 13 (RegistryEvent (Value Set)) from the Sysmon/Operational log for the same branches:

Sysmon log event 13 about registry key value change

The portable version can be distinguished from the installed one by the path to the executable file in the value of the modified key .../tg/shell/open/command/(Default), which is stored in the cs4 field of the normalized event.

Similar to the previously discussed file system change events, registry change events require a conscious approach to setting up auditing to avoid the problem of generating a large number of uninformative logs. Therefore, we consider this method ineffective. When deciding to use this method, you can use any of the events discussed in this section, since they display the same context necessary for detection.

Having examined the changes at the registry level, let's move on to the events of creating a named pipe, which provides inter-process communication.

Create a named pipe

When the application starts, it creates a named pipe. A named pipe is used for communication between processes in Windows operating systems: various processes in the system can write data to it and read data from it, providing the necessary interaction.
The pipe name is generated by the function SingleInstanceLocalServerName and consists of the word Global\\ + a hash value in md5 format + “-” + a unique GUID.
Below is an example of the generated name:

\\Global\\86dc7d25b16c5a67f82ffcb5c00ac31e-{87A94AB0-E370-4cde-98D3-ACC110C5967D}

Named pipe creations are logged with the event EventID 17 (Pipe created) in the Sysmon/Operational log.

Sysmon log event ID 17 about named pipe creation

The name of the pipe created by the Telegram client can be checked using a regular expression (hex character classes written out in full, since a range such as A-f would also admit characters that lie between the upper- and lower-case letters in ASCII):

\\Global\\[0-9a-f]{32}-\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}

A named pipe is created both when using an installed application and a portable one, so differences can only be recorded in the path to the executable file that created the named pipe.
Based on the events of named pipe creation, you can quite effectively detect the use of the Telegram client, even after modifying the executable file discussed in the “Creating a process” section. At the same time, the installed version can be distinguished from the portable version only by the path to the executable file.
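Added example (not from the original article): the pipe-name mask from this section applied to constructed Sysmon EventID 17 (Pipe created) events, with the installed/portable split made on the Image path as the text describes. The md5-GUID value reuses the sample name shown above; the other pipe names, paths and process ids are constructed. The leading separator is accepted as one or two backslashes, since how the logged name is rendered depends on the collector (an assumption, not something the article states).

```python
import re

# Mask from the article; hex classes written out, one or two leading backslashes accepted.
TELEGRAM_PIPE_RE = re.compile(
    r"^\\{1,2}Global\\{1,2}[0-9a-f]{32}-"
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")

# Default location of the installed client; any other image path is treated as portable.
INSTALLED_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\telegram desktop\\telegram\.exe$", re.I)

# Constructed Sysmon EventID 17 events (not real logs).
SAMPLE_PIPE_EVENTS = [
    {"ProcessId": 4120, "PipeName": r"\\Global\\86dc7d25b16c5a67f82ffcb5c00ac31e-{87A94AB0-E370-4cde-98D3-ACC110C5967D}",
     "Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"ProcessId": 5566, "PipeName": r"\Global\86dc7d25b16c5a67f82ffcb5c00ac31e-{87A94AB0-E370-4cde-98D3-ACC110C5967D}",
     "Image": r"C:\Users\bob\Downloads\notes.exe"},  # renamed portable binary: still caught by the pipe name
    {"ProcessId": 7001, "PipeName": r"\mojo.7001.1234.5678", "Image": r"C:\Program Files\Browser\browser.exe"},
    {"ProcessId": 8002, "PipeName": r"\Global\86dc7d25b16c5a67f82ffcb5c00ac31e-{87A94AB0-E370-4cde-98D3-ACC110C5967G}",
     "Image": r"C:\Users\eve\tool.exe"},  # last GUID character is not hex: does not match the mask
]

def classify_pipe_event(event: dict):
    """Return 'installed' or 'portable' for a Telegram-shaped pipe, None otherwise."""
    if not TELEGRAM_PIPE_RE.match(event["PipeName"]):
        return None
    # Other software could use the same md5-GUID naming scheme; the Image path is the only
    # extra context this event offers, so it decides installed vs portable but not vendor.
    return "installed" if INSTALLED_RE.match(event["Image"]) else "portable"

def portable_pipe_alerts(events):
    """(ProcessId, Image) for every matching pipe not created by the installed client."""
    return [(e["ProcessId"], e["Image"]) for e in events if classify_pipe_event(e) == "portable"]
```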

Next, let's look at Windows API calls specific to the Telegram client, using the API Monitor utility.

Monitoring at the Windows API level

When the Telegram client starts, regardless of the launch directory and the name of the executable file, a CreateFileW API call that creates a Qt configuration file with the path C:/Telegram/Libraries/... is typical:

API call to create Qt configuration file

The installed version of the client is characterized by a GetFullPathNameW API call that checks for the presence of files and directories with the path C:/Users/{{User}}/AppData/Roaming/Telegram Desktop/ as a parameter, followed by a CreateDirectoryW call with a similar parameter to create this directory:

API call for checking and creating application data files of the installed version

The portable version makes similar GetFullPathNameW and CreateDirectoryW calls, only with the path in the arguments corresponding to the launch directory:

API call to check and create data files of the portable version application

When you launch the portable version for the first time (or launch it in a new directory), the tdata directory for storing application data is created using the CreateDirectoryW API call. The operation returns the value True:

API call to create the application data directory

When we launch it again, as well as when we run the installed version, as a result of calling the API to create a directory, we receive an error that the directory has already been created.

Error when trying to create a directory on restart

Additionally, launching the Telegram client, regardless of version, is characterized by creating and connecting to a named pipe using the system calls CreateNamedPipeW and ConnectNamedPipe:

Creating and connecting to a named pipe

Conclusion

In the article, we examined possible artifacts in Windows events that are left by the portable version of the Telegram client. Each marker has its own advantages and disadvantages:

  • A method based on the considered process startup events can effectively detect the use of a client if the user who launched it did not modify the executable file.

  • Methods based on file system and registry changes will also report its use, but logging such events typically requires additional auditing configuration.

  • Network connection and DNS request events can signal the use of the Telegram client, including custom client builds, but this requires maintaining an up-to-date list of the subnets and DNS names used by Telegram. These events are not recorded when a proxy is used.

  • Named pipe creation events whose name matches the considered mask can tell us about the use of the Telegram client, but there is no 100 percent guarantee that other software does not use a similar name format.

The considered methods detect the use of the official Telegram client, regardless of its version. You can distinguish a portable version from an installable one only by the path to the executable file and its hash.

From here we conclude that detecting the use of a Telegram client is a rather difficult task, but doable. Using R-Vision SIEM as an example, we showed how to solve this problem using a SIEM class solution.

Author: Nesterov Boris (@dino_cn), R-Vision Cybersecurity Threat Research Analyst.
