Adversaries abuse the Telegram Bot API for command and control and for data exfiltration because HTTPS traffic to api.telegram.org blends in with legitimate messaging and the bot API needs no infrastructure of the attacker's own. The rule below flags requests to the API whose User-Agent does not look like a Telegram client or bot library. SOC teams should run it as a hunting query in Azure Sentinel to surface covert channels that ordinary proxy allowlisting would never block.
Detection Rule
```yaml
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.002
logsource:
    category: proxy
detection:
    selection:
        cs-host: 'api.telegram.org' # Often used by Bots
    filter:
        c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
            - 'Telegram'
            - 'Bot'
    condition: selection and not filter
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium
```
Azure Sentinel Query
```kql
imWebSession
| where HttpHost =~ "api.telegram.org"
    and not (HttpUserAgent contains "Telegram" or HttpUserAgent contains "Bot")
```
The query runs over the ASIM Web Session schema (imWebSession), so the proxy source has to be onboarded to an ASIM parser first; `=~` and `contains` are case-insensitive in KQL, which matches the Sigma rule's string semantics. Two caveats apply before treating a hit as an alert. First, the Bot API is only reachable over HTTPS, so what the proxy can log depends on TLS inspection: without it, the host comes from the CONNECT request or the SNI, the User-Agent is at best whatever the client attached to the CONNECT, and the URI path and method are never visible. Second, the User-Agent filter is trivially bypassed by any tool that puts "Telegram" or "Bot" in its User-Agent. The rule therefore catches low-effort tooling that sends a library default (curl, python-requests, Go-http-client and the like) and is best used as a hunting query whose hits are pivoted on source host and User-Agent rather than as a high-fidelity detection.
Scenario: System Monitoring Tool Access
Description: A system monitoring tool (e.g., Prometheus Alertmanager, Datadog) may make periodic requests to the Telegram Bot API to deliver alerts.
Filter/Exclusion: Exclude the tool's source host or IP paired with the User-Agent it actually sends, and take that pairing from a baseline of its traffic rather than from documentation. Do not try to filter on "alerting" request paths: the Bot API has no alert-specific endpoint (every delivery is the same sendMessage method at /bot<token>/sendMessage), the path is only visible with TLS inspection, and the path contains the bot token, so a logged path is a secret to redact rather than a tuning key.
Scenario: Scheduled Job for User Activity Reporting
Description: A scheduled job (e.g., cron or Task Scheduler) runs daily to post a user activity report to a Telegram chat through a custom script or API wrapper.
Filter/Exclusion: Exclude the job's source host paired with the script's User-Agent, and give the script a distinctive User-Agent if it currently sends a library default. Do not exclude on the job's time window (e.g., 2:00 AM): an implant can beacon at 2:00 AM just as easily, and a time-based exception would silently cover it.
Scenario: Admin Task for Incident Communication
Description: An admin manually uses a Telegram bot (e.g., via the python-telegram-bot library) to communicate with stakeholders during an incident response.
Filter/Exclusion: Exclude the specific workstation paired with the User-Agent of the bot client for the duration of the incident, then retire the exception. Do not blanket-exclude admin workstations: they are the hosts an attacker most wants to operate from, and unexpected Telegram traffic from them is exactly what the rule exists to show.
Scenario: Integration with Third-Party Chatbot
Description: A legitimate integration with a third-party chatbot (e.g., for customer support) may call the Telegram API without a Telegram-style User-Agent.
Filter/Exclusion: Exclude the source hosts of the on-premises connector paired with its User-Agent. If the integration runs in the vendor's cloud, its Telegram traffic never crosses the corporate proxy and needs no exception at all, so an internal host that appears to be that integration deserves a closer look.
Scenario: Automated Log Aggregation to Telegram
Description: A log aggregation tool (e.g., ELK Stack, Splunk) may send aggregated logs or alert summaries to a Telegram channel for real-time monitoring.
Filter/Exclusion: Exclude the shipping host paired with the User-Agent of the plugin or script that posts to Telegram. This pattern is itself a sanctioned outbound channel for internal data, so document it as one, and review any change in source host, User-Agent or request volume under the exception instead of absorbing it silently.
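To make the rule's logic and the tuning pattern from the scenarios concrete, here is an added Python example (not the Sigma rule, the Sentinel query or any SigmaHQ code) that applies `selection and not filter` with Sigma's case-insensitive string semantics to a handful of constructed proxy log lines, subtracts a source-plus-User-Agent allowlist of the kind the scenarios recommend, and redacts the bot token from any path it reports. The log layout, IP addresses, bot tokens and allowlist entries are all made up for the example; the fifth sample line shows the bypass the rule cannot see.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed proxy log in a W3C-style layout (an assumption, not a real export):
# date time c-ip cs-host cs-method cs-uri-path c-useragent
SAMPLE_LOG = """\
2024-05-01 02:00:03 10.0.5.20 api.telegram.org POST /bot123456:ABCDEF/sendMessage python-requests/2.31.0
2024-05-01 09:12:44 10.0.7.15 api.telegram.org POST /bot123456:ABCDEF/sendMessage TelegramBot (like TwitterBot)
2024-05-01 09:13:01 10.0.9.88 api.telegram.org POST /bot987:XYZ/getUpdates curl/8.4.0
2024-05-01 09:13:05 10.0.9.88 www.example.com GET /index.html curl/8.4.0
2024-05-01 10:40:10 10.0.9.88 api.telegram.org POST /bot987:XYZ/sendDocument Mozilla/5.0 (Windows NT 10.0) Bot
2024-05-01 11:02:17 10.0.3.4 api.telegram.org GET /bot555:AAA/getMe Go-http-client/1.1
"""

# Tuned exceptions in the shape the scenarios recommend: (source IP, User-Agent prefix).
# Hypothetical values; keyed on source AND client, never on time of day.
ALLOWLIST = [
    ("10.0.5.20", "python-requests/"),  # monitoring host that posts alerts
]

# Bot API paths look like /bot<id>:<secret>/<method>; the whole <id>:<secret> is the token.
TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+")


@dataclass
class ProxyEvent:
    timestamp: str
    c_ip: str
    cs_host: str
    method: str
    path: str
    user_agent: str


def parse_line(line: str) -> ProxyEvent:
    """Split one log line; the User-Agent is the remainder and may contain spaces."""
    date, time, c_ip, host, method, path, ua = line.split(maxsplit=6)
    return ProxyEvent(f"{date} {time}", c_ip, host, method, path, ua)


def redact_token(path: str) -> str:
    """Strip the bot token before a path is copied into a ticket or alert."""
    return TOKEN_RE.sub("/bot<redacted>", path)


def sigma_match(ev: ProxyEvent) -> bool:
    """selection and not filter, using Sigma's case-insensitive matching."""
    selection = ev.cs_host.lower() == "api.telegram.org"
    ua = ev.user_agent.lower()
    filt = "telegram" in ua or "bot" in ua
    return selection and not filt


def is_allowlisted(ev: ProxyEvent, allowlist) -> bool:
    """An exception applies only when both the source and the client agree."""
    return any(ev.c_ip == ip and ev.user_agent.startswith(prefix) for ip, prefix in allowlist)


def hunt(log_text: str, allowlist=ALLOWLIST) -> list[ProxyEvent]:
    """Return the events a hunter should look at: rule hits minus tuned exceptions."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if sigma_match(ev) and not is_allowlisted(ev, allowlist):
            alerts.append(ev)
    return alerts


def pivots(alerts: list[ProxyEvent]) -> dict[tuple[str, str], int]:
    """Group hits by (source, User-Agent) so one noisy host is triaged once."""
    counts: dict[tuple[str, str], int] = {}
    for ev in alerts:
        key = (ev.c_ip, ev.user_agent)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(ev.timestamp, ev.c_ip, ev.method, redact_token(ev.path), ev.user_agent)
    # The fifth sample line is the rule's blind spot: a client that puts "Bot"
    # in its User-Agent passes the filter, so a hit list is hunting input, not proof.
```

Running the block reports the curl and Go-http-client hits and drops the monitoring host only because both its IP and its User-Agent match the exception; removing the allowlist brings that host back, and the host in the fifth line never appears at all.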