Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Sigma rule (View on GitHub)

 1title: Telegram API Access
 2id: b494b165-6634-483d-8c47-2026a6c52372
 3status: test
 4description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
 5references:
 6    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
 7    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
 8    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
 9author: Florian Roth (Nextron Systems)
10date: 2018/06/05
11modified: 2023/05/18
12tags:
13    - attack.defense_evasion
14    - attack.command_and_control
15    - attack.t1071.001
16    - attack.t1102.002
17logsource:
18    category: proxy
19detection:
20    selection:
21        cs-host: 'api.telegram.org' # Often used by Bots
22    filter:
23        c-useragent|contains:
24            # Used https://core.telegram.org/bots/samples for this list
25            - 'Telegram'
26            - 'Bot'
27    condition: selection and not filter
28fields:
29    - ClientIP
30    - c-uri
31    - c-useragent
32falsepositives:
33    - Legitimate use of Telegram bots in the company
34level: medium

References

Related rules

to-top