Feeding Analysis Information Leak (AIL) Framework

Posted on April 24, 2022 (last modified May 13, 2022) by A.McHugh

I have been playing with CIRCL’s AIL Framework recently (which I will be writing about in another blog post), but I have had an interest in monitoring Telegram channels for Threat Intelligence and Data Breach indicators.

AIL has a very capable framework to detect indicators within processed information using a suite of very comprehensive Yara rules – but unless you want to copy and paste Telegram messages into AIL all day, some level of automation is required.

This is where the feeders come into play!

Telegram Feeder

The Telegram AIL Feeder is a Python script that leverages the Telegram API to join, leave, and get messages from a channel. I have made an update to the feeder script that allows the AIL operator to run the feeder.py script with the --getall action set, and then download all messages from all channels.

System Requirements

I opted to deploy the feeder on the same system as the AIL Framework, but in a sub-directory specific to AIL Feeder scripts. There is really only one piece of configuration to do for the script itself, but once you execute it for the first time you will need to provide some configuration for the Telegram API connection.

Telegram API Credentials

To configure the feeder to pull chat messages from your Telegram account, head over to the Telegram API page (https://my.telegram.org/auth) and log in by providing your registered phone number.

[Screenshot: Login to Telegram API Manager]

Once authenticated to the Telegram API Manager, click into 'API Development Tools' and define what the application will be called. The only configuration needed here is the App Title and Short name. Once submitted, an App API ID and App API Hash are generated.

[Screenshot: Telegram API credentials]

Now that you have the API ID and API Hash, add these values to the etc/conf.cfg file under the TELEGRAM section.

The first time the bin/feeder.py script is executed, it checks for the presence of a session file (as defined in the configuration file). If that file does not exist, the script prompts for your Telegram-registered telephone number, and an initial authentication and authorisation takes place.

After this initial authentication / authorisation, the session file is written into the bin/ directory of the Telegram feeder and is referenced for all future executions.

Channel Management

Joining and leaving channels through the feeder.py script is relatively easy, but it requires you to pass either the technical ID or the channel name as the argument to --join.

python3 bin/feeder.py --join CHANNEL_NAME 

Alternatively, since you have authenticated using your telephone number, the Telegram client registered against that number can join channels as normal, and when the script is re-run the new channel will be picked up.

Getting Channel Messages

Individual channels can have their chat messages downloaded using the -e or --entity argument followed by the CHANNEL_ID. This requires you to know the identifier for the channel you want to extract from, which can be obtained using the --channels argument.

python3 bin/feeder.py --entity CHANNEL_ID

Getting Joined Channel List

There is a technical command implemented which shows which channels have been joined by the registered telephone number. The --channels argument outputs a Python list of CHANNEL_IDs that the telephone number has joined. Whilst there is nothing directly useful in this output on its own, the values can be used with the --entity command to get channel messages.

python3 bin/feeder.py --channels
[Screenshot: Redacted joined channel list]

As you can see from my output example above, I have redacted every single one of the channels. There is no real confidentiality risk in disclosing these identifiers; however, since the purpose of this integration is to monitor certain channels, I don't want to breach my own OPSEC by revealing which account I am using and which channels I have joined.

Getting ALL messages from ALL joined channels

If you need to extract all channel messages on a periodic basis from all of the joined channels, then this command is likely what you are looking for. Be warned: due to the nature of the asynchronous function calls used to download the Telegram messages, this WILL be resource intensive.

python3 bin/feeder.py --getall

The demonstration above was achieved using a live installation of AIL Framework in my home lab which is monitoring in excess of 50 Telegram channels. These channels are not necessarily safe, and nor do I wish to advertise their accessibility any more than is necessary to demonstrate how the feeder operates.
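As an added example (not the feeder's own code), this shows the --getall pattern described above with a cap on how many channel downloads run at once, which is the knob you want when the asynchronous fetches start to consume too many resources. The Telegram client is replaced by a constructed stand-in so it runs offline; its method names (joined_channels, get_messages) are assumptions, not the real client's API.

```python
import asyncio
from typing import Dict, List

# Constructed sample data: channel id -> messages (stand-in for live channels).
FAKE_CHANNELS: Dict[int, List[str]] = {
    1001: ["msg a1", "msg a2", "msg a3"],
    1002: ["msg b1"],
    1003: ["msg c1", "msg c2"],
}


class FakeClient:
    """Stand-in for the Telegram client (assumed interface, not the real one).
    Tracks how many downloads are in flight so the bound can be verified."""

    def __init__(self, channels: Dict[int, List[str]]):
        self.channels = channels
        self.inflight = 0
        self.peak_inflight = 0

    async def joined_channels(self) -> List[int]:
        # Equivalent of the feeder's --channels output.
        return list(self.channels)

    async def get_messages(self, channel_id: int) -> List[str]:
        # Equivalent of --entity CHANNEL_ID; sleep simulates a network round trip.
        self.inflight += 1
        self.peak_inflight = max(self.peak_inflight, self.inflight)
        await asyncio.sleep(0.01)
        self.inflight -= 1
        return list(self.channels[channel_id])


async def get_all(client: FakeClient, max_concurrent: int = 2) -> Dict[int, List[str]]:
    """Download every message from every joined channel, never running more
    than max_concurrent channel downloads at the same time."""
    sem = asyncio.Semaphore(max_concurrent)

    async def fetch(cid: int):
        async with sem:  # blocks until a download slot is free
            return cid, await client.get_messages(cid)

    channels = await client.joined_channels()
    results = await asyncio.gather(*(fetch(c) for c in channels))
    return dict(results)


def run_getall(max_concurrent: int = 2):
    """Run the bounded --getall against the constructed data; returns the
    messages per channel and the peak number of concurrent downloads seen."""
    client = FakeClient(FAKE_CHANNELS)
    messages = asyncio.run(get_all(client, max_concurrent))
    return messages, client.peak_inflight
```

Lowering max_concurrent trades wall-clock time for a smaller memory and connection footprint, which is the practical way to tame the resource usage noted above.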

What next?

In the coming few days I will be writing up integrations with Twitter and Discord monitoring and showing how they integrate with AIL Framework. A more comprehensive overall write-up will also be coming soon to show how AIL integrates with MISP and TheHive, and how its API can enable a lot of very interesting response functions when a leak with specific context is discovered.
