Feeding Analysis Information Leak (AIL) Framework

I have been playing with CIRCL’s AIL Framework recently (which I will be writing about in another blog post), but I have had an interest in monitoring Telegram channels for Threat Intelligence and Data Breach indicators.

AIL has a very capable framework to detect indicators within processed information using a suite of very comprehensive Yara rules – but unless you want to copy and paste Telegram messages into AIL all day, some level of automation is required.

This is where the feeders come into play!

Telegram Feeder

The Telegram AIL Feeder is a Python script that leverages the Telegram API to join, leave, and get messages from a channel. I have made an update to the feeder script that allows the AIL operator to run the feeder.py script with the --getall action set, and then download all messages from all channels.

System Requirements

I opted to deploy the feeder on the same system as AIL Framework, but in a sub-directory specific to AIL Feeder scripts. There is really only one piece of configuration to do for the script itself, but once you execute it for the first time you will need to provide some configuration for the Telegram API connection.

Telegram API Credentials

To configure the feeder to pull chat messages from your Telegram account we need to head over to the Telegram API page (https://my.telegram.org/auth) and log in by providing our registered phone number.

Login to Telegram API Manager

Once we have authenticated to the Telegram API Manager we need to click into ‘API Development Tools’ and then define what our application will be called. The only configuration we need to provide for this is the App Title and Short name. Once submitted we should have an App API ID and App API Hash generated.

Telegram API credentials

Now that you have the API ID and API Hash, these values are added to the etc/conf.cfg file under the TELEGRAM section.

The first time the bin/feeder.py script is executed, the script will check for the presence of a session file (as defined in the configuration file). If that file does not exist the script will prompt for your Telegram registered Telephone number, and then an initial authentication and authorisation will take place.

After this initial authentication / authorisation the session file will be written into the bin/ directory for the Telegram feeder and will be referenced for all future executions.
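
The API ID and hash in etc/conf.cfg and the session file written to bin/ together give access to the monitoring account, so both should be readable by the feeder's user only. The following check is an added example, not part of the feeder project; the function names are hypothetical and the session file name is a placeholder for whatever your configuration defines.

```shell
#!/bin/sh
# Added example, not part of the feeder project: check that the files holding
# Telegram credentials are accessible to their owner only.

# check_secret_file PATH -> 0 if PATH is a regular file owned by the current
# user with no group/other permission bits, 1 otherwise.
check_secret_file() {
    secret=$1
    if [ -L "$secret" ]; then
        echo "SYMLINK  $secret (not followed)"; return 1
    fi
    if [ ! -f "$secret" ]; then
        echo "MISSING  $secret"; return 1
    fi
    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    read -r mode _links uid _rest <<EOF
$(ls -ldn -- "$secret")
EOF
    # characters 5-10 of the mode string are the group and other bits
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "EXPOSED  $secret ($mode), fix with: chmod 600 $secret"; return 1
    fi
    if [ "$uid" != "$(id -u)" ]; then
        echo "OWNER    $secret belongs to uid $uid"; return 1
    fi
    echo "OK       $secret ($mode)"
}

# audit_feeder_secrets FILE... -> exit status is the number of failing files
audit_feeder_secrets() {
    failed=0
    for file_path in "$@"; do
        check_secret_file "$file_path" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage, from the feeder directory (SESSION_FILE is a placeholder):
#   audit_feeder_secrets etc/conf.cfg bin/SESSION_FILE
```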

Channel Management

Joining and leaving channels through the feeder.py script is relatively easy, but it requires you to enter either the technical ID or the Channel Name as an argument to --join.

python3 bin/feeder.py --join CHANNEL_NAME 

Alternatively, since you have authenticated using your Telephone number, the Telegram client registered against that number can join channels as normal, and when the script is re-run the new channel will be added.

Getting Channel Messages

Individual channels can have their chat messages downloaded using the -e or --entity argument followed by the CHANNEL_ID. This requires you to know the identifier for the channel you want to extract from, which can be obtained using the --channels argument.

python3 bin/feeder.py --entity CHANNEL_ID

Getting Joined Channel List

There is a technical command implemented which will show which channels have been joined by the registered Telephone number. The --channels argument will output a Python list of the CHANNEL_IDs that the Telephone number has joined. Whilst there is nothing directly useful within this command, the values can be used with the --entity command to Get Channel Messages.

python3 bin/feeder.py --channels
Redacted joined channel list

As you can see from my above output example, I have redacted every single one of the channels. There is no real confidentiality risk in disclosing these identifiers, however since the purpose for this integration is to monitor certain channels – I don’t want to breach my own OPSEC in what account I am using and what channels I have joined.

Getting ALL messages from ALL joined channels

If you need to extract all Channel messages on a periodic basis from all of the joined channels, then this command is likely what you are looking for. Be warned, due to the nature of the asynchronous function calls to download the Telegram messages, this WILL be resource intensive.

python3 bin/feeder.py --getall
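
Because --getall is resource intensive, a scheduled run should not start while the previous one is still going, and it should not starve AIL on the same host. The wrapper below is an added example, not part of the feeder project; run_getall, FEEDER_DIR, LOCK_DIR and MAX_RUNTIME are hypothetical names, and the one-hour limit is an assumed value.

```shell
#!/bin/sh
# Added example, not part of the feeder project: run --getall from cron with
# an overlap guard, lowered CPU priority and a runtime limit.

FEEDER_DIR=${FEEDER_DIR:-.}                        # assumed: directory holding bin/feeder.py
LOCK_DIR=${LOCK_DIR:-$FEEDER_DIR/.getall.lock}     # hypothetical lock location
MAX_RUNTIME=${MAX_RUNTIME:-3600}                   # assumed limit, in seconds

# run_getall [CMD...] -> exit status of the feeder, or 75 if a run is active.
# CMD defaults to the --getall invocation shown above.
run_getall() {
    [ "$#" -gt 0 ] || set -- python3 bin/feeder.py --getall

    # mkdir is atomic, so only one caller can create the lock directory
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        old_pid=$(cat "$LOCK_DIR/pid" 2>/dev/null)
        if [ -n "$old_pid" ] && kill -0 "$old_pid" 2>/dev/null; then
            echo "getall already running (pid $old_pid), skipping" >&2
            return 75
        fi
        # recorded process is gone: the lock is left over from a killed run
        echo "removing stale lock $LOCK_DIR" >&2
        rm -rf "$LOCK_DIR" && mkdir "$LOCK_DIR" || return 75
    fi
    echo "$$" > "$LOCK_DIR/pid"

    # nice lowers CPU priority; timeout stops a run that hangs on the API
    ( cd "$FEEDER_DIR" && nice -n 10 timeout "$MAX_RUNTIME" "$@" ) && rc=0 || rc=$?

    rm -rf "$LOCK_DIR"
    return "$rc"
}

# Usage from a cron script: set FEEDER_DIR, source this file, call run_getall
```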

The demonstration above was achieved using a live installation of AIL Framework in my home lab which is monitoring in excess of 50 Telegram channels. These channels are not necessarily safe, and nor do I wish to advertise their accessibility any more than is necessary to demonstrate how the feeder operates.

What next?

In the coming few days I will be writing up integrations with Twitter and Discord monitoring and showing how they integrate with AIL Framework. A more comprehensive overall write-up will also be coming soon to show how AIL integrates with MISP and TheHive, and how’s API can enable a lot of very interesting response functions when a leak with specific context is discovered.
