Common Information
Type | Value |
---|---|
Value | YARA rule `phish_telegram_bot_api` (full text below the table) |
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

```yara
import "vt"

rule phish_telegram_bot_api : testing TA0001 T1566 T1566_001
{
    meta:
        description = "Detects the presence of the Telegram Bot API endpoint often used as egress"
        author = "Maxime THIEBAUT (@0xThiebaut)"
        date = "2021-09-30"
        reference = "https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/"
        tlp = "white"
        status = "testing"
        tactic = "TA0001"
        technique = "T1566.001"
        hash1 = "696f2cf8a36be64c281fd940c3f0081eb86a4a79f41375ba70ca70432c71ca29"

    strings:
        $endpoint = "https://api.telegram.org/bot"
        $command = "/sendMessage"
        $option1 = "chat_id"
        $option2 = "text"
        $option3 = "parse_mode"
        $script = "<script>"

    condition:
        all of them
}
```