Suspicious Teams Application Related ObjectAcess Event

 1title: Suspicious Teams Application Related ObjectAcess Event
 2id: 25cde13e-8e20-4c29-b949-4e795b76f16f
 3status: test
 4description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
 5references:
 6    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 7    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 8author: '@SerkinValery'
 9date: 2022-09-16
10tags:
11    - attack.credential-access
12    - attack.t1528
13logsource:
14    product: windows
15    service: security
16detection:
17    selection:
18        EventID: 4663
19        ObjectName|contains:
20            - '\Microsoft\Teams\Cookies'
21            - '\Microsoft\Teams\Local Storage\leveldb'
22    filter:
23        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
24    condition: selection and not filter
25falsepositives:
26    - Unknown
27level: high

References

• Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs

  

  Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.

  
  Read More

• https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

  
  Read More

Related rules

• Anomalous Token
• Anonymous IP Address
• App Granted Microsoft Permissions
• Application URI Configuration Changes
• Delegated Permissions Granted For All Users