Suspicious Teams Application Related ObjectAcess Event

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Sigma rule (View on GitHub)

 1title: Suspicious Teams Application Related ObjectAcess Event
 2id: 25cde13e-8e20-4c29-b949-4e795b76f16f
 3status: test
 4description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
 5references:
 6    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 7    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
 8author: '@SerkinValery'
 9date: 2022/09/16
10tags:
11    - attack.credential_access
12    - attack.t1528
13logsource:
14    product: windows
15    service: security
16detection:
17    selection:
18        EventID: 4663
19        ObjectName|contains:
20            - '\Microsoft\Teams\Cookies'
21            - '\Microsoft\Teams\Local Storage\leveldb'
22    filter:
23        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
24    condition: selection and not filter
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top