Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft Teams files (the Cookies database and the Local Storage\leveldb store, which the referenced research showed hold cleartext authentication tokens) by any process other than Teams.exe itself.
Sigma rule

```yaml
title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: experimental
description: |
    Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: it's best to filter the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
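As an added example (not part of the rule or of the Sigma project's tooling), the detection logic above rendered as a small stand-alone Python evaluator and run over constructed Kernel-File style file_access events. Field names follow the rule (`FileName`, `Image`); the sample events, the `evaluate`/`matches_strict` helpers and the `allowed_images` allow-list are assumptions for illustration. It also shows the false negative the rule's own comment warns about: because the filter uses `endswith`, a binary dropped anywhere under a directory ending in `\Microsoft\Teams\current\Teams.exe` is suppressed, whereas allow-listing the full image path is not.

```python
# Added example: minimal evaluator for the Sigma rule above, run over
# constructed file_access events. Not pySigma or Sigma project code; the
# events and helper names are made up for illustration.

SENSITIVE_PATH_FRAGMENTS = (
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
)
LEGIT_IMAGE_SUFFIX = r"\Microsoft\Teams\current\Teams.exe"


def selection(event):
    """Sigma 'selection': FileName|contains any listed fragment.
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased."""
    name = event.get("FileName", "").lower()
    return any(frag.lower() in name for frag in SENSITIVE_PATH_FRAGMENTS)


def filter_main_legit_location(event):
    """Sigma 'filter_main_legit_location': Image|endswith the Teams.exe path."""
    return event.get("Image", "").lower().endswith(LEGIT_IMAGE_SUFFIX.lower())


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_location(event)


def evaluate(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches(e)]


def matches_strict(event, allowed_images):
    """Variant following the rule comment's advice: allow-list the full
    Image path (assumed per-host install location) instead of a suffix,
    so a same-named binary in another directory is still reported."""
    allowed = {p.lower() for p in allowed_images}
    return selection(event) and event.get("Image", "").lower() not in allowed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate Teams process reading its own cookie store: filtered out.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    # PowerShell reading the leveldb store: alert.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log"},
    # Unknown binary reading the cookie store: alert.
    {"Image": r"C:\Users\alice\Downloads\dump.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    # Attacker binary placed under a directory whose path also ends with the
    # filtered suffix: the endswith filter suppresses it (false negative).
    {"Image": r"C:\Users\alice\Downloads\Microsoft\Teams\current\Teams.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    # Unrelated file access: not selected at all.
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "FileName": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["FileName"])
    # Full-path allow-list (assumed install path for this host) catches the
    # look-alike binary that the suffix filter let through.
    allowed = [SAMPLE_EVENTS[0]["Image"]]
    for e in SAMPLE_EVENTS:
        if matches_strict(e, allowed) and not matches(e):
            print("MISSED BY SUFFIX FILTER", e["Image"])
```

Run as-is, the script reports two alerts (powershell.exe and dump.exe) and one event that only the full-path variant catches. In a real deployment the allow-list would come from the known per-user Teams install location rather than a hard-coded path.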