Suspicious File Event With Teams Objects
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Sigma rule (View on GitHub)
1title: Suspicious File Event With Teams Objects
2id: 6902955a-01b7-432c-b32a-6f5f81d8f624
3status: test
4description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
5references:
6 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
7 - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
8author: '@SerkinValery'
9date: 2022/09/16
10tags:
11 - attack.credential_access
12 - attack.t1528
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 TargetFilename|contains:
19 - '\Microsoft\Teams\Cookies'
20 - '\Microsoft\Teams\Local Storage\leveldb'
21 filter:
22 Image|contains: '\Microsoft\Teams\current\Teams.exe'
23 condition: selection and not filter
24falsepositives:
25 - Unknown
26level: high
References
-
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.
Read More -
In August 2022, the Vectra Protect team identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access.
Read More
Related rules
- App Granted Microsoft Permissions
- Application URI Configuration Changes
- Delegated Permissions Granted For All Users
- End User Consent
- End User Consent Blocked