Suspicious File Event With Teams Objects
Detects access to the authentication tokens and account information stored by the Microsoft Teams desktop application.
Sigma rule
title: Suspicious File Event With Teams Objects
id: 6902955a-01b7-432c-b32a-6f5f81d8f624
status: test
description: Detects access to the authentication tokens and account information stored by the Microsoft Teams desktop application.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022/09/16
tags:
    - attack.credential_access
    - attack.t1528
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter:
        Image|contains: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
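To make the selection/filter/condition logic concrete, the following is an added example (not part of the rule page or the Sigma project) that evaluates the rule above over a handful of constructed Sysmon Event ID 11 records. The `FileEvent` class, the `SAMPLE_EVENTS` list and the paths in it are assumptions made for illustration; the two `TargetFilename` substrings and the `Image` substring are copied from the rule. It also shows two properties of the rule that are easy to miss: Sigma `contains` matching is case-insensitive by default, and the filter is anchored to the classic install path `\Microsoft\Teams\current\Teams.exe`, so a Teams binary copied elsewhere is not exempted.

```python
"""Evaluate 'Suspicious File Event With Teams Objects' over constructed events.

Added example, not code from the rule author or the Sigma project. The event
records are constructed for illustration and mimic the Image / TargetFilename
fields of a Sysmon Event ID 11 (FileCreate) record.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Copied from the rule's detection section.
SELECTION_TARGETFILENAME_CONTAINS = (
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
)
FILTER_IMAGE_CONTAINS = r"\Microsoft\Teams\current\Teams.exe"


@dataclass(frozen=True)
class FileEvent:
    """Minimal view of a file_event record (assumed shape, not a real Sysmon parser)."""
    image: str            # process that created the file (Sysmon: Image)
    target_filename: str  # path of the created file (Sysmon: TargetFilename)


def _contains_any(value: str, needles: Sequence[str]) -> bool:
    # Sigma string matching is case-insensitive by default, so compare lower-cased.
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def selection(ev: FileEvent) -> bool:
    """selection: TargetFilename|contains any of the two Teams paths."""
    return _contains_any(ev.target_filename, SELECTION_TARGETFILENAME_CONTAINS)


def filter_teams(ev: FileEvent) -> bool:
    """filter: Image|contains the classic Teams.exe install path."""
    return _contains_any(ev.image, (FILTER_IMAGE_CONTAINS,))


def matches(ev: FileEvent) -> bool:
    """condition: selection and not filter."""
    return selection(ev) and not filter_teams(ev)


def run(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if matches(ev)]


# Constructed sample records (paths and user name are made up).
TEAMS = r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"
ROAMING = r"C:\Users\alice\AppData\Roaming\Microsoft\Teams"
SAMPLE_EVENTS = [
    # 0: Teams itself writing its cookie store -> filtered out
    FileEvent(TEAMS, ROAMING + r"\Cookies"),
    # 1: Teams itself writing a leveldb log -> filtered out
    FileEvent(TEAMS, ROAMING + r"\Local Storage\leveldb\000003.log"),
    # 2: PowerShell touching the cookie store -> alert
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              ROAMING + r"\Cookies"),
    # 3: a Teams.exe copied outside the 'current' folder -> alert (filter is path-anchored)
    FileEvent(r"C:\Temp\Teams.exe", ROAMING + r"\Local Storage\leveldb\CURRENT"),
    # 4: Chrome writing its own cookie DB -> selection does not match
    FileEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    # 5: same Teams path in lower case from cmd.exe -> alert (case-insensitive match)
    FileEvent(r"C:\Windows\System32\cmd.exe",
              r"c:\users\alice\appdata\roaming\microsoft\teams\cookies"),
]

if __name__ == "__main__":
    for ev in run(SAMPLE_EVENTS):
        print(f"ALERT image={ev.image} target={ev.target_filename}")
```

One caveat when deploying the rule against Sysmon: the Windows `file_event` category corresponds to Event ID 11 (FileCreate), which records file creation and overwrite, not reads. A process that merely opens and copies the Cookies or leveldb files out of these directories produces no matching record, so in practice the rule fires on non-Teams processes writing into those locations; pair it with process-creation or command-line rules if token theft by read-only copying is the concern.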
Related rules
- App Granted Microsoft Permissions
- Application URI Configuration Changes
- Delegated Permissions Granted For All Users
- End User Consent
- End User Consent Blocked