Renamed Microsoft Teams Execution

Detects the execution of a renamed Microsoft Teams binary. The rule compares the OriginalFileName embedded in the executable's PE version resource with the on-disk image name: a process whose OriginalFileName is msteams.exe or teams.exe but whose image path does not end in one of those names is flagged. Because the match relies on OriginalFileName, the rule only fires on process-creation telemetry that carries that field (for example Sysmon Event ID 1); Windows Security 4688 events do not include it.

Sigma rule

title: Renamed Microsoft Teams Execution
id: 88f46b67-14d4-4f45-ac2c-d66984f22191
status: experimental
description: Detects the execution of a renamed Microsoft Teams binary.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-12
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'msteams.exe'
            - 'teams.exe'
    filter_main_legit_names:
        Image|endswith:
            - '\msteams.exe'
            - '\teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
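The following is an added example, not part of the original page and not Sigma's or Nextron's own evaluation code. It re-implements the rule's `selection and not 1 of filter_main_*` logic in Python and runs it over a handful of constructed process-creation events that use Sysmon Event ID 1 field names (`Image`, `OriginalFileName`). It also shows why the filter values start with a backslash: `\teams.exe` matches only a file literally named `teams.exe`, so a binary named `xteams.exe` is still reported.

```python
"""Evaluate the 'Renamed Microsoft Teams Execution' Sigma rule against
constructed process-creation events (illustration only; not Sigma's compiler)."""
from typing import Dict, Iterable, List

# Values from the rule's `selection` and `filter_main_legit_names` blocks.
SELECTION_ORIGINAL_NAMES = {"msteams.exe", "teams.exe"}
FILTER_IMAGE_SUFFIXES = {"\\msteams.exe", "\\teams.exe"}


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies `selection and not 1 of filter_main_*`.

    Sigma string comparisons are case-insensitive by default, so both fields
    are lower-cased before matching. An event without OriginalFileName can
    never satisfy `selection`, mirroring the rule's behaviour on telemetry
    that lacks the field.
    """
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()

    selection = original in SELECTION_ORIGINAL_NAMES
    # `Image|endswith: '\teams.exe'` -> the backslash anchors the match to the
    # full file name, so 'xteams.exe' is not treated as a legitimate name.
    filter_legit_names = any(image.endswith(suffix) for suffix in FILTER_IMAGE_SUFFIXES)

    return selection and not filter_legit_names


def find_renamed_teams(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event the rule would alert on, in input order."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry). Paths are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Legitimate Teams: OriginalFileName and image name agree -> filtered out.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "OriginalFileName": "Teams.exe"},
    # Renamed copy of msteams.exe dropped as update.exe -> alert.
    {"Image": r"C:\Users\alice\Downloads\update.exe",
     "OriginalFileName": "msteams.exe"},
    # Unrelated binary -> selection does not match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    # Teams.exe masquerading as a system process name -> alert.
    {"Image": r"C:\Temp\svchost.exe",
     "OriginalFileName": "Teams.exe"},
    # 'xteams.exe' ends with 'teams.exe' but not '\teams.exe' -> alert.
    {"Image": r"C:\Temp\xteams.exe",
     "OriginalFileName": "teams.exe"},
    # No OriginalFileName field at all (e.g. Security 4688) -> no match.
    {"Image": r"C:\Temp\evil.exe"},
]


if __name__ == "__main__":
    for hit in find_renamed_teams(SAMPLE_EVENTS):
        print(f"ALERT  Image={hit['Image']}  OriginalFileName={hit['OriginalFileName']}")
```

Running the script prints three alerts (the `update.exe`, `svchost.exe` and `xteams.exe` events). The last sample event is the practical caveat: a log source that does not populate OriginalFileName produces no match, so coverage depends on the telemetry, not only on the rule.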
