Suspicious Office Token Search Via CLI
Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
Sigma rule (View on GitHub)
1title: Suspicious Office Token Search Via CLI
2id: 6d3a3952-6530-44a3-8554-cf17c116c615
3status: test
4description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
5references:
6 - https://mrd0x.com/stealing-tokens-from-office-applications/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-10-25
9tags:
10 - attack.credential-access
11 - attack.t1528
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains:
18 - 'eyJ0eXAiOi' # {"typ":
19 - ' eyJ0eX'
20 - ' "eyJ0eX"'
21 - " 'eyJ0eX'"
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
Related rules
- Anomalous Token
- Anonymous IP Address
- App Granted Microsoft Permissions
- Application URI Configuration Changes
- Delegated Permissions Granted For All Users