Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a command line containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged-in accounts.
Sigma rule

```yaml
title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
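To see how the `selection` / `filter_main_*` logic above plays out on real telemetry, here is an added example (not pySigma, not a SIEM backend, and not part of the rule) that re-implements the rule's matching over a few constructed process_creation events; the sample image paths and command lines are made up for illustration.

```python
# Added example: a small re-implementation of the rule's matching logic
# (not pySigma or any SIEM backend) run over constructed process_creation
# events. Sigma string matching is case-insensitive by default.

# CommandLine|contains values from the rule's `selection` block.
SELECTION_SUBSTRINGS = (
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
)

# Image|endswith value from the rule's `filter_main_legit_locations` block.
FILTER_IMAGE_SUFFIX = r"\Microsoft\Teams\current\Teams.exe"


def matches_rule(event: dict) -> bool:
    """True when `selection and not 1 of filter_main_*` holds for the event."""
    cmdline = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    selection = any(s.lower() in cmdline for s in SELECTION_SUBSTRINGS)
    filter_main_legit_locations = image.endswith(FILTER_IMAGE_SUFFIX.lower())
    return selection and not filter_main_legit_locations


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # Teams itself opening its own leveldb store: excluded by the filter.
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "CommandLine": r"Teams.exe --db=C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb",
    },
    {   # A different process referencing the Cookies file: should alert.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c type "%APPDATA%\Microsoft\Teams\Cookies"',
    },
    {   # Teams binary outside its install path: the filter does not apply, so it alerts.
        "Image": r"C:\Users\alice\Downloads\Teams.exe",
        "CommandLine": r"Teams.exe --db=C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb",
    },
    {   # Unrelated command line: no selection match.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents",
    },
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]
```

The third event shows why the filter is keyed on the full install path: a Teams binary running from anywhere else still produces an alert, which is the intended trade-off given the `Unknown` false-positive note.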
Related rules
- Potentially Suspicious JWT Token Search Via CLI
- Anomalous Token
- Anonymous IP Address
- App Granted Microsoft Permissions
- Application URI Configuration Changes