security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
T
frack113 8b749fb126 Order yaml field
2022-10-25 11:08:51 +02:00

28 lines
945 B
YAML
Raw Blame History

title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: experimental
description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
references:
- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
- https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022/09/16
tags:
- attack.credential_access
- attack.t1528
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|contains:
- '\Microsoft\Teams\Cookies'
- '\Microsoft\Teams\Local Storage\leveldb'
filter:
ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink