Classic Microsoft Teams kept its authentication tokens in cleartext inside its Electron profile: the Cookies file and the Local Storage\leveldb database. A process other than Teams itself reading those files is a candidate for token theft, because the stolen tokens let an adversary act as the user without knowing the password or completing MFA (MITRE ATT&CK T1528, Steal Application Access Token). SOC teams should hunt for this access pattern in Microsoft Sentinel (formerly Azure Sentinel), treating any non-Teams reader of these paths as suspicious until it is accounted for.
Detection Rule
title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: test
description: |
    Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: it's best to filter the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Microsoft Sentinel query (ASIM imFileEvent schema). The selection matches on the full target path, since the sensitive strings include directory components, and the exclusion must be applied to the acting process (ActingProcessName), not to the target file path: filtering the target path on Teams.exe would never match and would leave every event un-excluded.
imFileEvent
| where (TargetFilePath contains "\\Microsoft\\Teams\\Cookies" or TargetFilePath contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(ActingProcessName endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
False Positive Tuning
Exclusions based on fragments of a process name are the weakest possible tuning: an adversary who can read these files can also name a binary backup.exe or drop it under a look-alike directory. Follow the rule's own comment and exclude on the full Image path, adding the user account, host, or command line where the telemetry provides them, and confirm that the benign access actually happens before adding an exclusion.
Scenario: A system administrator uses PowerShell to clean up temporary files in the Teams directory during a routine maintenance task.
Filter/Exclusion: Do not exclude powershell.exe by name; PowerShell is exactly the tool an attacker would use to copy Cookies or leveldb, and the first occurrence deserves a look. If the cleanup is a sanctioned recurring job, exclude the full path of the specific script or script host, scoped to the service account and hosts it runs from.
Scenario: A Scheduled Task runs to archive old Teams cookies or leveldb files as part of a data retention policy.
Filter/Exclusion: schtasks.exe only registers the task; the file access is performed by the task's action binary. Exclude the full Image path of that binary (and its command line, if logged), not a substring such as "schtasks" or "Archive".
Scenario: A Windows Update process accesses Teams files temporarily during system updates.
Filter/Exclusion: Verify this before tuning for it: update components have no reason to read per-user Teams profile data, and classic Teams updated itself through its own updater rather than Windows Update. Never exclude svchost.exe wholesale, since it hosts dozens of services and is a common masquerade target; if a specific service does touch these paths, scope the exclusion to its full path and service identity.
Scenario: A Third-Party Backup Tool (e.g., Veeam, Commvault) accesses Teams files during a scheduled backup operation.
Filter/Exclusion: Exclude the backup agent by its full installation path (the vendor's program directory plus executable name), optionally with the backup service account, rather than on the substrings "veeam", "commvault", or "backup".
Scenario: A Custom Script or PowerShell Module used by the IT department to monitor or manage Teams data access.
Filter/Exclusion: Name fragments such as "customscript", "monitoring", or "itops" are arbitrary and trivially reused by an attacker. Exclude the exact full path of the approved script host or binary together with the account that runs it, and review the exclusion whenever the script is moved or rewritten.
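The following is an added worked example, not part of the original rule or the Sigma project, that runs the rule's selection and filter logic over a handful of constructed file-access events and shows why both the rule's comment ("filter the full path") and the tuning advice above matter. The events are synthetic; the per-user install path C:\Users\<user>\AppData\Local\Microsoft\Teams\current\Teams.exe used by the full-path filter is an assumption about classic Teams and is marked as such in the code.

```python
import re

# Constructed sample events shaped like the Sigma file_access fields (Image = acting
# process, FileName = target path). Synthetic data, not from any real host.
EVENTS = [
    # 0. Legitimate: classic Teams reading its own leveldb store.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000005.ldb"},
    # 1. Suspicious: PowerShell reading the Teams cookie store.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    # 2. Evasion of the 'endswith' filter: attacker binary dropped under a look-alike path.
    {"Image": r"C:\Users\Public\Microsoft\Teams\current\Teams.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000005.ldb"},
    # 3. Evasion of a name-fragment exclusion: process named to contain 'backup'.
    {"Image": r"C:\Users\alice\Downloads\backup.exe",
     "FileName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    # 4. Unrelated file access; must never be selected.
    {"Image": r"C:\Windows\explorer.exe",
     "FileName": r"C:\Users\alice\Documents\notes.txt"},
]

SENSITIVE_SUBSTRINGS = (r"\Microsoft\Teams\Cookies", r"\Microsoft\Teams\Local Storage\leveldb")


def selected(event):
    """Sigma 'selection': FileName|contains any sensitive Teams path (Sigma matching is case-insensitive)."""
    name = event["FileName"].lower()
    return any(s.lower() in name for s in SENSITIVE_SUBSTRINGS)


def filter_endswith(event):
    """The rule's filter as written: Image|endswith '\\Microsoft\\Teams\\current\\Teams.exe'."""
    return event["Image"].lower().endswith(r"\microsoft\teams\current\teams.exe")


# Assumption: classic Teams installs per user under %LOCALAPPDATA%\Microsoft\Teams\current\.
# Anchoring the whole path, with the user name as the only variable segment, is the
# "filter the full path" advice from the rule's own comment.
FULL_PATH_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\teams\\current\\teams\.exe$",
    re.IGNORECASE,
)


def filter_fullpath(event):
    return FULL_PATH_RE.match(event["Image"]) is not None


def filter_name_contains(event, needle="backup"):
    """The kind of loose exclusion to avoid: any image whose file name contains a word."""
    basename = event["Image"].rsplit("\\", 1)[-1].lower()
    return needle in basename


def run_rule(events, filters):
    """condition: selection and not 1 of filter_main_*  ->  indices of alerting events."""
    return [i for i, e in enumerate(events) if selected(e) and not any(f(e) for f in filters)]


if __name__ == "__main__":
    # The look-alike path (event 2) slips past 'endswith' but not the anchored full path;
    # the 'backup' name exclusion silently drops event 3.
    print("endswith filter            :", run_rule(EVENTS, [filter_endswith]))
    print("full-path filter           :", run_rule(EVENTS, [filter_fullpath]))
    print("full-path + 'backup' name  :", run_rule(EVENTS, [filter_fullpath, filter_name_contains]))
```

The endswith filter alerts only on events 1 and 3, letting the look-alike Teams.exe in event 2 through, which is the false negative the rule's comment warns about; the anchored full-path filter alerts on 1, 2 and 3. Adding a name-fragment exclusion for "backup" then hides event 3, which is why the tuning advice above insists on full paths and account scoping rather than substrings.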