Adversaries may access authentication tokens and account data belonging to the Microsoft Teams desktop application to escalate privileges or maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or lateral movement attempts.
Detection Rule
title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: test
description: Detects access to the authentication tokens and account data of the Microsoft Teams desktop application.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter:
        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
// Azure Sentinel (ASIM) equivalent. The rule matches file paths in 4663 object-access events,
// so the ASIM file-event parser (imFileEvent / TargetFilePath) applies rather than the registry parser.
imFileEvent
| where (TargetFilePath contains "\\Microsoft\\Teams\\Cookies" or TargetFilePath contains "\\Microsoft\\Teams\\Local Storage\\leveldb")
    and not (ActingProcessName contains "\\Microsoft\\Teams\\current\\Teams.exe")
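As an added example (not the rule author's code and not from the original page), the Python below applies the rule's selection, filter and condition to a few constructed 4663 records. Field names assume the Windows Security log's EventID, ObjectName and ProcessName; the sample events are constructed, and the matching is case-insensitive because Sigma string modifiers are case-insensitive by default.

```python
"""Added example: evaluate the Teams token-access Sigma rule over constructed 4663 events."""

# Constructed sample events (not real telemetry); fields follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
     "ProcessName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4663, "ObjectName": r"c:\users\bob\appdata\roaming\microsoft\teams\cookies",
     "ProcessName": r"C:\Temp\unknown.exe"},
    {"EventID": 4656, "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies",
     "ProcessName": r"C:\Temp\unknown.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Windows\notepad.exe"},
]

# Values taken from the rule's ObjectName|contains and ProcessName|contains lists.
OBJECT_PATTERNS = (r"\Microsoft\Teams\Cookies", r"\Microsoft\Teams\Local Storage\leveldb")
TEAMS_PROCESS = r"\Microsoft\Teams\current\Teams.exe"


def _contains(value, needle):
    # Sigma 'contains' is case-insensitive unless the |cased modifier is used.
    return needle.lower() in (value or "").lower()


def selection(event):
    # selection: EventID 4663 and ObjectName contains one of the Teams token paths
    return event.get("EventID") == 4663 and any(
        _contains(event.get("ObjectName"), p) for p in OBJECT_PATTERNS)


def teams_filter(event):
    # filter: the accessing process is Teams.exe itself
    return _contains(event.get("ProcessName"), TEAMS_PROCESS)


def matches(event):
    # condition: selection and not filter
    return selection(event) and not teams_filter(event)


def hunt(events):
    """Return the events that trigger the rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"ALERT EventID={e['EventID']} process={e['ProcessName']} object={e['ObjectName']}")
```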
Scenario: Scheduled Job for Teams Backup
Description: A scheduled job runs nightly to back up user data, including Teams application settings and authentication tokens.
Filter/Exclusion: Exclude events where the source process is a known backup tool (e.g., Veeam Backup & Replication, Acronis True Image) or where the event occurs during a predefined backup window.
Scenario: Admin Task to Reset Teams User Accounts
Description: An administrator resets a user’s Microsoft Teams account, which may trigger access to authentication tokens during the reset process.
Filter/Exclusion: Exclude events where the user is a domain admin or where the event is initiated by a known admin tool (e.g., Azure AD PowerShell, Microsoft 365 Admin Center).
Scenario: Teams Application Update via Group Policy
Description: A Group Policy update is deployed to push a new version of the Microsoft Teams application, which may involve accessing authentication tokens during the update process.
Filter/Exclusion: Exclude events where the source process is gpupdate.exe or where the event occurs during a known patching window.
Scenario: User Access to Teams Settings via Remote Desktop
Description: A user accesses the Microsoft Teams application remotely via Remote Desktop, which may generate access events to authentication tokens.
Filter/Exclusion: Exclude events where the source IP is part of the internal network or where the user is authenticated via a trusted remote access tool (e.g., Cisco AnyConnect, Microsoft Azure AD Connect).
Scenario: Teams Integration with Third-Party SaaS Tools
Description: A legitimate integration between Microsoft Teams and a third-party SaaS application (e.g., Zoom, Slack) may require access to authentication tokens for API communication.
Filter/Exclusion: Exclude events where the source process