Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Teams Application Related ObjectAcess Event

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@serkinvaleryCreated Fri Sep 1625cde13e-8e20-4c29-b949-4e795b76f16fwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4663
        ObjectName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter:
        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
bleepingcomputer.com
2
Resolving title…
vectra.ai
MITRE ATT&CK
Rule Metadata
Rule ID
25cde13e-8e20-4c29-b949-4e795b76f16f
Status
test
Level
high
Type
Detection
Created
Fri Sep 16
Author
@serkinvalery
Path
rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml
Raw Tags
attack.credential-accessattack.t1528
View on GitHub