Detectionmediumtest
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Windowsfile_access
ProductWindows← raw: windows
Categoryfile_access← raw: file_access
Definition
Requirements: Microsoft-Windows-Kernel-File ETW provider
Detection Logic
Detection Logic2 selectors
detection:
selection:
FileName|contains:
- '\Microsoft\Teams\Cookies'
- '\Microsoft\Teams\Local Storage\leveldb'
filter_main_legit_location:
# Note: its best to filter the full path to avoid false negatives
Image|endswith: '\Microsoft\Teams\current\Teams.exe'
condition: selection and not 1 of filter_main_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
65744385-8541-44a6-8630-ffc824d7d4cc
Status
test
Level
medium
Type
Detection
Created
Mon Jul 22
Author
Path
rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
Raw Tags
attack.credential-accessattack.t1528