Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1528-steal-application-access-token

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects suspicious access to Microsoft Teams storage locations that may indicate credential or token theft attempts.

Strategy

This rule monitors Windows event logs for object access events related to sensitive Microsoft Teams storage locations. It specifically looks for Windows Event ID 4663 (An attempt was made to access an object) where the ObjectName contains either Teams local storage level database files or Microsoft Teams Cookies. These locations store authentication tokens, session data, and other sensitive information that is valuable to attackers. Unauthorized access to these files could indicate an attempt to steal Microsoft Teams access tokens, which can be used to impersonate users, access sensitive communications, or pivot to other Microsoft 365 services.

Triage & Response

• Examine the complete object access event on {{host}} to determine which specific Teams-related files were accessed.
• Determine if the access was made by legitimate Teams processes or by unexpected applications.
• Inspect process creation events around the time of suspicious access to identify potential malware execution.
• Check for evidence of data exfiltration from the system following the suspicious access.
• Revoke and reissue all active Microsoft 365 tokens for the compromised account.