move and deprecate

fornotes · Jul 22, 2024 · 5be277a · 5be277a
1 parent 3ff2e63
commit 5be277a
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 6 deletions.
diff --git a/deprecated/windows/file_event_win_access_susp_teams.yml b/deprecated/windows/file_event_win_access_susp_teams.yml
@@ -0,0 +1,27 @@
+title: Suspicious File Event With Teams Objects
+id: 6902955a-01b7-432c-b32a-6f5f81d8f624
+status: deprecated
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+references:
+    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+author: '@SerkinValery'
+date: 2022/09/16
+modified: 2024/07/22
+tags:
+    - attack.credential_access
+    - attack.t1528
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - '\Microsoft\Teams\Cookies'
+            - '\Microsoft\Teams\Local Storage\leveldb'
+    filter:
+        Image|contains: '\Microsoft\Teams\current\Teams.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
diff --git a/deprecated/windows/file_event_win_access_susp_unattend_xml.yml b/deprecated/windows/file_event_win_access_susp_unattend_xml.yml
@@ -0,0 +1,24 @@
+title: Suspicious Unattend.xml File Access
+id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
+status: deprecated
+description: |
+    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+    If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
+date: 2021/12/19
+modified: 2024/07/22
+tags:
+    - attack.credential_access
+    - attack.t1552.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: '\unattend.xml'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml b/rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml
@@ -1,14 +1,13 @@
 title: Unattend.XML File Access Attempt
-id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
+id: 76a26006-0942-430b-8249-bd51d448f8e5
 status: experimental
 description: |
     Detects attempts to access the "unattend.xml" file, where credentials might be stored.
     This file is used during the unattended windows install process.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
-date: 2021/12/19
-modified: 2024/07/22
+date: 2024/07/22
 tags:
     - attack.credential_access
     - attack.t1552.001

diff --git a/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml b/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml
@@ -1,14 +1,13 @@
 title: Microsoft Teams Sensitive File Access By Uncommon Application
-id: 6902955a-01b7-432c-b32a-6f5f81d8f624
+id: 65744385-8541-44a6-8630-ffc824d7d4cc
 status: experimental
 description: |
     Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
 references:
     - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
     - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
 author: '@SerkinValery'
-date: 2022/09/16
-modified: 2024/07/22
+date: 2024/07/22
 tags:
     - attack.credential_access
     - attack.t1528