T1552.008

Chat Messages

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.

Microsoft Sentinel / Defender

kusto

// Detect suspicious access to chat application data and credential search
DeviceFileEvents
| where Timestamp > ago(24h)
// Pattern 1: Access to Slack desktop app local data
| where (
    FolderPath has_any ("Slack\\storage", "Slack\\logs", "slack-store", "Slack\\Cache")
    or FolderPath has_any ("Teams\\LocalDb", "Teams\\Blob_storage",
                           "Microsoft\\Teams\\Local Storage",
                           "Microsoft\\Teams\\databases")
  )
| where ActionType in ("FileRead", "FileAccessed")
| where InitiatingProcessFileName !in~ ("Slack.exe", "Teams.exe", "msedgewebview2.exe",
                                         "chrome.exe", "slack", "teams", "electron")
| extend Platform = case(
    FolderPath has "Slack", "Slack",
    FolderPath has "Teams", "Teams",
    "Unknown"
  )
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
         InitiatingProcessFileName, Platform
| union (
    // Pattern 2: Chat app token/session file access
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FileName has_any ("token", "session", "cookies")
        and FolderPath has_any ("Slack", "Teams", "Discord", "Zoom")
    | where ActionType in ("FileRead", "FileAccessed")
    | where InitiatingProcessFileName !in~ ("Slack.exe", "Teams.exe", "Discord.exe",
                                            "Zoom.exe", "slack", "teams", "discord")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
             InitiatingProcessFileName
)
| union (
    // Pattern 3: Slack/Teams API token usage via curl or PowerShell
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        "slack.com/api", "graph.microsoft.com/v1.0/chats",
        "teams.microsoft.com", "api.slack.com"
      )
    | where ProcessCommandLine has_any ("token", "Bearer", "xoxb", "xoxp", "xoxa")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution Network Traffic: Network Connection Creation

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Backup agents reading chat application local storage as part of user data backup
Enterprise compliance and DLP tools scanning chat application data for sensitive information
IT support tools that access Teams/Slack logs for troubleshooting purposes
Browser extensions or third-party integrations that legitimately access Slack/Teams local storage
Automated testing frameworks that access chat application data during end-to-end testing

Splunk

spl

index=wineventlog OR index=o365 (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="o365:management:activity")
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (
    (TargetFilename="*\\Slack\\storage\\*" OR TargetFilename="*\\Slack\\logs\\*")
    OR
    (TargetFilename="*\\Microsoft\\Teams\\Local Storage\\*" OR TargetFilename="*\\Teams\\Blob_storage\\*")
  )
  NOT (Image IN ("*\\Slack.exe", "*\\Teams.exe", "*\\msedgewebview2.exe", "*\\MicrosoftEdge*"))
| eval Platform=if(match(TargetFilename, "Slack"), "Slack", "Teams")
| eval AlertType="ChatApp_LocalDB_Access"
| table _time, host, User, Image, TargetFilename, Platform, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (CommandLine="*api.slack.com*" AND (CommandLine="*xoxb-*" OR CommandLine="*xoxp-*" OR CommandLine="*token=*"))
    OR
    (CommandLine="*graph.microsoft.com*" AND CommandLine="*chats*" AND CommandLine="*Bearer*")
  )
| eval AlertType="ChatAPI_TokenUse"
| table _time, host, User, Image, CommandLine, AlertType
)
OR
(
  sourcetype="o365:management:activity"
  Workload="MicrosoftTeams"
  Operation IN ("MessageSentEvent", "ChatMessageCreatedEvent")
  UserId!='app@sharepoint'
| eval AlertType="Teams_Message_Audit"
| stats count as MsgCount, values(UserId) as Users by ClientIP, span(_time, 5m)
| where MsgCount >= 50  // Bulk message access/export
| table _time, ClientIP, Users, MsgCount, AlertType
)
| sort - _time

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Office 365 Audit Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational o365:management:activity

False Positives

Backup agents reading chat application local storage
Enterprise compliance/DLP tools scanning chat data
IT support tools accessing Teams/Slack logs
Legitimate third-party integrations accessing local storage
Automated testing frameworks accessing chat data

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("open", "read") and
   (
     file.path like~ "*\\Slack\\storage\\*" or
     file.path like~ "*\\Slack\\logs\\*" or
     file.path like~ "*\\Slack\\Cache\\*" or
     file.path like~ "*\\Microsoft\\Teams\\Local Storage\\*" or
     file.path like~ "*\\Teams\\Blob_storage\\*" or
     file.path like~ "*\\Teams\\LocalDb\\*"
   ) and
   not process.name in~ ("Slack.exe", "Teams.exe", "msedgewebview2.exe", "chrome.exe", "slack", "teams", "electron")]

any where true

| sequence by host.name with maxspan=1m
  [file where event.action in ("open", "read") and
   (file.name like~ "*token*" or file.name like~ "*session*" or file.name like~ "*cookies*") and
   (file.path like~ "*\\Slack\\*" or file.path like~ "*\\Teams\\*" or file.path like~ "*\\Discord\\*") and
   not process.name in~ ("Slack.exe", "Teams.exe", "Discord.exe", "slack", "teams", "discord")]

| any where
  (
    process.command_line like~ "*slack.com/api*" or
    process.command_line like~ "*api.slack.com*" or
    process.command_line like~ "*graph.microsoft.com*chats*"
  ) and
  (
    process.command_line like~ "*xoxb-*" or
    process.command_line like~ "*xoxp-*" or
    process.command_line like~ "*Bearer*" or
    process.command_line like~ "*token=*"
  )

high severity medium confidence

Data Sources

Endpoint agent (Elastic Agent/Auditbeat) Windows file and process telemetry Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Backup or disk imaging tools (e.g. Veeam, Acronis, robocopy scripts) legitimately read chat app directories during system backup jobs
Security products such as EDR agents, DLP tools, or AV scanners that enumerate user profile directories including Slack/Teams storage paths during scheduled scans
IT support scripts using PowerShell or curl to query Teams Graph API with delegated tokens during legitimate helpdesk automation workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "FileName" AS file_name,
  "FilePath" AS file_path,
  "ParentImage" AS parent_process,
  "CommandLine" AS command_line,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352)  -- Sysmon / Windows Security
  AND devicetime > NOW() - 86400000
  AND (
    -- Pattern 1: Slack/Teams local storage file access by non-native process (Sysmon EventID 11)
    (
      qid = 5000011  -- Sysmon File Created / accessed
      AND (
        "TargetFilename" ILIKE '%\Slack\storage\%'
        OR "TargetFilename" ILIKE '%\Slack\logs\%'
        OR "TargetFilename" ILIKE '%\Slack\Cache\%'
        OR "TargetFilename" ILIKE '%\Teams\LocalDb\%'
        OR "TargetFilename" ILIKE '%\Teams\Blob_storage\%'
        OR "TargetFilename" ILIKE '%Microsoft\Teams\Local Storage\%'
      )
      AND "Image" NOT ILIKE '%\Slack.exe'
      AND "Image" NOT ILIKE '%\Teams.exe'
      AND "Image" NOT ILIKE '%\msedgewebview2.exe'
      AND "Image" NOT ILIKE '%\electron.exe'
    )
    OR
    -- Pattern 2: Token/session/cookie file access in chat app directories
    (
      qid = 5000011
      AND (
        "TargetFilename" ILIKE '%token%'
        OR "TargetFilename" ILIKE '%session%'
        OR "TargetFilename" ILIKE '%cookies%'
      )
      AND (
        "TargetFilename" ILIKE '%\Slack\%'
        OR "TargetFilename" ILIKE '%\Teams\%'
        OR "TargetFilename" ILIKE '%\Discord\%'
      )
      AND "Image" NOT ILIKE '%\Slack.exe'
      AND "Image" NOT ILIKE '%\Teams.exe'
      AND "Image" NOT ILIKE '%\Discord.exe'
    )
    OR
    -- Pattern 3: Process launching with chat API token in command line (Sysmon EventID 1)
    (
      qid = 5000001  -- Sysmon Process Create
      AND (
        "CommandLine" ILIKE '%slack.com/api%'
        OR "CommandLine" ILIKE '%api.slack.com%'
        OR "CommandLine" ILIKE '%graph.microsoft.com%chats%'
      )
      AND (
        "CommandLine" ILIKE '%xoxb-%'
        OR "CommandLine" ILIKE '%xoxp-%'
        OR "CommandLine" ILIKE '%Bearer%'
        OR "CommandLine" ILIKE '%token=%'
      )
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

QRadar with Sysmon Windows DSM Windows Security Event log DSM Microsoft Sysmon Universal DSM

Required Tables

events

False Positives

Enterprise search indexing tools (e.g. Elastic Enterprise Search, Microsoft Search) that crawl local user profile directories including chat app storage folders
Automated credential rotation scripts run by IT that legitimately authenticate to Teams Graph API using service principal bearer tokens
Forensic imaging or eDiscovery tools run by legal/compliance teams that access Slack/Teams local databases for legitimate investigation

Sumo Logic CSE

sql

// Pattern 1 & 2: Slack/Teams local storage access + token file access by unauthorized processes
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/sysmon")
| where EventID = "11"
| parse field=Message "TargetFilename: *" as target_filename
| parse field=Message "Image: *" as process_image
| parse field=Message "User: *" as user
| where (
    target_filename matches "*\\Slack\\storage\\*" OR
    target_filename matches "*\\Slack\\logs\\*" OR
    target_filename matches "*\\Slack\\Cache\\*" OR
    target_filename matches "*\\Teams\\LocalDb\\*" OR
    target_filename matches "*\\Teams\\Blob_storage\\*" OR
    target_filename matches "*\\Microsoft\\Teams\\Local Storage\\*" OR
    (
      (target_filename matches "*token*" OR target_filename matches "*session*" OR target_filename matches "*cookies*")
      AND (target_filename matches "*\\Slack\\*" OR target_filename matches "*\\Teams\\*" OR target_filename matches "*\\Discord\\*")
    )
  )
| where !(process_image matches "*\\Slack.exe" OR
           process_image matches "*\\Teams.exe" OR
           process_image matches "*\\msedgewebview2.exe" OR
           process_image matches "*\\electron.exe" OR
           process_image matches "*\\Discord.exe" OR
           process_image matches "*\\chrome.exe")
| eval alert_type = "ChatApp_Storage_Access"
| eval platform = if(target_filename matches "*Slack*", "Slack", if(target_filename matches "*Teams*", "Teams", "Other"))
| fields _sourceHost, user, process_image, target_filename, platform, alert_type

// Pattern 3: Chat API token usage in command line
| union (
  (_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/sysmon")
  | where EventID = "1"
  | parse field=Message "CommandLine: *" as command_line
  | parse field=Message "Image: *" as process_image
  | parse field=Message "User: *" as user
  | where (
      command_line matches "*slack.com/api*" OR
      command_line matches "*api.slack.com*" OR
      (command_line matches "*graph.microsoft.com*" AND command_line matches "*chats*")
    )
  | where (
      command_line matches "*xoxb-*" OR
      command_line matches "*xoxp-*" OR
      command_line matches "*Bearer*" OR
      command_line matches "*token=*"
    )
  | eval alert_type = "ChatAPI_Token_In_CommandLine"
  | fields _sourceHost, user, process_image, command_line, alert_type
)
| sort by _messagetime desc

high severity medium confidence

Data Sources

Sysmon for Windows (forwarded to Sumo Logic) Windows Event Log via Installed Collector Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/sysmon

False Positives

Authorized IT monitoring scripts that use PowerShell with stored service tokens to poll Teams Graph API for compliance reporting or user activity analytics
Third-party chat archival platforms (e.g. Theta Lake, Smarsh) that may access local Slack or Teams cache files as part of their licensed capture agents
Browser-based password managers or sync tools that read cookie/session files from application directories including chat clients as part of their normal operation

Google Chronicle / SecOps

yaral

rule t1552_008_chat_messages_credential_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 Chat Messages - adversaries reading Slack/Teams local storage or using chat API tokens to harvest credentials from corporate messaging platforms"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    // Pattern 1: Non-chat process accessing Slack or Teams local storage
    $file_access.metadata.event_type = "FILE_OPEN"
    $file_access.principal.hostname = $hostname
    (
      re.regex($file_access.target.file.full_path, `(?i)\\Slack\\(storage|logs|Cache)\\`) or
      re.regex($file_access.target.file.full_path, `(?i)\\(Microsoft\\)?Teams\\(Local Storage|Blob_storage|LocalDb)\\`)
    )
    not re.regex($file_access.principal.process.file.full_path, `(?i)(slack|teams|electron|msedgewebview2|chrome)\.exe$`)

  match:
    $hostname over 5m

  condition:
    $file_access
}

rule t1552_008_chat_token_file_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 - unauthorized processes accessing token/session/cookie files within Slack, Teams, or Discord application directories"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    $token_access.metadata.event_type = "FILE_OPEN"
    $token_access.principal.hostname = $hostname
    re.regex($token_access.target.file.full_path, `(?i)\\(Slack|Teams|Discord)\\`)
    re.regex($token_access.target.file.full_path, `(?i)(token|session|cookies)`)
    not re.regex($token_access.principal.process.file.full_path, `(?i)(slack|teams|discord|zoom)\.exe$`)

  match:
    $hostname over 5m

  condition:
    $token_access
}

rule t1552_008_chat_api_token_commandline {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 - command-line execution referencing Slack or Teams API endpoints with embedded authentication tokens (xoxb, xoxp, Bearer)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    (
      re.regex($proc.target.process.command_line, `(?i)(slack\.com/api|api\.slack\.com)`) or
      re.regex($proc.target.process.command_line, `(?i)graph\.microsoft\.com.{0,50}chats`)
    )
    (
      re.regex($proc.target.process.command_line, `xox[bpa]-[A-Za-z0-9\-]+`) or
      re.regex($proc.target.process.command_line, `(?i)Bearer\s+[A-Za-z0-9\._\-]+`) or
      re.regex($proc.target.process.command_line, `(?i)token=[A-Za-z0-9\._\-]+`)
    )

  match:
    $hostname over 5m

  condition:
    $proc
}

high severity medium confidence

Data Sources

Chronicle UDM with endpoint telemetry Windows Defender ATP via Chronicle ingestion Sysmon events ingested to Chronicle

Required Tables

FILE_OPEN UDM events PROCESS_LAUNCH UDM events

False Positives

Cloud sync agents (OneDrive, Dropbox) that traverse user profile directories including Teams/Slack storage paths as part of selective sync or change detection operations
Enterprise MDM or endpoint management tools (Intune, SCCM) that read application data directories during compliance scans or inventory collection
Developer tools or CI/CD pipelines using Slack or Teams webhook/bot tokens in scripts for legitimate notification automation, where tokens are passed as command-line arguments

CrowdStrike LogScale (CQL)

cql

// Pattern 1 & 2: Slack/Teams local storage and token file access by non-chat processes
#event_simpleName = "GenericFileWrite" OR #event_simpleName = "GenericFileRead"
| TargetFileName = /(?i)(\\Slack\\(storage|logs|Cache|slack-store)|\\Microsoft?\\Teams\\(Local Storage|Blob_storage|LocalDb))/
  OR (TargetFileName = /(?i)(token|session|cookies)/ AND TargetFileName = /(?i)\\(Slack|Teams|Discord)\\/)
| ImageFileName != /(?i)(Slack|Teams|msedgewebview2|electron|chrome|Discord|Zoom)\.exe$/
| eval Platform = if(TargetFileName = /(?i)Slack/, "Slack",
    if(TargetFileName = /(?i)Teams/, "Teams",
    if(TargetFileName = /(?i)Discord/, "Discord", "Other")))
| eval AlertType = "ChatApp_Storage_Access"
| groupBy([ComputerName, UserName, ImageFileName, TargetFileName, Platform, AlertType], function=count(1, as=AccessCount))
| sort(AccessCount, order=desc)

// Pattern 3: Chat API token usage in command-line arguments
| union (
  #event_simpleName = "ProcessRollup2"
  | CommandLine = /(?i)(slack\.com\/api|api\.slack\.com|graph\.microsoft\.com.*chats)/
  | CommandLine = /(?i)(xoxb-[A-Za-z0-9\-]+|xoxp-[A-Za-z0-9\-]+|Bearer\s+[A-Za-z0-9\._\-]+|token=[A-Za-z0-9\._\-]+)/
  | eval AlertType = "ChatAPI_Token_CommandLine"
  | groupBy([ComputerName, UserName, FileName, CommandLine, AlertType], function=count(1, as=ExecCount))
  | sort(ExecCount, order=desc)
)

// Enrichment: Correlate offending process with parent context
| join(
  #event_simpleName = "ProcessRollup2"
  | groupBy([TargetProcessId, ComputerName], function=selectLast([ParentBaseFileName, GrandParentBaseFileName]))
  , field=[ComputerName], key=[ComputerName]
)
| table([timestamp, ComputerName, UserName, ImageFileName, TargetFileName, CommandLine, Platform, AlertType, ParentBaseFileName, GrandParentBaseFileName, AccessCount])

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor Falcon for Microsoft Teams (O365) CrowdStrike Humio/LogScale SIEM

Required Tables

#event_simpleName=GenericFileRead #event_simpleName=GenericFileWrite #event_simpleName=ProcessRollup2

False Positives

Falcon's own telemetry collection process may appear to read chat app directories during artifact collection triggered by detections, generating self-referential alerts
Workplace analytics tools (e.g. Microsoft Viva Insights, ActivTrak) that legitimately access Teams metadata or local storage to measure collaboration patterns under an enterprise license
Automated testing frameworks or integration test suites that invoke Slack/Teams APIs with real tokens during CI pipeline execution on developer workstations

Last updated: 2026-04-20 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1552.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In Files T1552.002Credentials in Registry T1552.003Bash History T1552.004Private Keys T1552.005Cloud Instance Metadata API T1552.006Group Policy Preferences T1552.007Container API

Chat Messages

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections