T1552.008 Google Chronicle · YARA-L

Detect Chat Messages in Google Chronicle

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.008 Chat Messages
Canonical reference
https://attack.mitre.org/techniques/T1552/008/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1552_008_chat_messages_credential_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 Chat Messages - adversaries reading Slack/Teams local storage or using chat API tokens to harvest credentials from corporate messaging platforms"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    // Pattern 1: Non-chat process accessing Slack or Teams local storage
    $file_access.metadata.event_type = "FILE_OPEN"
    $file_access.principal.hostname = $hostname
    (
      re.regex($file_access.target.file.full_path, `(?i)\\Slack\\(storage|logs|Cache)\\`) or
      re.regex($file_access.target.file.full_path, `(?i)\\(Microsoft\\)?Teams\\(Local Storage|Blob_storage|LocalDb)\\`)
    )
    not re.regex($file_access.principal.process.file.full_path, `(?i)(slack|teams|electron|msedgewebview2|chrome)\.exe$`)

  match:
    $hostname over 5m

  condition:
    $file_access
}

rule t1552_008_chat_token_file_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 - unauthorized processes accessing token/session/cookie files within Slack, Teams, or Discord application directories"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    $token_access.metadata.event_type = "FILE_OPEN"
    $token_access.principal.hostname = $hostname
    re.regex($token_access.target.file.full_path, `(?i)\\(Slack|Teams|Discord)\\`)
    re.regex($token_access.target.file.full_path, `(?i)(token|session|cookies)`)
    not re.regex($token_access.principal.process.file.full_path, `(?i)(slack|teams|discord|zoom)\.exe$`)

  match:
    $hostname over 5m

  condition:
    $token_access
}

rule t1552_008_chat_api_token_commandline {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.008 - command-line execution referencing Slack or Teams API endpoints with embedded authentication tokens (xoxb, xoxp, Bearer)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.008"
    reference = "https://attack.mitre.org/techniques/T1552/008/"
    version = "1.0"
    created = "2026-04-20"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $hostname
    (
      re.regex($proc.target.process.command_line, `(?i)(slack\.com/api|api\.slack\.com)`) or
      re.regex($proc.target.process.command_line, `(?i)graph\.microsoft\.com.{0,50}chats`)
    )
    (
      re.regex($proc.target.process.command_line, `xox[bpa]-[A-Za-z0-9\-]+`) or
      re.regex($proc.target.process.command_line, `(?i)Bearer\s+[A-Za-z0-9\._\-]+`) or
      re.regex($proc.target.process.command_line, `(?i)token=[A-Za-z0-9\._\-]+`)
    )

  match:
    $hostname over 5m

  condition:
    $proc
}
Severity: High · Confidence: Medium

The three Chronicle YARA-L 2.0 rules above detect T1552.008 Chat Messages credential theft, each grouping matches per hostname over a 5-minute window. Rule 1 detects file open events where a non-chat process reads from Slack or Teams local storage, log, cache, or database directories. Rule 2 detects unauthorized process access to token/session/cookie files within Slack, Teams, or Discord directories. Rule 3 detects process launches whose command-line arguments reference Slack or Teams API endpoints alongside embedded authentication token strings (xoxb/xoxp OAuth tokens or Bearer tokens).

Data Sources

  • Chronicle UDM with endpoint telemetry
  • Windows Defender ATP via Chronicle ingestion
  • Sysmon events ingested to Chronicle

Required Tables

  • FILE_OPEN UDM events
  • PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Cloud sync agents (OneDrive, Dropbox) that traverse user profile directories including Teams/Slack storage paths as part of selective sync or change detection operations
  • Enterprise MDM or endpoint management tools (Intune, SCCM) that read application data directories during compliance scans or inventory collection
  • Developer tools or CI/CD pipelines using Slack or Teams webhook/bot tokens in scripts for legitimate notification automation, where tokens are passed as command-line arguments
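To show how the three rules above behave on concrete telemetry, and how the tuning points just listed translate into suppression logic, here is an added offline simulation in Python. It is not code from the page or from Argus Detection Engineering: the rule regexes are transcribed from the YARA-L rules, the events are constructed UDM-style records with placeholder tokens, and the allowlisted agent names (OneDrive.exe, Dropbox.exe) and the CI host name are assumed values for illustration.

```python
"""Offline simulation of the three YARA-L rules on this page against constructed
UDM-style events, plus a tuning allowlist for the false positives listed above.
Added example, not code from the page or from Argus Detection Engineering."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regexes transcribed from the YARA-L rules. Python's re and RE2 agree on these
# constructs; scoped (?i:...) groups are used where one pattern mixes case rules.
CHAT_STORAGE = re.compile(
    r"(?i)\\Slack\\(storage|logs|Cache)\\|\\(Microsoft\\)?Teams\\(Local Storage|Blob_storage|LocalDb)\\")
CHAT_PROCESS = re.compile(r"(?i)(slack|teams|electron|msedgewebview2|chrome)\.exe$")
CHAT_APP_DIR = re.compile(r"(?i)\\(Slack|Teams|Discord)\\")
TOKEN_FILE = re.compile(r"(?i)(token|session|cookies)")
TOKEN_PROCESS = re.compile(r"(?i)(slack|teams|discord|zoom)\.exe$")
CHAT_API = re.compile(r"(?i)slack\.com/api|api\.slack\.com|graph\.microsoft\.com.{0,50}chats")
TOKEN_ARG = re.compile(
    r"xox[bpa]-[A-Za-z0-9\-]+|(?i:Bearer\s+[A-Za-z0-9._\-]+)|(?i:token=[A-Za-z0-9._\-]+)")


def rule_chat_storage_access(ev):
    """Rule 1: a process other than the chat clients opens Slack/Teams local storage."""
    return (ev["event_type"] == "FILE_OPEN"
            and CHAT_STORAGE.search(ev["target_path"]) is not None
            and CHAT_PROCESS.search(ev["process_path"]) is None)


def rule_chat_token_file_access(ev):
    """Rule 2: a non-chat process opens a token/session/cookie file under a chat app dir."""
    return (ev["event_type"] == "FILE_OPEN"
            and CHAT_APP_DIR.search(ev["target_path"]) is not None
            and TOKEN_FILE.search(ev["target_path"]) is not None
            and TOKEN_PROCESS.search(ev["process_path"]) is None)


def rule_chat_api_token_commandline(ev):
    """Rule 3: a process launch whose command line names a chat API and carries a token."""
    cmd = ev.get("command_line", "")
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and CHAT_API.search(cmd) is not None
            and TOKEN_ARG.search(cmd) is not None)


RULES = {
    "t1552_008_chat_messages_credential_theft": rule_chat_storage_access,
    "t1552_008_chat_token_file_access": rule_chat_token_file_access,
    "t1552_008_chat_api_token_commandline": rule_chat_api_token_commandline,
}

# Tuning for the false positives listed above. The agent names and the CI host are
# assumed placeholders; take the real values from your own fleet's telemetry.
SYNC_AGENT = re.compile(r"(?i)\\(OneDrive|Dropbox)\.exe$")
CI_NOTIFIER_HOSTS = {"CI01"}


def tuning_allowlist(ev):
    """True when an event matches a known-benign pattern and should be suppressed."""
    if ev["event_type"] == "FILE_OPEN" and SYNC_AGENT.search(ev.get("process_path", "")):
        return True  # cloud sync client traversing profile directories
    if ev["event_type"] == "PROCESS_LAUNCH" and ev["hostname"] in CI_NOTIFIER_HOSTS:
        return True  # build host permitted to call chat APIs with a bot token
    return False


def evaluate(events, allowlist=None, window=timedelta(minutes=5)):
    """Run every rule and group hits by hostname into fixed windows, mirroring
    `match: $hostname over 5m`. Returns {(rule, hostname, window_index): hits}."""
    secs = window.total_seconds()
    hits = defaultdict(int)
    for ev in events:
        if allowlist is not None and allowlist(ev):
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits[(name, ev["hostname"], int(ev["ts"].timestamp() // secs))] += 1
    return dict(hits)


# Constructed sample events (not real telemetry); tokens are obvious placeholders.
T0 = datetime(2026, 4, 20, 10, 0, tzinfo=timezone.utc)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": T0, "hostname": "WS01", "event_type": "FILE_OPEN", "process_path": PS,
     "target_path": r"C:\Users\alice\AppData\Roaming\Slack\storage\root-state.json"},
    {"ts": T0 + timedelta(minutes=1), "hostname": "WS01", "event_type": "FILE_OPEN",
     "process_path": r"C:\Users\alice\AppData\Local\slack\slack.exe",
     "target_path": r"C:\Users\alice\AppData\Roaming\Slack\storage\root-state.json"},
    {"ts": T0, "hostname": "WS02", "event_type": "FILE_OPEN",
     "process_path": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000003.log"},
    {"ts": T0, "hostname": "WS03", "event_type": "FILE_OPEN", "process_path": PS,
     "target_path": r"C:\Users\carol\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"ts": T0, "hostname": "SRV01", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/curl",
     "command_line": 'curl -H "Authorization: Bearer xoxb-0000000000-PLACEHOLDER" https://slack.com/api/conversations.list'},
    {"ts": T0, "hostname": "SRV01", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/curl",
     "command_line": "curl https://slack.com/api/api.test"},
    {"ts": T0, "hostname": "CI01", "event_type": "PROCESS_LAUNCH", "process_path": "/usr/bin/python3",
     "command_line": "python3 notify.py --token=xoxb-1111111111-PLACEHOLDER https://slack.com/api/chat.postMessage"},
]

if __name__ == "__main__":
    for label, allow in (("untuned", None), ("tuned", tuning_allowlist)):
        print(label)
        for (rule, host, _), n in sorted(evaluate(SAMPLE_EVENTS, allow).items()):
            print(f"  {rule} host={host} hits={n}")
```

Untuned, five detections fire (WS01 and WS02 on Rule 1, WS03 on Rule 2, SRV01 and CI01 on Rule 3); with the allowlist the OneDrive traversal on WS02 and the CI notifier on CI01 drop out while the PowerShell reads and the ad hoc curl call remain. In Chronicle the same suppression is expressed by adding further `not re.regex(...)` lines to each rule's `events` section rather than as a separate predicate. Note also that Test 4 in the testing methodology below (curl to atlassian.net with a Bearer token) would not match Rule 3 as written, because its endpoint regex covers only the Slack API hosts and the Microsoft Graph chats endpoint.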

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Access Slack Local Storage Database

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.

  2. Test 2: Extract Teams Session Cookies

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.

  3. Test 3: Query Slack API for Messages

    Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.

  4. Test 4: Search Jira/Confluence for Credentials

    Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
