T1552.008 Elastic Security · Elastic

Detect Chat Messages in Elastic Security

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.008 Chat Messages
Canonical reference: https://attack.mitre.org/techniques/T1552/008/

Elastic Detection Query

EQL (the three patterns span file and process events, so they are combined as OR branches of a single `any where` query rather than as a sequence):

any where
  (
    // (1) non-chat process reading Slack or Teams local storage, cache or log directories
    event.category == "file" and event.action in ("open", "read") and
    (
      file.path like~ "*\\Slack\\storage\\*" or
      file.path like~ "*\\Slack\\logs\\*" or
      file.path like~ "*\\Slack\\Cache\\*" or
      file.path like~ "*\\Microsoft\\Teams\\Local Storage\\*" or
      file.path like~ "*\\Teams\\Blob_storage\\*" or
      file.path like~ "*\\Teams\\LocalDb\\*"
    ) and
    not process.name in~ ("Slack.exe", "Teams.exe", "msedgewebview2.exe", "chrome.exe", "slack", "teams", "electron")
  ) or
  (
    // (2) token, session or cookie files under a chat app directory opened by another process
    event.category == "file" and event.action in ("open", "read") and
    (file.name like~ "*token*" or file.name like~ "*session*" or file.name like~ "*cookies*") and
    (file.path like~ "*\\Slack\\*" or file.path like~ "*\\Teams\\*" or file.path like~ "*\\Discord\\*") and
    not process.name in~ ("Slack.exe", "Teams.exe", "Discord.exe", "slack", "teams", "discord")
  ) or
  (
    // (3) command line calling Slack or Microsoft Graph chat APIs with a bearer token or Slack xox* token
    event.category == "process" and
    (
      process.command_line like~ "*slack.com/api*" or
      process.command_line like~ "*api.slack.com*" or
      process.command_line like~ "*graph.microsoft.com*chats*"
    ) and
    (
      process.command_line like~ "*xoxb-*" or
      process.command_line like~ "*xoxp-*" or
      process.command_line like~ "*Bearer*" or
      process.command_line like~ "*token=*"
    )
  )

Severity: high. Confidence: medium.

Detects three patterns of T1552.008 Chat Messages credential theft: (1) non-chat processes reading Slack or Teams local storage/cache directories, (2) unauthorized processes accessing token/session/cookie files from chat application directories, and (3) command-line API calls to Slack or Microsoft Graph chat endpoints using bearer tokens or Slack API token prefixes (xoxb/xoxp). Uses ECS fields across file and process event categories.
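To see how the three branches behave on concrete telemetry, here is an added Python evaluator that is not part of Elastic's rule or its engine: it approximates EQL's `like~` and `in~` with case-insensitive wildcard and list matching, and runs the same conditions over a handful of constructed ECS-style events (a Slack client reading its own storage, PowerShell reading that storage, a script opening a Teams Cookies file, and two curl command lines).

```python
import fnmatch

# Constructed ECS-style sample events (not real telemetry); keys mirror the rule's fields.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.action": "open", "host.name": "ws01", "process.name": "slack.exe",
     "file.path": r"C:\Users\a\AppData\Roaming\Slack\storage\root-state.json", "file.name": "root-state.json"},
    {"event.category": "file", "event.action": "read", "host.name": "ws01", "process.name": "powershell.exe",
     "file.path": r"C:\Users\a\AppData\Roaming\Slack\storage\root-state.json", "file.name": "root-state.json"},
    {"event.category": "file", "event.action": "open", "host.name": "ws01", "process.name": "python.exe",
     "file.path": r"C:\Users\a\AppData\Roaming\Microsoft\Teams\Cookies", "file.name": "Cookies"},
    {"event.category": "process", "host.name": "srv01", "process.name": "curl",
     "process.command_line": "curl -H 'Authorization: Bearer xoxb-PLACEHOLDER' https://api.slack.com/api/conversations.history"},
    {"event.category": "process", "host.name": "srv01", "process.name": "curl",
     "process.command_line": "curl https://example.com/status"},
]

CHAT_CLIENTS = ("Slack.exe", "Teams.exe", "msedgewebview2.exe", "chrome.exe", "slack", "teams", "electron")
STORAGE_PATHS = (r"*\Slack\storage\*", r"*\Slack\logs\*", r"*\Slack\Cache\*",
                 r"*\Microsoft\Teams\Local Storage\*", r"*\Teams\Blob_storage\*", r"*\Teams\LocalDb\*")

def like_ci(value, *patterns):
    """Approximates EQL `like~`: case-insensitive wildcard (* ?) match against any of the patterns."""
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def in_ci(value, *choices):
    """Approximates EQL `in~`: case-insensitive list membership."""
    return value is not None and value.lower() in {c.lower() for c in choices}

def classify(ev):
    """Return which of the rule's three patterns the event matches (1, 2 or 3), or None."""
    if ev.get("event.category") == "file" and ev.get("event.action") in ("open", "read"):
        # (1) non-chat process touching Slack/Teams storage, cache or log directories
        if like_ci(ev.get("file.path"), *STORAGE_PATHS) and not in_ci(ev.get("process.name"), *CHAT_CLIENTS):
            return 1
        # (2) token/session/cookie files under a chat app directory opened by another process
        if (like_ci(ev.get("file.name"), "*token*", "*session*", "*cookies*")
                and like_ci(ev.get("file.path"), r"*\Slack\*", r"*\Teams\*", r"*\Discord\*")
                and not in_ci(ev.get("process.name"), "Slack.exe", "Teams.exe", "Discord.exe", "slack", "teams", "discord")):
            return 2
    if ev.get("event.category") == "process":
        # (3) command line hitting Slack / Graph chat APIs together with a bearer or xox* token
        cl = ev.get("process.command_line")
        if (like_ci(cl, "*slack.com/api*", "*api.slack.com*", "*graph.microsoft.com*chats*")
                and like_ci(cl, "*xoxb-*", "*xoxp-*", "*Bearer*", "*token=*")):
            return 3
    return None

def run_rule(events):
    """Evaluate the rule over a batch of events; return (host.name, pattern) for each hit."""
    return [(ev["host.name"], p) for ev in events if (p := classify(ev)) is not None]
```

Only the PowerShell read, the Cookies access and the tokenised Slack API call fire; the Slack client reading its own storage is excluded by the `in~` process list, which is exactly where the backup and EDR tuning exclusions below would also be added.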

Data Sources

  • Endpoint agent (Elastic Agent/Auditbeat)
  • Windows file and process telemetry
  • Sysmon via Winlogbeat

Required Tables

  • logs-endpoint.events.file-*
  • logs-endpoint.events.process-*
  • logs-windows.sysmon_operational-*

False Positives & Tuning

  • Backup or disk imaging tools (e.g. Veeam, Acronis, robocopy scripts) legitimately read chat app directories during system backup jobs
  • Security products such as EDR agents, DLP tools, or AV scanners that enumerate user profile directories including Slack/Teams storage paths during scheduled scans
  • IT support scripts using PowerShell or curl to query Teams Graph API with delegated tokens during legitimate helpdesk automation workflows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Access Slack Local Storage Database

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.

  2. Test 2: Extract Teams Session Cookies

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.

  3. Test 3: Query Slack API for Messages

    Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.

  4. Test 4: Search Jira/Confluence for Credentials

    Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
