Detect Chat Messages in CrowdStrike LogScale
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.008 Chat Messages
- Canonical reference: https://attack.mitre.org/techniques/T1552/008/
LogScale Detection Query
// T1552.008 Chat Messages: chat application storage access and chat API token use
(#event_simpleName=GenericFileRead OR #event_simpleName=GenericFileWrite OR #event_simpleName=ProcessRollup2)
| case {
    // Pattern 1 & 2: Slack/Teams/Discord local storage and token file access by non-chat processes
    (#event_simpleName=GenericFileRead OR #event_simpleName=GenericFileWrite)
    | (TargetFileName=/(?i)(\\Slack\\(storage|logs|Cache|slack-store)|\\Microsoft\\Teams\\(Local Storage|Blob_storage|LocalDb))/
       OR (TargetFileName=/(?i)(token|session|cookies)/ AND TargetFileName=/(?i)\\(Slack|Teams|Discord)\\/))
    // Exclude the chat clients themselves (anchored on the path separator so e.g. "NotSlack.exe" is not excluded)
    | ImageFileName!=/(?i)\\(Slack|Teams|ms-teams|msedgewebview2|electron|chrome|Discord|Zoom)\.exe$/
    | case {
        TargetFileName=/(?i)Slack/   | Platform := "Slack";
        TargetFileName=/(?i)Teams/   | Platform := "Teams";
        TargetFileName=/(?i)Discord/ | Platform := "Discord";
        *                            | Platform := "Other";
      }
    | AlertType := "ChatApp_Storage_Access";
    // Pattern 3: chat API token usage in command-line arguments
    #event_simpleName=ProcessRollup2
    | CommandLine=/(?i)(slack\.com\/api|api\.slack\.com|graph\.microsoft\.com.*chats)/
    | CommandLine=/(?i)(xoxb-[A-Za-z0-9\-]+|xoxp-[A-Za-z0-9\-]+|Bearer\s+[A-Za-z0-9._\-]+|token=[A-Za-z0-9._\-]+)/
    | AlertType := "ChatAPI_Token_CommandLine";
  }
// Keep only events that matched one of the patterns
| AlertType=*
// Enrichment: resolve the file event's ContextProcessId to its ProcessRollup2 record for parent context
// (ProcessRollup2 events already carry ParentBaseFileName, so a left join keeps them unchanged)
| join({#event_simpleName=ProcessRollup2
        | groupBy([ComputerName, TargetProcessId], function=selectLast([ParentBaseFileName, GrandParentBaseFileName]))},
       field=[ComputerName, ContextProcessId], key=[ComputerName, TargetProcessId],
       include=[ParentBaseFileName, GrandParentBaseFileName], mode=left)
// Fill fields that only one event type carries so both alert types survive the groupBy
| default(field=[ImageFileName, FileName, TargetFileName, CommandLine, Platform, ParentBaseFileName, GrandParentBaseFileName], value="-")
| groupBy([ComputerName, UserName, ImageFileName, FileName, TargetFileName, CommandLine, Platform, AlertType, ParentBaseFileName, GrandParentBaseFileName],
          function=[count(as=EventCount), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(EventCount, order=desc)
| table([FirstSeen, LastSeen, ComputerName, UserName, ImageFileName, FileName, TargetFileName, CommandLine, Platform, AlertType, ParentBaseFileName, GrandParentBaseFileName, EventCount])

CrowdStrike LogScale (CQL) detection for T1552.008 Chat Messages using Falcon endpoint telemetry. Patterns 1 and 2 use GenericFileRead/GenericFileWrite events to detect non-chat processes accessing Slack local storage, Teams blob storage/LocalDb, or token/session/cookie files within chat application directories. Pattern 3 uses ProcessRollup2 events to detect command-line execution referencing Slack or Teams APIs with embedded OAuth tokens (xoxb/xoxp prefix) or Bearer auth strings. Results are enriched with parent and grandparent process context for triage.
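To sanity-check the regexes and the parent-process join offline before shipping the query, the following added Python example mirrors the three patterns and runs them over a handful of constructed Falcon-style events. It is example code written for this page, not the page's query or CrowdStrike code: the event dicts, host names, paths and the token value are constructed, and the process_allowlist parameter is a hypothetical tuning hook for approved tools that are allowed to read chat storage.

```python
import re
from collections import Counter

# Regexes mirror the LogScale query above: case-insensitive and unanchored, as CQL `field=/re/` is.
CHAT_STORAGE_RE = re.compile(
    r"(\\Slack\\(storage|logs|Cache|slack-store)|\\Microsoft\\Teams\\(Local Storage|Blob_storage|LocalDb))",
    re.IGNORECASE)
SECRET_FILE_RE = re.compile(r"(token|session|cookies)", re.IGNORECASE)
CHAT_DIR_RE = re.compile(r"\\(Slack|Teams|Discord)\\", re.IGNORECASE)
CHAT_PROCESS_RE = re.compile(
    r"\\(Slack|Teams|ms-teams|msedgewebview2|electron|chrome|Discord|Zoom)\.exe$", re.IGNORECASE)
CHAT_API_RE = re.compile(r"(slack\.com/api|api\.slack\.com|graph\.microsoft\.com.*chats)", re.IGNORECASE)
TOKEN_RE = re.compile(
    r"(xoxb-[A-Za-z0-9\-]+|xoxp-[A-Za-z0-9\-]+|Bearer\s+[A-Za-z0-9._\-]+|token=[A-Za-z0-9._\-]+)",
    re.IGNORECASE)
# Keeps the recognisable prefix and masks the secret, so an alert never re-leaks the token it flagged.
REDACT_RE = re.compile(r"(xoxb-|xoxp-|Bearer\s+|token=)([A-Za-z0-9._\-]+)", re.IGNORECASE)


def platform_for(path):
    """Same precedence as the nested case in the query: Slack, then Teams, then Discord."""
    for name in ("Slack", "Teams", "Discord"):
        if re.search(name, path, re.IGNORECASE):
            return name
    return "Other"


def redact(command_line):
    return REDACT_RE.sub(r"\1[REDACTED]", command_line)


def detect(events, process_allowlist=()):
    """Apply the three patterns to Falcon-style event dicts and return alert dicts.

    process_allowlist (hypothetical tuning hook) holds full ImageFileName paths of approved
    tools, e.g. an enterprise analytics agent, that may read chat storage without alerting.
    """
    allow = {p.lower() for p in process_allowlist}
    # Lookup the query builds with join(): (ComputerName, TargetProcessId) -> parent context.
    parents = {}
    for e in events:
        if e.get("event_simpleName") == "ProcessRollup2":
            parents[(e["ComputerName"], e["TargetProcessId"])] = (
                e.get("ParentBaseFileName"), e.get("GrandParentBaseFileName"))
    alerts = []
    for e in events:
        kind = e.get("event_simpleName")
        if kind in ("GenericFileRead", "GenericFileWrite"):
            path, image = e.get("TargetFileName", ""), e.get("ImageFileName", "")
            in_scope = CHAT_STORAGE_RE.search(path) or (
                SECRET_FILE_RE.search(path) and CHAT_DIR_RE.search(path))
            if not in_scope or CHAT_PROCESS_RE.search(image) or image.lower() in allow:
                continue
            parent, grandparent = parents.get((e["ComputerName"], e.get("ContextProcessId")), (None, None))
            alerts.append({"AlertType": "ChatApp_Storage_Access", "ComputerName": e["ComputerName"],
                           "UserName": e.get("UserName"), "ImageFileName": image, "TargetFileName": path,
                           "Platform": platform_for(path), "ParentBaseFileName": parent,
                           "GrandParentBaseFileName": grandparent})
        elif kind == "ProcessRollup2":
            cmd = e.get("CommandLine", "")
            if CHAT_API_RE.search(cmd) and TOKEN_RE.search(cmd):
                alerts.append({"AlertType": "ChatAPI_Token_CommandLine", "ComputerName": e["ComputerName"],
                               "UserName": e.get("UserName"), "FileName": e.get("FileName"),
                               "CommandLine": redact(cmd), "ParentBaseFileName": e.get("ParentBaseFileName"),
                               "GrandParentBaseFileName": e.get("GrandParentBaseFileName")})
    return alerts


def summarize(alerts):
    """Counterpart of the query's groupBy(): alert volume per host and alert type."""
    return Counter((a["ComputerName"], a["AlertType"]) for a in alerts)


# Constructed sample telemetry (not real Falcon data); the token value is a placeholder.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "jdoe", "TargetProcessId": "4242",
     "FileName": "powershell.exe", "ParentBaseFileName": "cmd.exe", "GrandParentBaseFileName": "explorer.exe",
     "CommandLine": "powershell.exe -nop -c Get-ChildItem"},
    {"event_simpleName": "GenericFileRead", "ComputerName": "WS01", "UserName": "jdoe", "ContextProcessId": "4242",
     "ImageFileName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFileName": "C:\\Users\\jdoe\\AppData\\Roaming\\Slack\\storage\\root-state.json"},
    # Slack writing its own storage: excluded by the chat-process filter.
    {"event_simpleName": "GenericFileWrite", "ComputerName": "WS01", "UserName": "jdoe", "ContextProcessId": "5000",
     "ImageFileName": "C:\\Users\\jdoe\\AppData\\Local\\slack\\app-4.0\\slack.exe",
     "TargetFileName": "C:\\Users\\jdoe\\AppData\\Roaming\\Slack\\storage\\root-state.json"},
    {"event_simpleName": "GenericFileRead", "ComputerName": "WS02", "UserName": "asmith", "ContextProcessId": "7",
     "ImageFileName": "C:\\Windows\\notepad.exe",
     "TargetFileName": "C:\\Users\\asmith\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "asmith", "TargetProcessId": "9",
     "FileName": "curl.exe", "ParentBaseFileName": "cmd.exe",
     "CommandLine": 'curl.exe -H "Authorization: Bearer xoxb-000000000000-PLACEHOLDER" https://api.slack.com/api/conversations.history'},
    # Same API host with no token material: not an alert.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "asmith", "TargetProcessId": "10",
     "FileName": "curl.exe", "ParentBaseFileName": "cmd.exe", "CommandLine": "curl.exe https://api.slack.com/api/api.test"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["AlertType"], a["ComputerName"], a.get("TargetFileName") or a.get("CommandLine"))
    print(summarize(found))
    print("after allowlisting notepad.exe:", len(detect(SAMPLE_EVENTS, process_allowlist=["C:\\Windows\\notepad.exe"])))
```

Running it yields three alerts (two storage-access, one API-token); allowlisting notepad.exe drops the Teams Cookies hit to two, which is the same effect an ImageFileName exclusion has in the query. The redaction step is worth carrying into the real alert pipeline: the command line that triggers Pattern 3 contains a live token, and an unredacted alert copies that secret into the SIEM, ticketing system and e-mail notifications.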
Data Sources
Required Tables
False Positives & Tuning
- Falcon's own telemetry collection process may appear to read chat app directories during artifact collection triggered by detections, generating self-referential alerts
- Workplace analytics tools (e.g. Microsoft Viva Insights, ActivTrak) that legitimately access Teams metadata or local storage to measure collaboration patterns under an enterprise license
- Automated testing frameworks or integration test suites that invoke Slack/Teams APIs with real tokens during CI pipeline execution on developer workstations
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Access Slack Local Storage Database
  Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.
- Test 2: Extract Teams Session Cookies
  Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.
- Test 3: Query Slack API for Messages
  Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.
- Test 4: Search Jira/Confluence for Credentials
  Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
References (7)
- https://attack.mitre.org/techniques/T1552/008/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://api.slack.com/authentication/token-types
- https://learn.microsoft.com/en-us/graph/api/chatmessage-list
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.008/T1552.008.md
- https://www.csoonline.com/article/3649561/lapsus-group-profile-data-extortion-as-a-business.html
- https://api.slack.com/enterprise/audit-logs