Detect Chat Messages in IBM QRadar
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.008 Chat Messages
- Canonical reference: https://attack.mitre.org/techniques/T1552/008/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
sourceip,
username,
QIDNAME(qid) AS event_name,
"FileName" AS file_name,
"FilePath" AS file_path,
"ParentImage" AS parent_process,
"CommandLine" AS command_line,
CATEGORYNAME(category) AS category_name
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 352) -- Sysmon / Windows Security
AND devicetime > NOW() - 86400000
AND (
-- Pattern 1: Slack/Teams local storage file access by non-native process (Sysmon EventID 11)
(
qid = 5000011 -- Sysmon File Created / accessed
AND (
"TargetFilename" ILIKE '%\Slack\storage\%'
OR "TargetFilename" ILIKE '%\Slack\logs\%'
OR "TargetFilename" ILIKE '%\Slack\Cache\%'
OR "TargetFilename" ILIKE '%\Teams\LocalDb\%'
OR "TargetFilename" ILIKE '%\Teams\Blob_storage\%'
OR "TargetFilename" ILIKE '%Microsoft\Teams\Local Storage\%'
)
AND "Image" NOT ILIKE '%\Slack.exe'
AND "Image" NOT ILIKE '%\Teams.exe'
AND "Image" NOT ILIKE '%\msedgewebview2.exe'
AND "Image" NOT ILIKE '%\electron.exe'
)
OR
-- Pattern 2: Token/session/cookie file access in chat app directories
(
qid = 5000011
AND (
"TargetFilename" ILIKE '%token%'
OR "TargetFilename" ILIKE '%session%'
OR "TargetFilename" ILIKE '%cookies%'
)
AND (
"TargetFilename" ILIKE '%\Slack\%'
OR "TargetFilename" ILIKE '%\Teams\%'
OR "TargetFilename" ILIKE '%\Discord\%'
)
AND "Image" NOT ILIKE '%\Slack.exe'
AND "Image" NOT ILIKE '%\Teams.exe'
AND "Image" NOT ILIKE '%\Discord.exe'
)
OR
-- Pattern 3: Process launching with chat API token in command line (Sysmon EventID 1)
(
qid = 5000001 -- Sysmon Process Create
AND (
"CommandLine" ILIKE '%slack.com/api%'
OR "CommandLine" ILIKE '%api.slack.com%'
OR "CommandLine" ILIKE '%graph.microsoft.com%chats%'
)
AND (
"CommandLine" ILIKE '%xoxb-%'
OR "CommandLine" ILIKE '%xoxp-%'
OR "CommandLine" ILIKE '%Bearer%'
OR "CommandLine" ILIKE '%token=%'
)
)
)
ORDER BY devicetime DESC

This QRadar AQL query detects T1552.008 Chat Messages credential theft across three patterns: file events against Slack/Teams local storage from a process other than the native client (Sysmon EventID 11), token/session/cookie files under chat application directories touched by non-native processes, and process creation events (Sysmon EventID 1) whose command line combines a Slack or Teams API endpoint with a token string (xoxb, xoxp, Bearer). It targets Sysmon log sources forwarded to QRadar.
False Positives & Tuning
- Enterprise search indexing tools (e.g. Elastic Enterprise Search, Microsoft Search) that crawl local user profile directories including chat app storage folders
- Automated credential rotation scripts run by IT that legitimately authenticate to Teams Graph API using service principal bearer tokens
- Forensic imaging or eDiscovery tools run by legal/compliance teams that access Slack/Teams local databases for legitimate investigation
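As an added example (not part of the original page and not QRadar's own code), the following Python re-implements the three patterns of the AQL query above and applies a tuning exclusion modelled on the False Positives list to constructed Sysmon-style events; the allowlisted indexer image, the sample paths and the placeholder token are assumptions.

```python
import re

# Native chat clients excluded by the query's NOT ILIKE clauses (Patterns 1 and 2).
NATIVE_IMAGES = {"slack.exe", "teams.exe", "msedgewebview2.exe", "electron.exe", "discord.exe"}
# Tuning allowlist modelled on the False Positives section (constructed; adjust per environment).
TUNED_IMAGES = {"searchindexer.exe"}
STORAGE_DIRS = ("\\slack\\storage\\", "\\slack\\logs\\", "\\slack\\cache\\", "\\teams\\localdb\\",
                "\\teams\\blob_storage\\", "microsoft\\teams\\local storage\\")
CHAT_DIRS = ("\\slack\\", "\\teams\\", "\\discord\\")
SECRET_FILES = ("token", "session", "cookies")
API_HOSTS = ("slack.com/api", "api.slack.com")
TOKEN_MARKERS = ("xoxb-", "xoxp-", "bearer", "token=")

def classify(event):
    """Return the matching pattern number (1, 2 or 3) or None, mirroring the AQL WHERE clause."""
    img = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if img in TUNED_IMAGES:          # tuning exclusion applied before any pattern
        return None
    if event["EventID"] == 11 and img not in NATIVE_IMAGES:
        target = event.get("TargetFilename", "").lower()
        if any(d in target for d in STORAGE_DIRS):
            return 1                 # Pattern 1: chat storage touched by a non-native process
        if any(s in target for s in SECRET_FILES) and any(d in target for d in CHAT_DIRS):
            return 2                 # Pattern 2: token/session/cookie file in a chat app directory
    elif event["EventID"] == 1:
        cmd = event.get("CommandLine", "").lower()
        hits_api = any(h in cmd for h in API_HOSTS) or re.search(r"graph\.microsoft\.com.*chats", cmd)
        if hits_api and any(t in cmd for t in TOKEN_MARKERS):
            return 3                 # Pattern 3: chat API endpoint plus a token marker on the command line
    return None

def run(events):
    """Return (index, pattern) pairs for the events that would fire."""
    return [(i, p) for i, e in enumerate(events) if (p := classify(e)) is not None]

# Constructed Sysmon-style events, not real telemetry; the token value is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Slack\storage\root-state.json"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\slack\app-4.29.149\slack.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Slack\storage\root-state.json"},
    {"EventID": 11, "Image": r"C:\Windows\System32\SearchIndexer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\collect.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": 'curl -H "Authorization: Bearer xoxb-PLACEHOLDER" https://slack.com/api/conversations.history'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl https://example.com/health"},
]
```

Running `run(SAMPLE_EVENTS)` fires on events 0, 3 and 4 only: the native slack.exe write and the indexer's read of the Teams cookie file are suppressed, which is the behaviour the tuning notes ask for.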
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Access Slack Local Storage Database
Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.
- Test 2: Extract Teams Session Cookies
Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.
- Test 3: Query Slack API for Messages
Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.
- Test 4: Search Jira/Confluence for Credentials
Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
References
- https://attack.mitre.org/techniques/T1552/008/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://api.slack.com/authentication/token-types
- https://learn.microsoft.com/en-us/graph/api/chatmessage-list
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.008/T1552.008.md
- https://www.csoonline.com/article/3649561/lapsus-group-profile-data-extortion-as-a-business.html
- https://api.slack.com/enterprise/audit-logs