Detect Chat Messages in Microsoft Sentinel
Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.008 Chat Messages
- Canonical reference: https://attack.mitre.org/techniques/T1552/008/
KQL Detection Query
// Detect suspicious access to chat application data and credential search
DeviceFileEvents
| where Timestamp > ago(24h)
// Pattern 1: Access to Slack desktop app local data
| where (
    FolderPath has_any ("Slack\\storage", "Slack\\logs", "slack-store", "Slack\\Cache")
    or FolderPath has_any ("Teams\\LocalDb", "Teams\\Blob_storage",
                           "Microsoft\\Teams\\Local Storage",
                           "Microsoft\\Teams\\databases")
)
// Check: confirm that these ActionType values are actually emitted by the
// DeviceFileEvents telemetry in your tenant before relying on this filter
| where ActionType in ("FileRead", "FileAccessed")
| where InitiatingProcessFileName !in~ ("Slack.exe", "Teams.exe", "msedgewebview2.exe",
                                        "chrome.exe", "slack", "teams", "electron")
| extend Platform = case(
    FolderPath has "Slack", "Slack",
    FolderPath has "Teams", "Teams",
    "Unknown"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
          InitiatingProcessFileName, Platform
| union (
    // Pattern 2: Chat app token/session file access
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FileName has_any ("token", "session", "cookies")
        and FolderPath has_any ("Slack", "Teams", "Discord", "Zoom")
    | where ActionType in ("FileRead", "FileAccessed")
    | where InitiatingProcessFileName !in~ ("Slack.exe", "Teams.exe", "Discord.exe",
                                            "Zoom.exe", "slack", "teams", "discord")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
              InitiatingProcessFileName
)
| union (
    // Pattern 3: Slack/Teams API token usage via curl or PowerShell
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        "slack.com/api", "graph.microsoft.com/v1.0/chats",
        "teams.microsoft.com", "api.slack.com"
    )
    | where ProcessCommandLine has_any ("token", "Bearer", "xoxb", "xoxp", "xoxa")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
)
| sort by Timestamp desc

The query detects chat application credential access via three patterns: unexpected process access to Slack and Teams local storage databases (which contain message history and tokens); chat application token/session/cookie file access by non-chat processes; and API calls to Slack or Microsoft Graph chat APIs using bearer tokens from CLI tools (curl, PowerShell). It covers credential theft from both Slack and Microsoft Teams.
Data Sources
Required Tables
- DeviceFileEvents (Microsoft Defender for Endpoint, Patterns 1 and 2)
- DeviceProcessEvents (Microsoft Defender for Endpoint, Pattern 3)
False Positives & Tuning
- Backup agents reading chat application local storage as part of user data backup
- Enterprise compliance and DLP tools scanning chat application data for sensitive information
- IT support tools that access Teams/Slack logs for troubleshooting purposes
- Browser extensions or third-party integrations that legitimately access Slack/Teams local storage
- Automated testing frameworks that access chat application data during end-to-end testing
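The false-positive sources listed above are best handled with an explicit allowlist rather than by loosening the match conditions. The query below is an added example, not the page's own rule: it restates the three patterns with a `datatable` of approved agents (the process names `backupagent.exe`, `dlpscanner.exe` and `supporttool.exe` are placeholders), tightens Pattern 3 with a regex for the documented Slack token prefixes instead of the bare word "token", and summarises per device, account and process so one backup run produces one row instead of thousands.

```kql
// Added example (not the original rule): allowlist-tuned version of the
// three-pattern T1552.008 query. Process names in ApprovedAgents are
// placeholders; replace them with the tools actually deployed in your tenant.
let lookback = 24h;
// Native chat clients and their embedded browsers; these are expected readers.
let ChatClients = dynamic(["slack.exe", "teams.exe", "ms-teams.exe", "discord.exe", "zoom.exe",
                           "msedgewebview2.exe", "chrome.exe", "slack", "teams", "discord", "electron"]);
// Assumed allowlist (placeholder names) for the false-positive sources above.
// Keep the Owner column so every exception has someone accountable for it.
let ApprovedAgents = datatable(ProcessName:string, Owner:string, Purpose:string) [
    "backupagent.exe", "IT-Backup", "User profile backup",
    "dlpscanner.exe",  "SecOps",    "DLP content inspection",
    "supporttool.exe", "Helpdesk",  "Teams log collection for tickets"
];
// Slack token prefixes are documented at api.slack.com/authentication/token-types.
let SlackTokenRegex = @"xox[abpe]-[0-9A-Za-z-]+";
let ChatPaths = dynamic(["Slack\\storage", "Slack\\logs", "slack-store", "Slack\\Cache",
                         "Teams\\LocalDb", "Teams\\Blob_storage",
                         "Microsoft\\Teams\\Local Storage", "Microsoft\\Teams\\databases"]);
// Patterns 1 and 2: chat data stores and token/session/cookie files read by
// something other than the chat client or an approved agent.
// ActionType is deliberately not filtered here; confirm which values your
// tenant's DeviceFileEvents emits before narrowing on it.
let FileAccess = DeviceFileEvents
| where Timestamp > ago(lookback)
| where FolderPath has_any (ChatPaths)
    or (FileName has_any ("token", "session", "cookies")
        and FolderPath has_any ("Slack", "Teams", "Discord", "Zoom"))
| extend ProcessName = tolower(InitiatingProcessFileName)
| where ProcessName !in (ChatClients)
| join kind=leftanti ApprovedAgents on ProcessName
| extend Pattern = iff(FolderPath has_any (ChatPaths), "Local store access", "Token/session file access"),
         Platform = case(FolderPath has "Slack", "Slack",
                         FolderPath has "Teams", "Teams",
                         FolderPath has "Discord", "Discord",
                         FolderPath has "Zoom", "Zoom",
                         "Unknown")
| project Timestamp, DeviceName, Account = InitiatingProcessAccountName, ProcessName,
          Detail = strcat(FolderPath, "\\", FileName), Pattern, Platform;
// Pattern 3: chat API endpoints on a command line carrying a bearer token or
// a Slack-format token, excluding approved agents.
let ApiUse = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where ProcessCommandLine has_any ("slack.com/api", "api.slack.com",
                                    "graph.microsoft.com/v1.0/chats", "teams.microsoft.com")
| where ProcessCommandLine has "Bearer" or ProcessCommandLine matches regex SlackTokenRegex
| extend ProcessName = tolower(FileName)
| join kind=leftanti ApprovedAgents on ProcessName
| extend Pattern = "API token usage",
         Platform = iff(ProcessCommandLine has "slack", "Slack", "Teams")
| project Timestamp, DeviceName, Account = AccountName, ProcessName,
          Detail = ProcessCommandLine, Pattern, Platform;
// One row per device/account/process/pattern; Samples keeps a few paths or
// command lines for the analyst without flooding the incident.
FileAccess
| union ApiUse
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Samples = make_set(Detail, 5)
          by DeviceName, Account, ProcessName, Pattern, Platform
| sort by LastSeen desc
```

The `leftanti` join drops every event whose (lower-cased) process name appears in `ApprovedAgents`, so the allowlist is the only place a tuning decision lives; reviewing that table is the audit of exceptions. Because a backup agent runs under a service account and from a fixed path, a stricter version would key the allowlist on `InitiatingProcessFolderPath` and account as well as the file name, so an attacker renaming a tool to `backupagent.exe` does not inherit the exception.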
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Access Slack Local Storage Database
  Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.
- Test 2: Extract Teams Session Cookies
  Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.
- Test 3: Query Slack API for Messages
  Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.
- Test 4: Search Jira/Confluence for Credentials
  Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
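After running the four tests, the expected signals above can be checked against the process telemetry the detection actually consumes. The query below is an added example, not part of the original page or the Atomic Red Team project: it maps each test to the process-creation evidence it should leave (Sysmon Event ID 1 and auditd EXECVE both surface as `DeviceProcessEvents` when Defender for Endpoint is the collector), and reports which tests were observed and which are missing. Note that Test 4 (atlassian.net) is not matched by the detection query above, which only keys on Slack and Microsoft Graph endpoints; the coverage check makes that gap visible rather than hiding it.

```kql
// Added example (not the page's own rule): coverage check for the four
// atomic tests. TestWindow assumes the tests ran within the last two hours.
let TestWindow = 2h;
let Tests = datatable(TestId:string, Name:string, CoveredByDetection:bool) [
    "Test 1", "Access Slack Local Storage Database", true,
    "Test 2", "Extract Teams Session Cookies",       true,
    "Test 3", "Query Slack API for Messages",        true,
    "Test 4", "Search Jira/Confluence for Credentials", false  // atlassian.net not in the rule
];
// Classify process-creation events by the command-line evidence each test
// is expected to produce; anything that matches no test is dropped.
let Observed = DeviceProcessEvents
| where Timestamp > ago(TestWindow)
| extend TestId = case(
    FileName =~ "powershell.exe" and ProcessCommandLine has "Get-ChildItem"
        and ProcessCommandLine has "Slack\\storage", "Test 1",
    FileName =~ "powershell.exe" and ProcessCommandLine has "Get-ChildItem"
        and ProcessCommandLine has "Teams" and ProcessCommandLine has "Cookies", "Test 2",
    FileName =~ "curl" and ProcessCommandLine has "api.slack.com"
        and ProcessCommandLine has "xoxb-", "Test 3",
    FileName =~ "curl" and ProcessCommandLine has "atlassian.net"
        and ProcessCommandLine has "Bearer", "Test 4",
    "")
| where isnotempty(TestId)
| summarize Hits = count(), LastSeen = max(Timestamp),
            Hosts = make_set(DeviceName, 5), Accounts = make_set(AccountName, 5)
          by TestId;
// Left-outer join keeps tests with no telemetry so they show up as MISSING.
Tests
| join kind=leftouter Observed on TestId
| extend Status = case(Hits > 0 and CoveredByDetection, "observed, rule should fire",
                       Hits > 0, "observed, not covered by rule",
                       "MISSING: no process telemetry")
| project TestId, Name, Status, Hits, LastSeen, Hosts, Accounts
| sort by TestId asc
```

A test that shows "MISSING" usually means the endpoint was not onboarded, the test ran outside `TestWindow`, or the command line was wrapped (for example in an encoded PowerShell block) so the literal path never reached `ProcessCommandLine`; each of those is worth fixing before trusting the detection in production. The Sysmon Event ID 11 and network-connection signals listed for Tests 1 to 3 are not checked here because they live in other tables.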
References (7)
- https://attack.mitre.org/techniques/T1552/008/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://api.slack.com/authentication/token-types
- https://learn.microsoft.com/en-us/graph/api/chatmessage-list
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.008/T1552.008.md
- https://www.csoonline.com/article/3649561/lapsus-group-profile-data-extortion-as-a-business.html
- https://api.slack.com/enterprise/audit-logs