T1552.008 Splunk · SPL

Detect Chat Messages in Splunk

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.008 Chat Messages
Canonical reference
https://attack.mitre.org/techniques/T1552/008/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (TargetFilename="*\\Slack\\storage\\*" OR TargetFilename="*\\Slack\\logs\\*"
     OR TargetFilename="*\\Microsoft\\Teams\\Local Storage\\*" OR TargetFilename="*\\Teams\\Blob_storage\\*")
    NOT (Image IN ("*\\Slack.exe", "*\\Teams.exe", "*\\msedgewebview2.exe", "*\\MicrosoftEdge*"))
| eval Platform=if(match(TargetFilename, "Slack"), "Slack", "Teams")
| eval AlertType="ChatApp_LocalDB_Access"
| table _time, host, User, Image, TargetFilename, Platform, AlertType
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
        ((CommandLine="*api.slack.com*" AND (CommandLine="*xoxb-*" OR CommandLine="*xoxp-*" OR CommandLine="*token=*"))
         OR (CommandLine="*graph.microsoft.com*" AND CommandLine="*chats*" AND CommandLine="*Bearer*"))
      | eval AlertType="ChatAPI_TokenUse"
      | table _time, host, User, Image, CommandLine, AlertType ]
| append
    [ search index=o365 sourcetype="o365:management:activity" Workload="MicrosoftTeams"
        Operation IN ("MessageSentEvent", "ChatMessageCreatedEvent") UserId!="app@sharepoint"
      | bin _time span=5m
      | stats count AS MsgCount, values(UserId) AS Users BY _time, ClientIP
      | where MsgCount >= 50
      | eval AlertType="Teams_Message_Audit"
      | table _time, ClientIP, Users, MsgCount, AlertType ]
| sort - _time
Severity: high · Confidence: medium

Detects chat application credential access through three sources: Sysmon Event ID 11 (FileCreate) events under Slack and Teams local storage paths written by a process other than the chat client itself, Sysmon Event ID 1 process creations whose command line calls a chat API with an authentication token, and O365 audit logs showing bulk Teams message activity (50 or more messages from one client IP within a 5-minute window, which points to programmatic collection rather than a person typing).
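As an added, offline check on the three branches above (example code written for this page, not part of the original detection or of Splunk's own tooling): the script models each branch in Python and runs it over constructed Sysmon and O365 events so the filters, the client-process exclusion, the UserId exclusion and the 5-minute bucketing can be tested without a Splunk instance. Field names mirror the sourcetypes the query reads; the hostnames, paths, token string and TEST-NET IP addresses are all made up. One caveat it makes visible: Sysmon Event ID 11 is FileCreate, so branch 1 only fires when a non-client process creates a file under the chat storage path; a plain read or copy out of that directory leaves no Event 11 on the source path.

```python
# Added example: offline model of the three SPL branches, run over constructed
# sample events. Field names follow the Sysmon and O365 sourcetypes the query
# reads; every value below is made up for illustration.
import fnmatch
import re
from collections import defaultdict

# Patterns copied from the query. SPL wildcard matches are case-insensitive,
# so both sides are lower-cased before fnmatch is applied.
CHAT_STORAGE_PATHS = (
    "*\\Slack\\storage\\*", "*\\Slack\\logs\\*",
    "*\\Microsoft\\Teams\\Local Storage\\*", "*\\Teams\\Blob_storage\\*",
)
CHAT_CLIENT_IMAGES = ("*\\Slack.exe", "*\\Teams.exe", "*\\msedgewebview2.exe", "*\\MicrosoftEdge*")
BULK_THRESHOLD = 50   # where MsgCount >= 50
BIN_SECONDS = 300     # bin _time span=5m


def _glob(value, patterns):
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def classify_sysmon(event):
    """Branches 1 and 2 applied to one Sysmon event; returns an alert dict or None."""
    code = event.get("EventCode")
    if code == 11:
        target = event.get("TargetFilename", "")
        if _glob(target, CHAT_STORAGE_PATHS) and not _glob(event.get("Image", ""), CHAT_CLIENT_IMAGES):
            return {"_time": event["_time"], "host": event.get("host"), "User": event.get("User"),
                    "Image": event.get("Image"), "TargetFilename": target,
                    # eval Platform=if(match(TargetFilename, "Slack"), "Slack", "Teams")
                    "Platform": "Slack" if re.search("Slack", target) else "Teams",
                    "AlertType": "ChatApp_LocalDB_Access"}
    elif code == 1:
        cl = event.get("CommandLine", "").lower()
        slack_api = "api.slack.com" in cl and any(t in cl for t in ("xoxb-", "xoxp-", "token="))
        graph_api = "graph.microsoft.com" in cl and "chats" in cl and "bearer" in cl
        if slack_api or graph_api:
            return {"_time": event["_time"], "host": event.get("host"), "User": event.get("User"),
                    "Image": event.get("Image"), "CommandLine": event.get("CommandLine"),
                    "AlertType": "ChatAPI_TokenUse"}
    return None


def bulk_teams_messages(events):
    """Branch 3: count Teams message events per ClientIP in 5-minute bins."""
    bins = defaultdict(lambda: {"MsgCount": 0, "Users": set()})
    for e in events:
        if e.get("Workload") != "MicrosoftTeams":
            continue
        if e.get("Operation") not in ("MessageSentEvent", "ChatMessageCreatedEvent"):
            continue
        if e.get("UserId") == "app@sharepoint":   # UserId!="app@sharepoint"
            continue
        key = (e["_time"] // BIN_SECONDS * BIN_SECONDS, e["ClientIP"])
        bins[key]["MsgCount"] += 1
        bins[key]["Users"].add(e["UserId"])
    return [{"_time": t, "ClientIP": ip, "Users": sorted(agg["Users"]),
             "MsgCount": agg["MsgCount"], "AlertType": "Teams_Message_Audit"}
            for (t, ip), agg in bins.items() if agg["MsgCount"] >= BULK_THRESHOLD]


def run_detection(sysmon_events, o365_events):
    """Union of all three branches, newest first (| sort - _time)."""
    alerts = [a for a in map(classify_sysmon, sysmon_events) if a]
    alerts += bulk_teams_messages(o365_events)
    return sorted(alerts, key=lambda a: a["_time"], reverse=True)


T0 = 1700000000  # constructed epoch timestamp; T0..T0+99 fall in one 5-minute bin
SAMPLE_SYSMON = [
    # powershell creating a file under Slack storage: alerts (Platform=Slack)
    {"_time": T0 + 10, "host": "WS01", "User": "CORP\\alice", "EventCode": 11,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Slack\\storage\\root-state.json"},
    # the Slack client writing its own storage: excluded by the NOT Image clause
    {"_time": T0 + 11, "host": "WS01", "User": "CORP\\alice", "EventCode": 11,
     "Image": "C:\\Users\\alice\\AppData\\Local\\slack\\app-4.0\\slack.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Slack\\storage\\root-state.json"},
    # a script interpreter writing under Teams Local Storage: alerts (Platform=Teams)
    {"_time": T0 + 12, "host": "WS01", "User": "CORP\\alice", "EventCode": 11,
     "Image": "C:\\Python311\\python.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\000003.log"},
    # curl with a Slack bot-style token on the command line: alerts (token is a dummy)
    {"_time": T0 + 13, "host": "WS01", "User": "CORP\\alice", "EventCode": 1,
     "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": "curl https://api.slack.com/api/conversations.history?token=xoxb-SAMPLE-NOT-REAL"},
    # ordinary process creation with no chat API indicators: no alert
    {"_time": T0 + 14, "host": "WS01", "User": "CORP\\alice", "EventCode": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]
SAMPLE_O365 = (
    # 50 chat messages from one client IP inside a single 5-minute bin: bulk
    [{"_time": T0 + i, "Workload": "MicrosoftTeams", "Operation": "ChatMessageCreatedEvent",
      "UserId": "alice@example.com", "ClientIP": "203.0.113.5"} for i in range(50)]
    # two service events from the same IP, dropped by the UserId filter
    + [{"_time": T0 + 50 + i, "Workload": "MicrosoftTeams", "Operation": "MessageSentEvent",
        "UserId": "app@sharepoint", "ClientIP": "203.0.113.5"} for i in range(2)]
    # a few normal messages from another IP: below threshold
    + [{"_time": T0 + i, "Workload": "MicrosoftTeams", "Operation": "MessageSentEvent",
        "UserId": "bob@example.com", "ClientIP": "198.51.100.7"} for i in range(3)]
)

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_SYSMON, SAMPLE_O365):
        print(alert)
```

Running it yields four alerts: the curl token use, the two local-storage writes (Teams, then Slack) and one bulk-message alert for 203.0.113.5 with MsgCount 50, since the two app@sharepoint events are excluded before counting. Changing the threshold or the bin size is the quickest way to see how the O365 branch behaves at the boundary before touching the production search.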

Data Sources

  • File: File Access
  • Process: Process Creation
  • Office 365 Audit Logs

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • o365:management:activity

False Positives & Tuning

  • Backup agents reading chat application local storage
  • Enterprise compliance/DLP tools scanning chat data
  • IT support tools accessing Teams/Slack logs
  • Legitimate third-party integrations accessing local storage
  • Automated testing frameworks accessing chat data
Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that tests 3 and 4 produce Linux auditd telemetry, whereas the query above keys only on the Sysmon and O365 sourcetypes and contains no clause for atlassian.net; expect those two tests to expose coverage gaps rather than fire this rule as written.

  1. Test 1: Access Slack Local Storage Database

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.

  2. Test 2: Extract Teams Session Cookies

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.

  3. Test 3: Query Slack API for Messages

    Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.

  4. Test 4: Search Jira/Confluence for Credentials

    Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
