T1552.008 Sumo Logic CSE · Sumo

Detect Chat Messages in Sumo Logic CSE

Adversaries may directly collect unsecured credentials stored or passed through user communication services. Corporate chat tools including Slack, Microsoft Teams, Jira, Confluence, and email frequently contain credentials shared between employees — API keys, passwords, database connection strings, SSH keys, and authentication tokens. LAPSUS$ specifically targeted Slack, Teams, JIRA, and Confluence to hunt for exposed credentials supporting privilege escalation and lateral movement. Adversaries may access stored chat logs on endpoints, query chat APIs with compromised tokens, compromise Slack integrations/bots, or search through message history for sensitive content.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.008 Chat Messages
Canonical reference: https://attack.mitre.org/techniques/T1552/008/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Patterns 1 & 2 (Sysmon EventID 11): Slack/Teams local storage and token/session/cookie
// file access by processes other than the chat clients themselves.
// Pattern 3 (Sysmon EventID 1): chat API token usage in a command line.
// Both event types are handled in one pipeline because the Sumo Logic search language
// has no union or eval operator; nodrop keeps events that lack a given Message field.
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/sysmon")
| where EventID = "11" OR EventID = "1"
| parse field=Message "TargetFilename: *" as target_filename nodrop
| parse field=Message "CommandLine: *" as command_line nodrop
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "User: *" as user nodrop
// Pattern 1: chat client storage, log, blob and cache directories
| if(EventID = "11" AND (
      target_filename matches "*\\Slack\\storage\\*" OR
      target_filename matches "*\\Slack\\logs\\*" OR
      target_filename matches "*\\Slack\\Cache\\*" OR
      target_filename matches "*\\Teams\\LocalDb\\*" OR
      target_filename matches "*\\Teams\\Blob_storage\\*" OR
      target_filename matches "*\\Microsoft\\Teams\\Local Storage\\*"
    ), 1, 0) as storage_access
// Pattern 2: token/session/cookie files inside chat application directories
| if(EventID = "11" AND
      (target_filename matches "*token*" OR target_filename matches "*session*" OR target_filename matches "*cookies*")
      AND (target_filename matches "*\\Slack\\*" OR target_filename matches "*\\Teams\\*" OR target_filename matches "*\\Discord\\*"),
    1, 0) as token_file_access
// Pattern 3: chat platform API call with an embedded authentication token
| if(EventID = "1" AND
      (command_line matches "*slack.com/api*" OR
       command_line matches "*api.slack.com*" OR
       (command_line matches "*graph.microsoft.com*" AND command_line matches "*chats*"))
      AND (command_line matches "*xoxb-*" OR
           command_line matches "*xoxp-*" OR
           command_line matches "*Bearer*" OR
           command_line matches "*token=*"),
    1, 0) as api_token_in_cmdline
| where storage_access = 1 OR token_file_access = 1 OR api_token_in_cmdline = 1
// Patterns 1 & 2 only: exclude the legitimate chat clients and their embedded browsers
| where api_token_in_cmdline = 1 OR !(process_image matches "*\\Slack.exe" OR
           process_image matches "*\\Teams.exe" OR
           process_image matches "*\\msedgewebview2.exe" OR
           process_image matches "*\\electron.exe" OR
           process_image matches "*\\Discord.exe" OR
           process_image matches "*\\chrome.exe")
| if(EventID = "11", "ChatApp_Storage_Access", "ChatAPI_Token_In_CommandLine") as alert_type
| if(target_filename matches "*Slack*", "Slack", if(target_filename matches "*Teams*", "Teams", "Other")) as platform
| fields _sourceHost, user, process_image, target_filename, command_line, platform, alert_type
| sort by _messagetime desc

Severity: High. Confidence: Medium.

Sumo Logic CSE query detecting T1552.008 Chat Messages across three behavioral patterns: (1) Sysmon EventID 11 file creation/access events targeting Slack or Teams local storage, blob storage, or cache directories by processes other than the legitimate chat clients, (2) access to token/session/cookie files within chat app directories by non-native processes, and (3) Sysmon EventID 1 process creation events where the command line references chat platform APIs (Slack API, MS Graph chats endpoint) with authentication token strings embedded.
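To exercise the query's matching logic offline before deploying it, the following is an added Python re-implementation of the three patterns (example code written for this page, not part of the original detection package) run over constructed Sysmon Message bodies. The glob lists are copied from the query; case-insensitive matching and the sample paths are assumptions of the example.

```python
import fnmatch
import re
# Globs copied from the query above; matched case-insensitively here because Windows
# paths are (a choice of this example, not necessarily how Sumo's matches behaves).
STORAGE_GLOBS = ["*\\Slack\\storage\\*", "*\\Slack\\logs\\*", "*\\Slack\\Cache\\*",
                 "*\\Teams\\LocalDb\\*", "*\\Teams\\Blob_storage\\*",
                 "*\\Microsoft\\Teams\\Local Storage\\*"]
TOKEN_FILE_GLOBS = ["*token*", "*session*", "*cookies*"]
CHAT_DIR_GLOBS = ["*\\Slack\\*", "*\\Teams\\*", "*\\Discord\\*"]
LEGIT_CLIENTS = ["*\\Slack.exe", "*\\Teams.exe", "*\\msedgewebview2.exe",
                 "*\\electron.exe", "*\\Discord.exe", "*\\chrome.exe"]
API_GLOBS = ["*slack.com/api*", "*api.slack.com*"]
TOKEN_GLOBS = ["*xoxb-*", "*xoxp-*", "*Bearer*", "*token=*"]

def _any(value, globs):
    """True if value matches any glob; None (an unparsed field) never matches."""
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), g.lower()) for g in globs)

def _parse(message, key):
    """Equivalent of `parse field=Message "<key>: *"`, anchored to a line start."""
    m = re.search(rf"(?m)^{key}: (.*)$", message)
    return m.group(1).strip() if m else None

def classify(event_id, message):
    """Return the alert_type the query would assign, or None if the event is benign."""
    image = _parse(message, "Image")
    if event_id == 11:  # file create: patterns 1 and 2
        target = _parse(message, "TargetFilename")
        storage = _any(target, STORAGE_GLOBS)
        token_file = _any(target, TOKEN_FILE_GLOBS) and _any(target, CHAT_DIR_GLOBS)
        if (storage or token_file) and not _any(image, LEGIT_CLIENTS):
            return "ChatApp_Storage_Access"
    elif event_id == 1:  # process create: pattern 3
        cmd = _parse(message, "CommandLine")
        graph_chats = _any(cmd, ["*graph.microsoft.com*"]) and _any(cmd, ["*chats*"])
        if (_any(cmd, API_GLOBS) or graph_chats) and _any(cmd, TOKEN_GLOBS):
            return "ChatAPI_Token_In_CommandLine"
    return None

# Constructed Sysmon Message bodies (not real telemetry); newlines separate the fields.
SAMPLE_EVENTS = [
    (11, "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
         "TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Slack\\storage\\state.json"),
    (11, "Image: C:\\Users\\alice\\AppData\\Local\\slack\\Slack.exe\n"
         "TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Slack\\storage\\state.json"),
    (11, "Image: C:\\Windows\\System32\\cmd.exe\n"
         "TargetFilename: C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"),
    (1, "Image: C:\\Windows\\System32\\curl.exe\n"
        "CommandLine: curl -H \"Authorization: Bearer xoxb-EXAMPLE\" https://slack.com/api/conversations.history"),
    (1, "Image: C:\\Windows\\System32\\curl.exe\nCommandLine: curl https://example.org/api"),
]
def run_samples():
    return [classify(eid, msg) for eid, msg in SAMPLE_EVENTS]  # verdict per sample, in order
```

Only the second sample (the real Slack client touching its own storage) and the last (a curl with no chat API or token) should come back as None; the others map to the two alert types.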

Data Sources

  • Sysmon for Windows (forwarded to Sumo Logic)
  • Windows Event Log via Installed Collector
  • Sumo Logic Cloud SIEM Enterprise

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=endpoint/sysmon

False Positives & Tuning

  • Authorized IT monitoring scripts that use PowerShell with stored service tokens to poll Teams Graph API for compliance reporting or user activity analytics
  • Third-party chat archival platforms (e.g. Theta Lake, Smarsh) that may access local Slack or Teams cache files as part of their licensed capture agents
  • Browser-based password managers or sync tools that read cookie/session files from application directories including chat clients as part of their normal operation

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that tests 3 and 4 produce Linux auditd telemetry, which the Windows Sysmon query above does not cover, so they require a separate data source to observe. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Access Slack Local Storage Database

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Slack\storage path. Sysmon Event ID 11: file access events for Slack storage files. Process parent chain visible in event.

  2. Test 2: Extract Teams Session Cookies

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-ChildItem and Teams Cookies path. Sysmon Event ID 11: file access for Teams Cookies file.

  3. Test 3: Query Slack API for Messages

    Expected signal: Linux auditd EXECVE for curl with api.slack.com and xoxb- token. HTTPS connection to slack.com:443. Network connection event with slack.com as destination.

  4. Test 4: Search Jira/Confluence for Credentials

    Expected signal: Linux auditd EXECVE for curl with atlassian.net URL and Bearer token. HTTPS connection to atlassian.net:443. Response contains Jira tickets with credential content.
