Sigma rules · CVE-2021-24114

Home/CVE-2021-24114/Sigma rules

Sigma

Sigma rules for CVE-2021-24114

5 rules · scoped to cve · back to CVE-2021-24114

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

5 of 5

direct high

Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

status test author frack113 id 1908fcc1-1b92-4272-8214-0fbaf2fa5163 license Sigma · DRL-1.1

view Sigma YAML

title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high

direct high

Suspicious Teams Application Related ObjectAcess Event

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

status test author @SerkinValery id 25cde13e-8e20-4c29-b949-4e795b76f16f license Sigma · DRL-1.1

view Sigma YAML

title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: test
description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter:
        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

direct medium

Microsoft Teams Sensitive File Access By Uncommon Applications

Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.

status test author @SerkinValery id 65744385-8541-44a6-8630-ffc824d7d4cc license Sigma · DRL-1.1

view Sigma YAML

title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: test
description: |
    Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: its best to filter the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

direct medium

Renamed Microsoft Teams Execution

Detects the execution of a renamed Microsoft Teams binary.

status test author Nasreddine Bencherchali (Nextron Systems) id 88f46b67-14d4-4f45-ac2c-d66984f22191 license Sigma · DRL-1.1

view Sigma YAML

title: Renamed Microsoft Teams Execution
id: 88f46b67-14d4-4f45-ac2c-d66984f22191
status: test
description: Detects the execution of a renamed Microsoft Teams binary.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-12
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'msteams.exe'
            - 'teams.exe'
    filter_main_legit_names:
        Image|endswith:
            - '\msteams.exe'
            - '\teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

direct medium

Potentially Suspicious Command Targeting Teams Sensitive Files

Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.

status test author @SerkinValery id d2eb17db-1d39-41dc-b57f-301f6512fa75 license Sigma · DRL-1.1

view Sigma YAML

title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

Showing 1-5 of 5

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin