Monitoring teams exploit


binary op

Sep 17, 2022, 6:58:44 AM
to Wazuh mailing list
Hi All,

New to Wazuh and looking for some assistance on the best way to monitor for this potential attack.

TLDR: 

Create a monitoring rule to discover processes accessing the following directories, excluding the Teams app, and monitor whether Teamsniper.py is run on a system.

  • [Windows] %AppData%\Microsoft\Teams\Cookies
  • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb


Tool released below: 


Thanks 

Francis Timilehin Jeremiah

Sep 17, 2022, 8:48:25 PM
to Wazuh mailing list
Hello opbinary08,

1. You can set up who-data auditing in Windows to monitor file changes and the process/user that made modifications in a monitored directory. You can configure something like the block below in the /var/ossec/etc/ossec.conf agent configuration file:
<syscheck>
  <directories check_all="yes" whodata="yes">PATH_TO\Microsoft\Teams\Cookies</directories>
  <directories check_all="yes" whodata="yes">PATH_TO\Microsoft\Teams\Local Storage\leveldb</directories>
</syscheck>

2. To monitor the tool, I would suggest the following:
a. Install Sysmon in a test environment, configure Wazuh to collect Sysmon logs, then enable archives on the Wazuh dashboard/server. The point of enabling archives is for the Wazuh server to receive all logs from the endpoints (even logs that do not trigger alerts).

Windows Endpoint
Set up Sysmon with this config file: sysmon64 -i sysmonfig.xml

  1. Install the Wazuh agent

  2. Enable Sysmon log collection by adding the following to the agent's /var/ossec/etc/ossec.conf:

       <localfile>
         <location>Microsoft-Windows-Sysmon/Operational</location>
         <log_format>eventchannel</log_format>
       </localfile>

Wazuh Server

Steps to configure archives monitoring in Wazuh dashboard/server:

  1. Set <logall_json>yes</logall_json> in /var/ossec/etc/ossec.conf

  2. Set archives: enabled to true in /etc/filebeat/filebeat.yml

        archives:
            enabled: true

  3. Restart the Wazuh manager and Filebeat: # systemctl restart wazuh-manager filebeat

  4. Go to Wazuh dashboard -> index management -> indices and verify wazuh-archives-x.x-xxxx.xx.xx is present

  5. Go to Wazuh dashboard -> stack management -> index pattern and select Create index pattern. Use wazuh-archives-* as the index pattern name

  6. Go to Wazuh dashboard -> discover and verify archives events are being reported

b. Execute the Teamsniper.py script and search for the associated Sysmon logs in the Discover tab on the Wazuh dashboard
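As an added example (not part of the reply above and not from the Wazuh ruleset), the two data sources the reply sets up can be turned into the alert rules the original question asked for: a FIM who-data rule that fires when anything other than Teams.exe adds, modifies or deletes the Teams Cookies file or the Local Storage\leveldb store, and a Sysmon process-creation rule that fires when Teamsniper.py appears on a command line. The parent rule IDs are the stock Wazuh ones (550/553/554 for FIM modified/deleted/added, 61603 for Sysmon Event ID 1); the custom IDs 100300 and 100301, the group name and the regular expressions are assumptions chosen for this illustration. The block would be appended to /var/ossec/etc/rules/local_rules.xml on the manager, followed by a manager restart.

```xml
<!-- Added example rules, assumed IDs 100300/100301 (not from the Wazuh ruleset) -->
<group name="teams_credential_access,">

  <!-- FIM who-data: Teams credential store touched by a process other than Teams.exe.
       Parents 550/553/554 are the stock syscheck modified/deleted/added rules.
       Backslashes are doubled because the field type is pcre2. -->
  <rule id="100300" level="10">
    <if_sid>550,553,554</if_sid>
    <field name="file" type="pcre2">(?i)\\Microsoft\\Teams\\(Cookies|Local Storage\\leveldb)</field>
    <!-- negate="yes": match only when the acting process is NOT Teams.exe -->
    <field name="audit.process.name" type="pcre2" negate="yes">(?i)\\Teams\.exe$</field>
    <description>Teams credential store $(file) changed by non-Teams process $(audit.process.name)</description>
    <group>syscheck,</group>
  </rule>

  <!-- Sysmon Event ID 1 (parent rule 61603): Teamsniper.py launched via any interpreter -->
  <rule id="100301" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)Teamsniper\.py</field>
    <description>Teamsniper.py executed: $(win.eventdata.commandLine)</description>
    <group>sysmon_event1,</group>
  </rule>

</group>
```

Two points worth keeping in mind when using this: FIM who-data attaches the acting process only to create, modify and delete events, so a tool that just reads and copies the cookie and leveldb files is caught by the Sysmon rule rather than the FIM rule; and the Sysmon rule matches on the command line, so renaming the script would bypass it, which is why pairing it with the FIM rule (and with the archives-based hunting the reply describes) is the more robust setup.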
