Stealing Tokens from Office products

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Stealing Tokens from Office products

L4 Transporter

Hello dear community, 


is there a capability in cortex xdr pro, which can detect or stop the dumping and stealing from tokens?


How would you go on this? XQL BIOC query with detection on dump creation? Or BIOC XQL for strings64.exe call?







L3 Networker

Hi @RFeyertag I would probably create BIOC rules with multiple logic:


  1. Low Severity: Create a BIOC rule for srtings64.exe containing *.dmp in its command line. (Even though the article mentions that you could do an offline strings dump etc, Why? Obviously if done on the box it will create more telemetry and more telemetry creates more detection opportunities)
  2. Informational Severity: Create a BIOC rule where I would monitor for a process command line containing a *.dmp in its CLI. (Produces quite a bit noise)
  3. Medium Severity: Create a BIOC rule where an unsigned image created a *.dmp file (Please consider the noise in the environment before creation.)
  4. Medium Severity: Create a BIOC rule where tool name such as procdump*.exe or dumpit.exe i.e. common process dump utilities are used.
  5. Medium Severity: Create a BIOC rule where an image signer includes Microsoft* as a key word but the image name is not a known Microsoft Utility.
  6. Medium Severity: rundll32.exe executing comsvc.dll

Before doing above baseline first:

config case_sensitive = false 
| dataset = xdr_data 
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW,ENUM.FILE_WRITE)
| filter actor_process_image_name != null
| filter actor_process_image_name not in ("werfault.exe","System") and action_file_name = "*.dmp"
| fields _time as Time_Stamp, agent_hostname as Host, agent_ip_addresses as IP_Addr, action_file_name as Dump_Filename, actor_process_image_name as Process




Kind Regards

L5 Sessionator

Hi @RFeyertag there's a BIOC available in github that you can take a look at to see if it meets your needs.

Hey @bbarmanroy


thank you very much! It worked like very good! Here is my final query:


dataset = xdr_data |
filter event_type = FILE and (
actor_process_image_name not contains "Teams" and
actor_process_image_name not contains "teams" and actor_process_image_path not contains "C:\Windows\System32\svchost.exe"
and (
action_file_path contains "\Microsoft\Teams\Cookies" or
action_file_path contains "Microsoft\Teams\Local Storage\leveldb" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Cookies" or
action_file_path contains "/Library/Application Support/Microsoft/Teams/Local Storage/leveldb" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Cookies" or
action_file_path contains "/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"


Do you think excluding svchost.exe is a good idea?





Hi @RFeyertag the query looks good.


I'd probably want to clean up a bit if that makes for a quicker read as BIOC rules are case-insensitive by default (takes care of the process name) as well as put the paths in an array:


dataset = xdr_data 
| filter event_type = ENUM.FILE 
| filter action_file_path in ("%AppData%\Microsoft\Teams\Cookies", "%AppData%\Microsoft\Teams\Local Storage\leveldb", "~/Library/Application Support/Microsoft/Teams/Cookies", "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb","~/.config/Microsoft/Microsoft Teams/Cookies", "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb") and action_process_image_name !~= "teams"


I am not full up-to-date with the threat, but I understand that this requires local privileges on the endpoint (so an attacker would already have access to Teams at that point post-authentication?). As such, putting in svchost in the query is probably not necessary. Do discuss this with your wider information security teams (including threat intel) to discover variants and use that to modify the BIOC as needed.


  • 4 replies
  • 78 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!