‘The Suspicious Command Line Contains Azure TokenCache.dat as Argument’ community rule by the SOC Prime team is available at Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/MzSiYeDJ9PvW/ The TokenCache.dat file contains the AccessKey for the current session and is stored as a plaintext JSON file. Any manipulation of this file via the command line may indicate an attempt to steal the token so that it can later be used for malicious purposes.
You can find more information about these metrics in our blog: https://socprime.com/blog/siem-impact-pain-actionability-and-severity/
PLATFORMS: Sigma, ELK stack, Elasticsearch, elasticsearch-rule, Kibana, xpack-watcher, ArcSight ESM, ArcSight-keyword, SumoLogic, Qualys, IBM Qradar, Splunk, ala, ala-rule, RSA Netwitness, powershell, CarbonBlack.
LOG SOURCES: sysmon, security.
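A minimal Sigma-style matcher for this detection, run over constructed Sysmon (EventID 1) and Security (EventID 4688) process-creation events, as an added example rather than the SOC Prime rule itself; the selection dictionary, the Event fields and the C:\PLACEHOLDER path are assumptions, not the rule's own content or a real cache location.

```python
from dataclasses import dataclass
from typing import Iterable

# Hypothetical Sigma-style selection reconstructing the rule's logic:
# a process-creation event whose CommandLine contains the token cache file name.
SELECTION = {"CommandLine|contains": "TokenCache.dat"}

@dataclass(frozen=True)
class Event:
    source: str        # "sysmon" or "security", the rule's two log sources
    event_id: int      # Sysmon 1 / Security 4688 are process creation
    image: str
    command_line: str

def is_process_creation(ev: Event) -> bool:
    return (ev.source, ev.event_id) in {("sysmon", 1), ("security", 4688)}

def matches_selection(ev: Event, selection: dict = SELECTION) -> bool:
    """Evaluate a Sigma-like 'field|contains' selection case-insensitively."""
    fields = {"CommandLine": ev.command_line, "Image": ev.image}
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        haystack = fields.get(field, "")
        if modifier == "contains":
            if needle.lower() not in haystack.lower():
                return False
        elif haystack != needle:  # plain equality when no modifier is given
            return False
    return True

def detect(events: Iterable[Event]) -> list[Event]:
    """Return the events this rule would alert on."""
    return [ev for ev in events if is_process_creation(ev) and matches_selection(ev)]

# Constructed sample telemetry; C:\PLACEHOLDER stands in for the real cache path.
SAMPLE_EVENTS = [
    Event("sysmon", 1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c dir "C:\PLACEHOLDER\TokenCache.dat"'),
    Event("security", 4688, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe Copy-Item C:\PLACEHOLDER\tokencache.dat D:\backup"),
    Event("sysmon", 1, r"C:\Windows\System32\notepad.exe",
          r"notepad.exe C:\PLACEHOLDER\notes.txt"),
    # Sysmon 11 (FileCreate) carries no command line, so it is outside this rule's scope.
    Event("sysmon", 11, r"C:\Windows\explorer.exe", ""),
]
```

Security EventID 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, whereas Sysmon EventID 1 records it by default; without that policy the Security log source will never match this rule.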