Merge pull request #2999 from nterl0k/nterl0k-o365-azure-workload-1

Nterl0k [T1098]  - O365 Azure Workload things

detections/cloud/o365_application_available_to_other_tenants.yml

@@ -0,0 +1,65 @@
+name: O365 Application Available To Other Tenants
+id: 942548a3-0273-47a4-8dbd-e5202437395c
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source.
+data_source: 
+- Office 365 Universal Audit Log
+search: >
+  `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants
+  | eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',"AvailableToOtherTenants")),"false"),"removed",true(),"added"), object_name=mvindex('Target{}.ID', 3), signature=Operation, object_attrs = "AvailableToOtherTenants", user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
+  | search result = "added"
+  | stats values(ActorIpAddress) as src, count, min(_time) as firstTime, max(_time) as lastTime by signature, user, object, object_name, object_attrs, result
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_application_available_to_other_tenants_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Business approved changes by known administrators.
+references:
+- https://attack.mitre.org/techniques/T1098/
+- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/
+- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  - Azure Active Directory Account Takeover
+  - Data Exfiltration
+  asset_type: O365 Tenant
+  confidence: 100
+  impact: 50
+  message: An Azure Application [$object_name$] was configured by [$user$] as accessible to external tenants.
+  mitre_attack_id: 
+  - T1098.003
+  - T1098
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: object_name
+    type: Other
+    role:
+    - Attacker
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - Workload
+  - Target{}.ID
+  risk_score: 50
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365

detections/cloud/o365_cross_tenant_access_change.yml

@@ -0,0 +1,62 @@
+name: O365 Cross-Tenant Access Change
+id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration.
+data_source: 
+- Office 365 Universal Audit Log
+search: > 
+  `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.")
+  | eval user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
+  | stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation
+  | rename Operation as signature, Id as signature_id
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_cross_tenant_access_change_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Business approved changes by known administrators.
+references:
+- https://attack.mitre.org/techniques/T1484/002/
+- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
+- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
+- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  asset_type: O365 Tenant
+  confidence: 75
+  impact: 75
+  message: The user [$user$] changed the Azure cross-tenant access settings for $object_name$ $object_attrs$ [$signature$]
+  mitre_attack_id: 
+  - T1484.002
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: object_attrs
+    type: Other
+    role:
+    - Attacker
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - Workload
+  risk_score: 75
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365

detections/cloud/o365_external_guest_user_invited.yml

@@ -0,0 +1,64 @@
+name: O365 External Guest User Invited
+id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source.
+data_source: 
+- Office 365 Universal Audit Log
+search: > 
+  `o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]"
+  | eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
+  | rex field=user "(?<user>[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})"
+  | stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user
+  | rename Operation as signature, Id as signature_id
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_external_guest_user_invited_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Administrator may legitimately invite external guest users. Filter as needed.
+references:
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
+- https://attack.mitre.org/techniques/T1136/003/
+- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  asset_type: O365 Tenant
+  confidence: 50
+  impact: 50
+  message: Azure Guest User $user$ invited by $src_user$
+  mitre_attack_id: 
+  - T1136.003
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: src_user
+    type: User
+    role:
+    - Victim
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - Id
+  - Workload
+  risk_score: 25
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365

detections/cloud/o365_external_identity_policy_changed.yml

@@ -0,0 +1,64 @@
+name: O365 External Identity Policy Changed
+id: 29af1725-7a72-4d2d-8a18-e697e79a62d3
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`.
+data_source: 
+- Office 365 Universal Audit Log
+search: >
+  `o365_management_activity` Workload=AzureActiveDirectory Operation="Update policy." Target{}.ID="B2BManagementPolicy"
+  | eval object_attrs = mvindex('ModifiedProperties{}.NewValue',0), object_attrs_old = mvindex('ModifiedProperties{}.OldValue',0), object_name = mvindex('Target{}.ID',3), signature=Operation, user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
+  | spath input=object_attrs_old output=B2BOld path={}
+  | spath input=B2BOld
+  | rename B2BManagementPolicy.* as B2BManagementPolicyOld.*
+  | spath input=object_attrs output=B2BNew path={}
+  | spath input=B2BNew
+  | eval object_attrs = 'B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' , object_attrs_old = 'B2BManagementPolicyOld.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}'
+  | eval diff_add=mvmap(object_attrs,if(isnull(mvfind(object_attrs_old,object_attrs)),object_attrs,null))
+  | eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs,object_attrs_old)),object_attrs_old,null))
+  | eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted")
+  | stats values(object_attrs) as object_attrs, values(action) as action, values(result) as result, values(B2BManagementPolicy*) as B2BManagementPolicy*, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,object_name
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_external_identity_policy_changed_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Business approved changes by known administrators.
+references:
+- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360
+- https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  asset_type: O365 Tenant
+  confidence: 100
+  impact: 75
+  message: User $user$ changed the external identity [$object_name$] policy - $result$
+  mitre_attack_id: 
+  - T1136.003
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - Workload
+  risk_score: 75
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365

detections/cloud/o365_privileged_role_assigned.yml

@@ -0,0 +1,64 @@
+name: O365 Privileged Role Assigned
+id: db435700-4ddc-4c23-892e-49e7525d7d39
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
+data_source: 
+- Office 365 Universal Audit Log
+search: >
+  `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
+  | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
+  | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
+  | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
+  | search isprvilegedadrole="TRUE" category="User"
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_privileged_role_assigned_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Microsoft Privileged Identity Management (PIM) may cause false positives / less accurate alerting.
+references:
+- https://attack.mitre.org/techniques/T1098/003/
+- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
+- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
+tags:
+  analytic_story: 
+  - Azure Active Directory Persistence
+  asset_type: O365 Tenant
+  confidence: 100
+  impact: 75
+  message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$
+  mitre_attack_id: 
+  - T1098
+  - T1098.003
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: src_user
+    type: User
+    role:
+    - Victim
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - ObjectId
+  - Workload
+  risk_score: 75
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365

detections/cloud/o365_privileged_role_assigned_to_service_principal.yml

@@ -0,0 +1,65 @@
+name: O365 Privileged Role Assigned To Service Principal
+id: 80f3fc1b-705f-4080-bf08-f61bf013b900
+version: 1
+date: '2024-04-11'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
+data_source: 
+- Office 365 Universal Audit Log
+search: >
+  `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
+  | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
+  | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
+  | lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
+  | search isprvilegedadrole="TRUE" category!="User"
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_privileged_role_assigned_to_service_principal_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
+known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1098/003/
+- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
+- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+tags:
+  analytic_story: 
+  - Azure Active Directory Privilege Escalation
+  asset_type: O365 Tenant
+  confidence: 100
+  impact: 75
+  message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$
+  mitre_attack_id: 
+  - T1098
+  - T1098.003
+  observable: 
+  - name: user
+    type: User
+    role:
+    - Victim
+  - name: src_user
+    type: User
+    role:
+    - Victim
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - _time
+  - Operation
+  - ModifiedProperties{}.NewValue
+  - ModifiedProperties{}.Name
+  - UserId
+  - ObjectId
+  - Workload
+  risk_score: 75
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
+    sourcetype: o365:management:activity
+    source: o365