Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k [T1098] - O365 Azure Workload things #2999

Merged
merged 31 commits into from
Aug 7, 2024
Merged
Show file tree
Hide file tree
Changes from 26 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
7d0ab42
Add files via upload
nterl0k Apr 13, 2024
12d024d
Add files via upload
nterl0k Apr 13, 2024
2bcae0c
Update o365_application_available_to_other_tenants.yml
nterl0k Apr 20, 2024
8f4b5a9
Update o365_cross_tenant_access_change.yml
nterl0k Apr 20, 2024
7fce2ad
Update o365_external_guest_user_invited.yml
nterl0k Apr 20, 2024
c8f8fb2
Update o365_external_identity_policy_changed.yml
nterl0k Apr 20, 2024
fdeb58c
Update o365_privileged_role_assigned.yml
nterl0k Apr 20, 2024
0dae8e9
Update o365_privileged_role_assigned_to_service_principal.yml
nterl0k Apr 20, 2024
e5db5a1
Update o365_application_available_to_other_tenants.yml
nterl0k Apr 24, 2024
1b28384
Update o365_cross_tenant_access_change.yml
nterl0k Apr 24, 2024
28ed9a8
Update o365_external_identity_policy_changed.yml
nterl0k Apr 24, 2024
673d5a0
Update o365_external_guest_user_invited.yml
nterl0k Apr 24, 2024
3912130
Update o365_privileged_role_assigned.yml
nterl0k Apr 24, 2024
54ad055
Update o365_privileged_role_assigned_to_service_principal.yml
nterl0k Apr 24, 2024
86103ec
Update o365_application_available_to_other_tenants.yml
nterl0k May 4, 2024
fa0e309
Update o365_cross_tenant_access_change.yml
nterl0k May 4, 2024
0312cc1
Update o365_external_guest_user_invited.yml
nterl0k May 4, 2024
2037a3d
Update o365_external_identity_policy_changed.yml
nterl0k May 4, 2024
b1a7449
Update o365_privileged_role_assigned.yml
nterl0k May 4, 2024
f0b2e96
Update o365_privileged_role_assigned_to_service_principal.yml
nterl0k May 4, 2024
cc7efa1
Merge branch 'develop' into nterl0k-o365-azure-workload-1
patel-bhavin Jul 23, 2024
06b7396
Merge branch 'develop' into nterl0k-o365-azure-workload-1
ljstella Jul 24, 2024
6374f40
Formatting search blocks and fixed tags.asset_type
ljstella Jul 24, 2024
a244a95
Removing quotes around search as they're no longer needed
ljstella Jul 25, 2024
76ccb51
Merge branch 'develop' into nterl0k-o365-azure-workload-1
ljstella Jul 25, 2024
048f73d
Datestamped lookup
ljstella Jul 25, 2024
ca30ffc
Updating lookup name
ljstella Aug 7, 2024
f01f695
Updating datestamp
ljstella Aug 7, 2024
0091d78
Account for new name
ljstella Aug 7, 2024
8638136
Merge branch 'develop' into nterl0k-o365-azure-workload-1
ljstella Aug 7, 2024
5f30d29
Remove old version
ljstella Aug 7, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
name: O365 Application Available To Other Tenants
id: 942548a3-0273-47a4-8dbd-e5202437395c
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies the configuration of Azure Active Directory Applications in a manner that allows authentication from external tenants or personal accounts. This configuration can lead to inappropriate or malicious access of any data or capabilities the application is allowed to access. This detection leverages the O365 Universal Audit Log data source.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add application.","Update application.") ModifiedProperties{}.Name=AvailableToOtherTenants
| eval result = case(match(mvindex('ModifiedProperties{}.NewValue',mvfind('ModifiedProperties{}.Name',"AvailableToOtherTenants")),"false"),"removed",true(),"added"), object_name=mvindex('Target{}.ID', 3), signature=Operation, object_attrs = "AvailableToOtherTenants", user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| search result = "added"
| stats values(ActorIpAddress) as src, count, min(_time) as firstTime, max(_time) as lastTime by signature, user, object, object_name, object_attrs, result
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_application_available_to_other_tenants_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Business approved changes by known administrators.
references:
- https://attack.mitre.org/techniques/T1098/
- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/
- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
tags:
analytic_story:
- Azure Active Directory Persistence
- Azure Active Directory Account Takeover
- Data Exfiltration
asset_type: O365 Tenant
confidence: 100
impact: 50
message: An Azure Application [$object_name$] was configured by [$user$] as accessible to external tenants.
mitre_attack_id:
- T1098.003
- T1098
observable:
- name: user
type: User
role:
- Victim
- name: object_name
type: Other
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Workload
- Target{}.ID
risk_score: 50
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
62 changes: 62 additions & 0 deletions detections/cloud/o365_cross_tenant_access_change.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
name: O365 Cross-Tenant Access Change
id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.")
| eval user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation
| rename Operation as signature, Id as signature_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_cross_tenant_access_change_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Business approved changes by known administrators.
references:
- https://attack.mitre.org/techniques/T1484/002/
- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
tags:
analytic_story:
- Azure Active Directory Persistence
asset_type: O365 Tenant
confidence: 75
impact: 75
message: The user [$user$] changed the Azure cross-tenant access settings for $object_name$ $object_attrs$ [$signature$]
mitre_attack_id:
- T1484.002
observable:
- name: user
type: User
role:
- Victim
- name: object_attrs
type: Other
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Workload
risk_score: 75
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
64 changes: 64 additions & 0 deletions detections/cloud/o365_external_guest_user_invited.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: O365 External Guest User Invited
id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]"
| eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| rex field=user "(?<user>[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})"
| stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user
| rename Operation as signature, Id as signature_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_external_guest_user_invited_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Administrator may legitimately invite external guest users. Filter as needed.
references:
- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
- https://attack.mitre.org/techniques/T1136/003/
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
tags:
analytic_story:
- Azure Active Directory Persistence
asset_type: O365 Tenant
confidence: 50
impact: 50
message: Azure Guest User $user$ invited by $src_user$
mitre_attack_id:
- T1136.003
observable:
- name: user
type: User
role:
- Victim
- name: src_user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Id
- Workload
risk_score: 25
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
64 changes: 64 additions & 0 deletions detections/cloud/o365_external_identity_policy_changed.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: O365 External Identity Policy Changed
id: 29af1725-7a72-4d2d-8a18-e697e79a62d3
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies when changes are made to the external guest policies within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. This detection also attempts to highlight what may have changed. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update policy." Target{}.ID="B2BManagementPolicy"
| eval object_attrs = mvindex('ModifiedProperties{}.NewValue',0), object_attrs_old = mvindex('ModifiedProperties{}.OldValue',0), object_name = mvindex('Target{}.ID',3), signature=Operation, user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| spath input=object_attrs_old output=B2BOld path={}
| spath input=B2BOld
| rename B2BManagementPolicy.* as B2BManagementPolicyOld.*
| spath input=object_attrs output=B2BNew path={}
| spath input=B2BNew
| eval object_attrs = 'B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}' , object_attrs_old = 'B2BManagementPolicyOld.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains{}'
| eval diff_add=mvmap(object_attrs,if(isnull(mvfind(object_attrs_old,object_attrs)),object_attrs,null))
| eval diff_remove=mvmap(object_attrs_old,if(isnull(mvfind(object_attrs,object_attrs_old)),object_attrs_old,null))
| eval result = case(isnotnull(diff_add),"Added ".mvjoin(diff_add,","),isnotnull(diff_remove),"Removed ".mvjoin(diff_remove,",")), action = case(isnotnull(diff_add),"created",isnotnull(diff_remove),"deleted")
| stats values(object_attrs) as object_attrs, values(action) as action, values(result) as result, values(B2BManagementPolicy*) as B2BManagementPolicy*, count, min(_time) as firstTime, max(_time) as lastTime by user,signature,object_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_external_identity_policy_changed_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Business approved changes by known administrators.
references:
- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360
- https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview
tags:
analytic_story:
- Azure Active Directory Persistence
asset_type: O365 Tenant
confidence: 100
impact: 75
message: User $user$ changed the external identity [$object_name$] policy - $result$
mitre_attack_id:
- T1136.003
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Workload
risk_score: 75
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
64 changes: 64 additions & 0 deletions detections/cloud/o365_privileged_role_assigned.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: O365 Privileged Role Assigned
id: db435700-4ddc-4c23-892e-49e7525d7d39
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
| eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
| search isprvilegedadrole="TRUE" category="User"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_role_assigned_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Administrators will legitimately assign the privileged roles users as part of administrative tasks. Microsoft Privileged Identity Management (PIM) may cause false positives / less accurate alerting.
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
tags:
analytic_story:
- Azure Active Directory Persistence
asset_type: O365 Tenant
confidence: 100
impact: 75
message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$
mitre_attack_id:
- T1098
- T1098.003
observable:
- name: user
type: User
role:
- Victim
- name: src_user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- ObjectId
- Workload
risk_score: 75
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
name: O365 Privileged Role Assigned To Service Principal
id: 80f3fc1b-705f-4080-bf08-f61bf013b900
version: 1
date: '2024-04-11'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
data_source:
- Office 365 Universal Audit Log
search: >
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
| eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
| stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature
| lookup privileged_azure_ad_roles azuretemplateid as object_id OUTPUT isprvilegedadrole
| search isprvilegedadrole="TRUE" category!="User"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_role_assigned_to_service_principal_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Administrators may legitimately assign the privileged roles to Service Principals as part of administrative tasks. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
tags:
analytic_story:
- Azure Active Directory Privilege Escalation
asset_type: O365 Tenant
confidence: 100
impact: 75
message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$
mitre_attack_id:
- T1098
- T1098.003
observable:
- name: user
type: User
role:
- Victim
- name: src_user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- ObjectId
- Workload
risk_score: 75
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
sourcetype: o365:management:activity
source: o365
Loading
Loading