Description

Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change
  • Last Updated: 2023-10-17
  • Author: Mauricio Velazco, Patrick Bareiss, Splunk
  • ID: d230a106-0475-4605-a8d8-abaf4c31ced7

Narrative

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory (now Microsoft Entra ID) for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, and therefore a prime target. The "Office 365 Persistence Mechanisms" analytic story covers the tactics and techniques attackers use to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to the methods adversaries use to keep their foothold after an initial compromise: for example, modifying mailbox rules, establishing covert forwarding rules, adding credentials or permissions to applications and service principals, registering additional MFA methods, or federating a new domain under their control. Many of these actions are legitimate administrative operations, so the detections below key on the specific audit-log operations involved and on their frequency, rather than on the operation alone. By monitoring for these signs of persistence, organizations can detect and respond to stealthy threats and protect their O365 assets and data.

Detections

Name | Technique | Type
O365 Add App Role Assignment Grant User | Cloud Account, Create Account | TTP
O365 Added Service Principal | Cloud Account, Create Account | TTP
O365 Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP
O365 Advanced Audit Disabled | Impair Defenses, Disable or Modify Cloud Logs | TTP
O365 Application Registration Owner Added | Account Manipulation | TTP
O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 Bypass MFA via Trusted IP | Disable or Modify Cloud Firewall, Impair Defenses | TTP
O365 Disable MFA | Modify Authentication Process | TTP
O365 FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP
O365 High Privilege Role Granted | Account Manipulation, Additional Cloud Roles | TTP
O365 Multiple Service Principals Created by SP | Cloud Account | Anomaly
O365 Multiple Service Principals Created by User | Cloud Account | Anomaly
O365 New Federated Domain Added | Cloud Account, Create Account | TTP
O365 New MFA Method Registered | Account Manipulation, Device Registration | TTP
O365 Privileged Graph API Permission Assigned | Security Account Manager | TTP
O365 Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP
O365 Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP
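The following is an added example, not code from this page or from Splunk's security content: three of the detections in the table above (one TTP on service-principal credentials, one TTP on domain federation, and the "created by User" anomaly) re-implemented in plain Python over a handful of constructed Office 365 Unified Audit Log records, to make explicit what each search keys on. Splunk's own detections are SPL over the o365:management:activity sourcetype and are not reproduced here. The Operation strings are assumed to be the ones the AzureActiveDirectory workload of the Management Activity API emits for these actions, the record layout is simplified to the fields used, and the anomaly threshold (three new service principals by one user within ten minutes) is an illustrative value, not Splunk's.

```python
"""Added example (not from the Splunk page): three O365 persistence detections
re-implemented over constructed Unified Audit Log records.

Assumptions not stated on the page: Operation strings follow the Management
Activity API's AzureActiveDirectory workload, records are trimmed to the fields
used, and the anomaly threshold/window are illustrative."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not data from a real tenant.
SAMPLE_LOG = [
    {"CreationTime": "2023-10-17T10:00:05", "Operation": "Add service principal credentials.",
     "UserId": "alice@contoso.example", "ResultStatus": "Success",
     "Target": [{"ID": "Backup-Sync-App"}]},
    {"CreationTime": "2023-10-17T10:02:00", "Operation": "Set federation settings on domain.",
     "UserId": "alice@contoso.example", "ResultStatus": "Success",
     "Target": [{"ID": "contoso-partner.example"}]},
    {"CreationTime": "2023-10-17T10:05:00", "Operation": "Add service principal.",
     "UserId": "bob@contoso.example", "ResultStatus": "Success", "Target": [{"ID": "sp-1"}]},
    {"CreationTime": "2023-10-17T10:06:30", "Operation": "Add service principal.",
     "UserId": "bob@contoso.example", "ResultStatus": "Success", "Target": [{"ID": "sp-2"}]},
    {"CreationTime": "2023-10-17T10:09:10", "Operation": "Add service principal.",
     "UserId": "bob@contoso.example", "ResultStatus": "Success", "Target": [{"ID": "sp-3"}]},
    # carol creates two service principals 2.5 hours apart: normal admin work.
    {"CreationTime": "2023-10-17T09:00:00", "Operation": "Add service principal.",
     "UserId": "carol@contoso.example", "ResultStatus": "Success", "Target": [{"ID": "sp-a"}]},
    {"CreationTime": "2023-10-17T11:30:00", "Operation": "Add service principal.",
     "UserId": "carol@contoso.example", "ResultStatus": "Success", "Target": [{"ID": "sp-b"}]},
    # A failed attempt: ignored, since no credential was actually added.
    {"CreationTime": "2023-10-17T10:11:00", "Operation": "Add service principal credentials.",
     "UserId": "mallory@contoso.example", "ResultStatus": "Failure",
     "Target": [{"ID": "Backup-Sync-App"}]},
    # Unrelated Exchange noise.
    {"CreationTime": "2023-10-17T10:12:00", "Operation": "MailItemsAccessed",
     "UserId": "dave@contoso.example", "ResultStatus": "Succeeded", "Target": []},
]


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _succeeded(rec):
    # Azure AD workload records say "Success"; Exchange records say "Succeeded".
    return rec.get("ResultStatus") in ("Success", "Succeeded")


def sp_new_client_credentials(records):
    """O365 Service Principal New Client Credentials (TTP): a secret or certificate
    was added to an existing service principal, giving app-level access that
    survives a reset of the operator's own password. Returns [(actor, app), ...]."""
    return [(r["UserId"], r["Target"][0]["ID"]) for r in records
            if r["Operation"] == "Add service principal credentials." and _succeeded(r)]


def new_federated_domain(records):
    """O365 New Federated Domain Added (TTP): federation settings were set on a
    domain. With an attacker-controlled IdP, tokens can be minted for any user in
    that domain. Returns [(actor, domain), ...]."""
    return [(r["UserId"], r["Target"][0]["ID"]) for r in records
            if r["Operation"] == "Set federation settings on domain." and _succeeded(r)]


def multiple_sps_by_user(records, threshold=3, window_minutes=10):
    """O365 Multiple Service Principals Created by User (Anomaly): one user creates
    `threshold` or more service principals inside any `window_minutes` span.
    Sliding window over sorted timestamps, so a slow drip is not flagged.
    Returns the sorted list of flagged UserIds."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "Add service principal." and _succeeded(r):
            by_user[r["UserId"]].append(_when(r))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def run_story(records):
    """Run the three detections; returns {detection name: hits}."""
    return {
        "O365 Service Principal New Client Credentials": sp_new_client_credentials(records),
        "O365 New Federated Domain Added": new_federated_domain(records),
        "O365 Multiple Service Principals Created by User": multiple_sps_by_user(records),
    }


if __name__ == "__main__":
    for name, hits in run_story(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Run against the sample, the two TTP detections each fire once on alice's actions, and the anomaly fires only for bob: carol's two service principals fall outside the ten-minute window and mallory's failed credential add is dropped by the success filter. Widening the window (for example, threshold 2 over 180 minutes) also flags carol, which is the trade-off every count-based anomaly makes between catching slow attackers and paging on routine administration.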

Reference

source | version: 1