O365 Privileged Graph API Permission Assigned
Description
This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-01-30
- Author: Mauricio Velazco, Splunk
- ID: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application."
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| spath input=newvalue
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_graph_api_permission_assigned_filter`
Macros
The SPL above uses the following Macros:
o365_privileged_graph_api_permission_assigned_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Workload
- Operation
- ModifiedProperties{}.NewValue
- RequiredAppPermissions{}.EntitlementId
- user
- object
- user_agent
- Operation
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
54.0 | 90 | 60 | User $user$ assigned privileged Graph API permissions to $object$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://cloudbrothers.info/en/azure-attack-paths/
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1