| ID | Technique | Tactic |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1530 | Data from Cloud Storage | Collection |
Detection: O365 Exfiltration via File Access
Description
The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
Search
1`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
2
3| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
4
5| where NOT match(SiteUrl,user_flat)
6
7| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
8
9| eventstats avg(count) as avg stdev(count) as stdev by Workload
10
11| rename SiteUrl as file_path,Workload as app
12
13| where count > 50 AND count > (avg + (3*(stdev)))
14
15| `security_content_ctime(firstTime)`
16
17| `security_content_ctime(lastTime)`
18
19| `o365_exfiltration_via_file_access_filter`
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_exfiltration_via_file_access_filter | search * |
o365_exfiltration_via_file_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 20 | src |
References
-
https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
-
https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1