
Description

The following analytic detects the assignment of critical Graph API permissions in Azure AD using the O365 Unified Audit Log. It focuses on permissions such as Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. The detection method leverages Azure Active Directory workload events, specifically 'Update application' operations. This activity is significant as these permissions provide extensive control over Azure AD settings, posing a high risk if misused. If confirmed malicious, this could allow unauthorized modifications, leading to potential data breaches or privilege escalation. Immediate investigation is crucial.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-05-14
  • Author: Mauricio Velazco, Splunk
  • ID: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb

Annotations

ATT&CK

ID         Technique                 Tactic
T1003.002  Security Account Manager  Credential Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." 
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) 
| spath input=newvalue  
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"  
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' 
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_privileged_graph_api_permission_assigned_filter`
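To make the pipeline above testable offline, here is an added Python re-implementation of the same logic (example code, not part of the Splunk detection or the Splunk Security Content project). It takes the first `ModifiedProperties{}.NewValue` entry, parses it as JSON, collects every `RequiredAppPermissions{}.EntitlementId`, matches the three entitlement IDs from the SPL, and aggregates by user, object, user agent and operation, attaching the RBA fields from the table below. Assumptions: the entitlement IDs are paired with the permission names from the description in the same order; the add-on's `user`/`object`/`user_agent` fields correspond to the raw `UserId`/`ObjectId`/`UserAgent` audit fields; all audit records, user names and object IDs are constructed sample data.

```python
import json

# Entitlement IDs from the SPL, paired with the permission names in the description
# in the same order (pairing assumed from the page, not looked up elsewhere).
PRIVILEGED_ENTITLEMENTS = {
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"      # Microsoft Graph resource app id
PLACEHOLDER_LOW_PRIV = "00000000-0000-0000-0000-000000000001"  # constructed, not a real permission


def extract_entitlements(event):
    """Mirror of `eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) | spath`:
    only the FIRST ModifiedProperties entry is parsed, exactly as the SPL does."""
    props = event.get("ModifiedProperties") or []
    if not props:
        return []
    try:
        parsed = json.loads(props[0].get("NewValue") or "")
    except json.JSONDecodeError:
        return []
    if not isinstance(parsed, list):        # spath would yield no RequiredAppPermissions fields
        return []
    ids = []
    for resource in parsed:
        for perm in resource.get("RequiredAppPermissions") or []:
            if perm.get("EntitlementId"):
                ids.append(perm["EntitlementId"])
    return ids


def detect(events, impact=90, confidence=60):
    """Search + stats: keep AzureActiveDirectory 'Update application.' records whose first
    NewValue carries a privileged entitlement, group by (user, object, user_agent, Operation)."""
    buckets = {}
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "Update application.":
            continue
        names = {PRIVILEGED_ENTITLEMENTS[i] for i in extract_entitlements(ev) if i in PRIVILEGED_ENTITLEMENTS}
        if not names:
            continue
        # Raw audit fields; the add-on's CIM aliases user/object/user_agent are assumed to map onto them.
        key = (ev.get("UserId"), ev.get("ObjectId"), ev.get("UserAgent"), ev["Operation"])
        b = buckets.setdefault(key, {"count": 0, "firstTime": ev["CreationTime"],
                                     "lastTime": ev["CreationTime"], "Permissions": set()})
        b["count"] += 1
        b["firstTime"] = min(b["firstTime"], ev["CreationTime"])   # ISO-8601 strings sort chronologically
        b["lastTime"] = max(b["lastTime"], ev["CreationTime"])
        b["Permissions"] |= names
    findings = []
    for (user, obj, ua, op), b in sorted(buckets.items(), key=lambda kv: str(kv[0])):
        findings.append({
            "user": user, "object": obj, "user_agent": ua, "Operation": op,
            "count": b["count"], "firstTime": b["firstTime"], "lastTime": b["lastTime"],
            "Permissions": sorted(b["Permissions"]),
            "risk_score": impact * confidence / 100,   # RBA formula from the page: 90 * 60 / 100 = 54.0
            "risk_message": f"User {user} assigned privileged Graph API permissions to {obj}",
        })
    return findings


def _update_app_event(time, user, obj, entitlement_ids):
    """Build a constructed 'Update application.' audit record in the shape the SPL expects."""
    new_value = json.dumps([{"ResourceAppId": GRAPH_APP_ID,
                             "RequiredAppPermissions": [{"EntitlementId": e, "DirectAccessGrant": True}
                                                        for e in entitlement_ids]}])
    return {"CreationTime": time, "Workload": "AzureActiveDirectory", "Operation": "Update application.",
            "UserId": user, "ObjectId": obj, "UserAgent": "Mozilla/5.0 (constructed)",
            "ModifiedProperties": [{"Name": "RequiredResourceAccess", "NewValue": new_value, "OldValue": "[]"}]}


# Constructed sample records, not real tenant data.
SAMPLE_EVENTS = [
    _update_app_event("2024-05-14T10:01:00", "admin@contoso.example", "Application_app-1",
                      ["1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", PLACEHOLDER_LOW_PRIV]),
    _update_app_event("2024-05-14T10:05:00", "admin@contoso.example", "Application_app-1",
                      ["06b708a9-e830-4db3-a914-8e69da51d44f"]),
    _update_app_event("2024-05-14T11:00:00", "dev@contoso.example", "Application_app-2",
                      [PLACEHOLDER_LOW_PRIV]),                       # benign: no privileged entitlement
    {"CreationTime": "2024-05-14T11:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal.", "UserId": "dev@contoso.example",
     "ObjectId": "ServicePrincipal_sp-1", "UserAgent": "x", "ModifiedProperties": []},
    _update_app_event("2024-05-14T12:00:00", "admin@contoso.example", "Application_app-3",
                      ["9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"]),
]
# Record 5 gets a DisplayName change inserted BEFORE RequiredResourceAccess, so mvindex(...,0)
# parses the wrong property and the SPL (and this mirror) miss the privileged grant.
SAMPLE_EVENTS[4]["ModifiedProperties"].insert(
    0, {"Name": "DisplayName", "NewValue": "\"renamed app\"", "OldValue": "\"old name\""})

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Running it yields one finding for `admin@contoso.example` on `Application_app-1` with `count` 2 and both privileged permissions listed. The fifth record is deliberately not detected: because the SPL reads only index 0 of `ModifiedProperties{}.NewValue`, an update whose RequiredResourceAccess change is not the first modified property is missed, which is worth knowing when tuning or extending this search.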

Macros

The SPL above uses the following Macros:

  • o365_management_activity
  • security_content_ctime
  • o365_privileged_graph_api_permission_assigned_filter

:information_source: o365_privileged_graph_api_permission_assigned_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Workload
  • Operation
  • ModifiedProperties{}.NewValue
  • RequiredAppPermissions{}.EntitlementId
  • user
  • object
  • user_agent

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.

Known False Positives

Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.

Associated Analytic Story

RBA

Risk Score  Impact  Confidence  Message
54.0        90      60          User $user$ assigned privileged Graph API permissions to $object$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2