
Description

This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically 'Update application' operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-01-30
  • Author: Mauricio Velazco, Splunk
  • ID: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb

Annotations

ATT&CK

  • ID: T1003.002
  • Technique: Security Account Manager
  • Tactic: Credential Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application." 
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0) 
| spath input=newvalue  
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"  
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' 
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_privileged_graph_api_permission_assigned_filter`
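As an added illustration (not part of the Splunk analytic or its test data), the same check re-implemented in Python over a constructed O365 audit event. It goes slightly beyond the SPL: every RequiredAppPermissions entry in ModifiedProperties is inspected rather than only the first NewValue, and entitlement IDs already present in OldValue are ignored so a re-save of an unchanged manifest does not alert. Field names follow the O365 Management Activity schema; the sample event and its placeholder GUID are constructed.

```python
import json

# The three Graph API permission entitlement IDs named by this detection.
PRIVILEGED_ENTITLEMENTS = {
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
}

def entitlement_ids(value):
    """Parse the JSON string held in NewValue/OldValue into a set of EntitlementIds."""
    try:
        entries = json.loads(value or "[]")
    except json.JSONDecodeError:
        return set()
    return {e.get("EntitlementId") for e in entries if isinstance(e, dict)}

def privileged_permissions_added(event):
    """Names of privileged permissions newly granted by an 'Update application.' event.

    Same filter as the SPL (Workload, Operation, RequiredAppPermissions EntitlementId),
    but every RequiredAppPermissions entry is checked, not just the first NewValue, and
    IDs already present in OldValue are ignored so unchanged grants do not alert."""
    if event.get("Workload") != "AzureActiveDirectory":
        return []
    if event.get("Operation") != "Update application.":
        return []
    added = set()
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "RequiredAppPermissions":
            new_ids = entitlement_ids(prop.get("NewValue"))
            old_ids = entitlement_ids(prop.get("OldValue"))
            added |= (new_ids - old_ids) & set(PRIVILEGED_ENTITLEMENTS)
    return sorted(PRIVILEGED_ENTITLEMENTS[i] for i in added)

# Constructed sample event (not a real tenant record). The unchanged entitlement uses a
# placeholder GUID; the added one is RoleManagement.ReadWrite.Directory from the page.
SAMPLE_EVENT = {
    "Workload": "AzureActiveDirectory",
    "Operation": "Update application.",
    "ModifiedProperties": [{
        "Name": "RequiredAppPermissions",
        "OldValue": json.dumps([{"EntitlementId": "00000000-0000-0000-0000-000000000001"}]),
        "NewValue": json.dumps([
            {"EntitlementId": "00000000-0000-0000-0000-000000000001"},
            {"EntitlementId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "DirectAccessGrant": True},
        ]),
    }],
}
```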

Macros

The SPL above uses the following Macros:

  • o365_management_activity
  • security_content_ctime
  • o365_privileged_graph_api_permission_assigned_filter

Note: o365_privileged_graph_api_permission_assigned_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Workload
  • Operation
  • ModifiedProperties{}.NewValue
  • RequiredAppPermissions{}.EntitlementId
  • user
  • object
  • user_agent

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.

Known False Positives

Privileged Graph API permissions may be assigned for legitimate purposes. Filter as needed.

Associated Analytic Story

RBA

  • Risk Score: 54.0
  • Impact: 90
  • Confidence: 60
  • Message: User $user$ assigned privileged Graph API permissions to $object$

Note: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1