Azure AD FullAccessAsApp Permission Assigned
Description
The following analytic identifies when the 'full_access_as_app' permission, marked by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40', is assigned to an application within Office 365 Exchange Online, identified by ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. This permission grants broad control over Office 365 operations, including full access to all mailboxes and the capability to send emails as any user. The query utilizes the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This monitoring is crucial for early detection of potential unauthorized access or data exfiltration, as the 'full_access_as_app' permission could lead to significant security incidents if exploited.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-01-29
- Author: Mauricio Velazco, Splunk
- ID: ae286126-f2ad-421c-b240-4ea83bd1c43a
Annotations
ATT&CK
Kill Chain Phase
- Installation
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
`azure_monitor_aad` category=AuditLogs operationName="Update application"
| eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0)
| spath input=newvalue
| search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_fullaccessasapp_permission_assigned_filter`
Macros
The SPL above uses the following Macros:
azure_ad_fullaccessasapp_permission_assigned_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
Known False Positives
The full_access_as_app API permission may be assigned to legitimate applications. Filter as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
48.0 | 80 | 60 | User $user$ assigned the full_access_as_app permission to the app registration $object$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- https://attack.mitre.org/techniques/T1098/002/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1