ID | Technique | Tactic |
---|---|---|
T1098 | Account Manipulation | Persistence |
T1098.003 | Additional Cloud Roles | Privilege Escalation |
Detection: O365 High Privilege Role Granted
Description
The following analytic detects when high-privilege roles such as "Exchange Administrator," "SharePoint Administrator," or "Global Administrator" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.
Search
1`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory
2| eval role_id = mvindex('ModifiedProperties{}.NewValue',2)
3| eval role_name = mvindex('ModifiedProperties{}.NewValue',1)
4| where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10")
5| stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `o365_high_privilege_role_granted_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
O365 Add member to role. | N/A | 'o365:management:activity' |
'o365' |
Macros Used
Name | Value |
---|---|
o365_management_activity | sourcetype=o365:management:activity |
o365_high_privilege_role_granted_filter | search * |
o365_high_privilege_role_granted_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Privilege roles may be assigned for legitimate purposes, filter as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
$user$ granted high privilege roles to $ObjectId$ | 48 | 80 | 60 |
References
-
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
-
https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3