O365 Suspicious Rights Delegation
Description
This search detects the assignment of rights to access content from another mailbox, i.e. an Add-MailboxPermission operation that grants FullAccess, SendAs or SendOnBehalf. Such rights are usually only assigned to a service account. In the Exchange cmdlet, Identity is the mailbox being shared and User is the trustee receiving access, which is why the search renames them to dest_user and src_user respectively; the actor who ran the cmdlet is carried in user.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-15
- Author: Patrick Bareiss, Splunk
- ID: b25d2973-303e-47c8-bacd-52b61604c6a7
Annotations
ATT&CK
Kill Chain Phase
- Actions on Objectives
NIST
- DE.DP
- DE.AE
CIS20
- CIS 16
CVE
Search
`o365_management_activity` Operation=Add-MailboxPermission
| spath input=Parameters
| rename User AS src_user, Identity AS dest_user
| search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
|`o365_suspicious_rights_delegation_filter`
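The following is an added, stand-alone re-implementation of the search logic above in Python; it is not part of the Splunk Security Content project. It runs the same filter and aggregation over a few constructed o365:management:activity-style events (the CreationTime and UserId field names, and the sample values, are assumptions). It goes slightly beyond the SPL in two places: Parameters is accepted either as the raw Exchange audit array of Name/Value pairs or as a flat object, and a combined AccessRights value such as `{FullAccess, ReadPermission}` is split so that each suspicious right still produces a row. The allowlisted_src_users argument plays the role of the empty o365_suspicious_rights_delegation_filter macro.

```python
"""Offline re-implementation of the O365 Suspicious Rights Delegation search (added example)."""
import json
from datetime import datetime, timezone

# Rights the SPL treats as suspicious when granted on another mailbox.
SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Constructed sample events (not real tenant data). Field names follow the
# o365:management:activity shape; CreationTime/UserId are assumptions.
SAMPLE_EVENTS = [
    {"CreationTime": "2020-12-15T10:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "svc-backup@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Same grant repeated five minutes later, with Parameters as a flat JSON string
    # (the shape `spath input=Parameters` consumes directly).
    {"CreationTime": "2020-12-15T10:05:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": '{"Identity": "ceo@example.com", "User": "svc-backup@example.com", '
                   '"AccessRights": "FullAccess"}'},
    # Combined rights value: SendAs is suspicious, ReadPermission is not.
    {"CreationTime": "2020-12-15T10:10:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "User", "Value": "contractor@example.com"},
                    {"Name": "AccessRights", "Value": "{SendAs, ReadPermission}"}]},
    # Non-suspicious right only: must not produce a row.
    {"CreationTime": "2020-12-15T10:15:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "User", "Value": "contractor@example.com"},
                    {"Name": "AccessRights", "Value": "ReadPermission"}]},
    # Different operation: filtered out by the Operation= clause.
    {"CreationTime": "2020-12-15T10:20:00", "Operation": "Remove-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "svc-backup@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
]


def parse_parameters(raw):
    """Flatten Parameters into {Name: Value}. Accepts a JSON string or a parsed
    object, in either the Exchange audit array form or an already-flat object."""
    if isinstance(raw, str):
        raw = json.loads(raw)
    if isinstance(raw, list):
        return {p["Name"]: p["Value"] for p in raw if "Name" in p}
    if isinstance(raw, dict):
        return dict(raw)
    return {}


def normalize_rights(value):
    """Split 'FullAccess' or '{FullAccess, ReadPermission}' into a set of right
    names (the braces/comma layout is the assumed Exchange formatting)."""
    return {r.strip() for r in str(value).strip("{}").split(",") if r.strip()}


def to_epoch(creation_time):
    """CreationTime is UTC without a zone designator; return epoch seconds."""
    return datetime.fromisoformat(creation_time).replace(tzinfo=timezone.utc).timestamp()


def detect(events, allowlisted_src_users=frozenset()):
    """Mirror the SPL: filter Operation and AccessRights, then aggregate count,
    firstTime and lastTime by (user, src_user, dest_user, Operation, AccessRights)."""
    rows = {}
    for ev in events:
        if ev.get("Operation") != "Add-MailboxPermission":
            continue
        params = parse_parameters(ev.get("Parameters", {}))
        src_user = params.get("User")        # trustee being granted access
        dest_user = params.get("Identity")   # mailbox being opened up
        if not src_user or not dest_user or src_user in allowlisted_src_users:
            continue
        ts = to_epoch(ev["CreationTime"])
        for right in sorted(normalize_rights(params.get("AccessRights", "")) & SUSPICIOUS_RIGHTS):
            key = (ev.get("UserId"), src_user, dest_user, ev["Operation"], right)
            row = rows.setdefault(key, {"user": key[0], "src_user": src_user, "dest_user": dest_user,
                                        "Operation": key[3], "AccessRights": right,
                                        "count": 0, "firstTime": ts, "lastTime": ts})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], ts)
            row["lastTime"] = max(row["lastTime"], ts)
    return sorted(rows.values(), key=lambda r: (r["firstTime"], r["src_user"], r["AccessRights"]))


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the module prints two rows: the repeated FullAccess grant to svc-backup (count 2, firstTime/lastTime five minutes apart) and the single SendAs grant to the contractor; passing `allowlisted_src_users={"svc-backup@example.com"}` to `detect` suppresses the first, which is how the filter macro would be used for a known service account.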
Macros
The SPL above uses the following Macros:
- o365_management_activity
- security_content_ctime
- o365_suspicious_rights_delegation_filter
Note that o365_suspicious_rights_delegation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
- Operation
- Parameters
How To Implement
You must install the Splunk Add-on for Microsoft Office 365. This search works with the o365:management:activity sourcetype.
Known False Positives
Service accounts that are legitimately granted access to other mailboxes (for example backup or migration tooling). Exclude them through the o365_suspicious_rights_delegation_filter macro rather than by editing the search.
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
48.0 | 80 | 60 | User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1