Analytics Story: Office 365 Persistence Mechanisms
Description
Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.
Why it matters
Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, and also a prime target for security threats. The "Office 365 Persistence Mechanisms" analytic story covers the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to the methods adversaries use to keep their foothold after an initial compromise. This can involve actions such as modifying mailbox rules, establishing covert forwarding rules, or manipulating application permissions. By monitoring for signs of persistence, organizations can detect and respond to stealthy threats and thereby protect their O365 assets and data.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
O365 | N/A | o365:management:activity | o365 |
O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365 |
O365 Add app role assignment to service principal. | N/A | o365:management:activity | o365 |
O365 Add member to role. | N/A | o365:management:activity | o365 |
O365 Add owner to application. | N/A | o365:management:activity | o365 |
O365 Add service principal. | N/A | o365:management:activity | o365 |
O365 Change user license. | N/A | o365:management:activity | o365 |
O365 Consent to application. | N/A | o365:management:activity | o365 |
O365 Disable Strong Authentication. | N/A | o365:management:activity | o365 |
O365 ModifyFolderPermissions | N/A | o365:management:activity | o365 |
O365 Set Company Information. | N/A | o365:management:activity | o365 |
O365 Update application. | N/A | o365:management:activity | o365 |
O365 Update user. | N/A | o365:management:activity | o365 |
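The following is an added example, not code from the original story or from the Splunk security content project: a small Python filter that reads o365:management:activity records (one JSON object per line), keeps only the operations named in the data-source table above, drops failed attempts, and counts hits per acting user so that one account touching several persistence-relevant operations in a short window stands out. The operation names are copied from the table; note that the Azure AD operations carry a trailing period in the audit feed, so the match is exact rather than a prefix match. The success markers in ResultStatus and the sample records are assumptions constructed for this example.

```python
import json
from collections import Counter

# Operation names exactly as listed in the story's data-source table,
# lower-cased. The trailing period on the Azure AD operations is part of the
# name in the management activity feed, so an exact match is used on purpose.
PERSISTENCE_OPERATIONS = {
    "add app role assignment grant to user.",
    "add app role assignment to service principal.",
    "add member to role.",
    "add owner to application.",
    "add service principal.",
    "change user license.",
    "consent to application.",
    "disable strong authentication.",
    "modifyfolderpermissions",
    "set company information.",
    "update application.",
    "update user.",
}

# Assumed values of ResultStatus that indicate the operation succeeded
# (Azure AD events use "Success", Exchange events use "Succeeded"/"True").
SUCCESS_MARKERS = {"success", "succeeded", "true"}


def normalise_operation(operation):
    """Collapse internal whitespace and case; keep the trailing period."""
    return " ".join(operation.split()).lower()


def is_persistence_operation(operation):
    return normalise_operation(operation) in PERSISTENCE_OPERATIONS


def parse_audit_lines(text):
    """One JSON record per line, as exported from the management activity API."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_persistence_events(records, successful_only=True):
    """Return the records whose Operation is in the story's watch-list."""
    hits = []
    for rec in records:
        operation = rec.get("Operation", "")
        if not is_persistence_operation(operation):
            continue
        status = str(rec.get("ResultStatus", "")).lower()
        if successful_only and status not in SUCCESS_MARKERS:
            continue  # a failed attempt is still worth a look, but not an alert here
        hits.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId", "<unknown>"),
            "workload": rec.get("Workload"),
            "operation": operation,
            "target": rec.get("ObjectId"),
        })
    return hits


def hits_per_actor(hits):
    """Count flagged operations by the acting user (the UserId field)."""
    return Counter(h["user"] for h in hits)


# Constructed sample records; not real tenant data.
SAMPLE_AUDIT_LINES = """\
{"CreationTime": "2023-05-01T08:02:11", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@example.test", "ResultStatus": "Success", "ObjectId": "Unknown"}
{"CreationTime": "2023-05-01T08:05:40", "Operation": "Disable Strong Authentication.", "Workload": "AzureActiveDirectory", "UserId": "alice@example.test", "ResultStatus": "Success", "ObjectId": "bob@example.test"}
{"CreationTime": "2023-05-01T08:07:02", "Operation": "Consent to application.", "Workload": "AzureActiveDirectory", "UserId": "carol@example.test", "ResultStatus": "Failure", "ObjectId": "ExampleApp"}
{"CreationTime": "2023-05-01T08:09:55", "Operation": "ModifyFolderPermissions", "Workload": "Exchange", "UserId": "alice@example.test", "ResultStatus": "Succeeded", "ObjectId": "bob@example.test/Inbox"}
{"CreationTime": "2023-05-01T08:12:30", "Operation": "Add member to role.", "Workload": "AzureActiveDirectory", "UserId": "dave@example.test", "ResultStatus": "Success", "ObjectId": "bob@example.test"}
"""

SAMPLE_RECORDS = parse_audit_lines(SAMPLE_AUDIT_LINES)


if __name__ == "__main__":
    flagged = find_persistence_events(SAMPLE_RECORDS)
    for hit in flagged:
        print(hit)
    print(hits_per_actor(flagged))
```

Run stand-alone, the script flags three of the five constructed records (the sign-in is not on the list and the failed consent is filtered out) and shows alice@example.test with two hits. In a real deployment the same filter is expressed as a search over the o365 sourcetype; the value of the per-actor count is that it surfaces an account chaining several of these operations, which is a stronger signal than any single one.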
References
- https://attack.mitre.org/tactics/TA0003/
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
- https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en
- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
- https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners
- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf
Source: GitHub | Version: 1