O365 Cross-Tenant Access Change
Description
The following analytic identifies when cross-tenant access/synchronization policies are changed in an Azure tenant. Adversaries have been observed altering victim cross-tenant policies as a method of lateral movement or maintaining persistent access to compromised environments. These policies should be considered sensitive and monitored for changes and/or loose configuration.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-04-11
- Author: Steven Dick
- ID: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
`o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add a partner to cross-tenant access setting.","Delete partner specific cross-tenant access setting.")
| eval user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| stats values(Workload) as category, values(ClientIP) as src, values(ModifiedProperties{}.Name) as object_name, values(ModifiedProperties{}.NewValue) as object_attrs, count, min(_time) as firstTime, max(_time) as lastTime by Id,user,Operation
| rename Operation as signature, Id as signature_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_cross_tenant_access_change_filter`
Macros
The SPL above uses the following Macros:
o365_cross-tenant_access_change_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Workload
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Business approved changes by known administrators.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
56.25 | 75 | 75 | The user [$user$] changed the Azure cross-tenant access settings for $object_name$ $object_attrs$ [$signature$] |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1484/002/
- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1