O365 External Guest User Invited
Description
The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall Backdooring and Hijacking Azure AD Accounts by Abusing External Identities
. This detection leverages the Universal Audit Log (UAL)/o365:management:activity sourcetype as a detection data source.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-04-11
- Author: Steven Dick
- ID: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
Annotations
Kill Chain Phase
- Installation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
`o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]"
| eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0))
| rex field=user "(?<user>[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})"
| stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user
| rename Operation as signature, Id as signature_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_external_guest_user_invited_filter`
Macros
The SPL above uses the following Macros:
o365_external_guest_user_invited_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Operation
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.Name
- UserId
- Id
- Workload
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Administrator may legitimately invite external guest users. Filter as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | Azure Guest User $user$ invited by $src_user$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
- https://attack.mitre.org/techniques/T1136/003/
- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1