Analytics Story: Office 365 Persistence Mechanisms

Description

Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory (now Microsoft Entra ID) for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset and a prime target for attackers. The "Office 365 Persistence Mechanisms" analytic story covers the tactics and techniques attackers use to maintain prolonged unauthorized access within an O365 environment. Persistence in this context refers to the methods adversaries use to keep their foothold after an initial compromise: modifying mailbox rules, establishing covert forwarding rules, granting their own accounts or applications additional permissions and roles, registering additional MFA methods, creating service principals or federated domains, and disabling the audit and security features that would otherwise expose them. By monitoring for these signs of persistence, organizations can detect and respond to stealthy threats and protect their O365 assets and data.

Detections

Name | Technique | Type
O365 Add App Role Assignment Grant User | Cloud Account | TTP
O365 Added Service Principal | Cloud Account | TTP
O365 Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP
O365 Advanced Audit Disabled | Disable or Modify Cloud Logs | TTP
O365 Application Registration Owner Added | Account Manipulation | TTP
O365 ApplicationImpersonation Role Assigned | Additional Email Delegate Permissions | TTP
O365 Bypass MFA via Trusted IP | Disable or Modify Cloud Firewall | TTP
O365 Disable MFA | Modify Authentication Process | TTP
O365 Email Security Feature Changed | Disable or Modify Tools, Disable or Modify Cloud Logs | TTP
O365 FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP
O365 High Privilege Role Granted | Additional Cloud Roles | TTP
O365 Mailbox Inbox Folder Shared with All Users | Remote Email Collection | TTP
O365 Mailbox Read Access Granted to Application | Additional Cloud Roles, Remote Email Collection | TTP
O365 Multiple Service Principals Created by SP | Cloud Account | Anomaly
O365 Multiple Service Principals Created by User | Cloud Account | Anomaly
O365 New Federated Domain Added | Cloud Account | TTP
O365 New MFA Method Registered | Device Registration | TTP
O365 Privileged Graph API Permission Assigned | Security Account Manager | TTP
O365 Service Principal New Client Credentials | Additional Cloud Credentials | TTP
O365 Tenant Wide Admin Consent Granted | Additional Cloud Roles | TTP

Data Sources

Name | Platform | Sourcetype | Source
O365 | N/A | o365:management:activity | o365
O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365
O365 Add app role assignment to service principal. | N/A | o365:management:activity | o365
O365 Add member to role. | N/A | o365:management:activity | o365
O365 Add owner to application. | N/A | o365:management:activity | o365
O365 Add service principal. | N/A | o365:management:activity | o365
O365 Change user license. | N/A | o365:management:activity | o365
O365 Consent to application. | N/A | o365:management:activity | o365
O365 Disable Strong Authentication. | N/A | o365:management:activity | o365
O365 ModifyFolderPermissions | N/A | o365:management:activity | o365
O365 Set Company Information. | N/A | o365:management:activity | o365
O365 Update application. | N/A | o365:management:activity | o365
O365 Update user. | N/A | o365:management:activity | o365
Office 365 Universal Audit Log | N/A | o365:management:activity | o365
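The detections above are Splunk searches over o365:management:activity events. As an added example (not Splunk's own detection content, and not code from this page), the Python below applies a handful of the same checks to records shaped like the Office 365 Management Activity API output: a high-privilege role assignment from "Add member to role.", tenant-wide admin consent from "Consent to application.", "Disable Strong Authentication.", and an Inbox folder shared with Default or Anonymous via ModifyFolderPermissions. The field names (Operation, ResultStatus, UserId, ModifiedProperties with Name/NewValue, Parameters with Name/Value), the JSON-quoted NewValue strings, the ConsentContext.IsAdminConsent property and the list of high-privilege roles are assumptions about the API schema and the tenant, not facts stated on the page; the sample records are constructed for the example.

```python
import json

# Directory roles treated as high privilege (assumption; tune per tenant).
HIGH_PRIVILEGE_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Exchange Administrator",
}

# Operations that merit an alert on their own, mapped to the story's
# detection name and ATT&CK technique.
SIMPLE_OPERATIONS = {
    "Add service principal.": ("O365 Added Service Principal", "Cloud Account"),
    "Disable Strong Authentication.": ("O365 Disable MFA", "Modify Authentication Process"),
    "Add owner to application.": ("O365 Application Registration Owner Added", "Account Manipulation"),
}


def _unquote(value):
    """Azure AD audit NewValue fields are often JSON-encoded strings such as
    '"Global Administrator"' (assumption); decode them, else return the raw value."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def _lookup(items, name, value_key):
    """Value of the first {Name: ..., value_key: ...} entry whose Name matches."""
    for item in items or []:
        if item.get("Name") == name:
            return item.get(value_key)
    return None


def modified_property(record, name):
    """Decoded NewValue from ModifiedProperties (Azure AD workload records)."""
    return _unquote(_lookup(record.get("ModifiedProperties"), name, "NewValue"))


def parameter(record, name):
    """Cmdlet argument Value from Parameters (Exchange workload records)."""
    return _lookup(record.get("Parameters"), name, "Value")


def evaluate(record):
    """Return [(detection name, technique), ...] for one audit record."""
    findings = []
    # A failed operation changed nothing; skip it (Azure AD records report
    # "Failure", Exchange cmdlet records "False"; assumption about the schema).
    if record.get("ResultStatus") in ("Failure", "False"):
        return findings
    op = record.get("Operation", "")
    if op in SIMPLE_OPERATIONS:
        findings.append(SIMPLE_OPERATIONS[op])
    if op == "Add member to role.":
        if modified_property(record, "Role.DisplayName") in HIGH_PRIVILEGE_ROLES:
            findings.append(("O365 High Privilege Role Granted", "Additional Cloud Roles"))
    if op == "Consent to application.":
        # Per-user consent is routine; admin consent applies to the whole tenant.
        if str(modified_property(record, "ConsentContext.IsAdminConsent")).lower() == "true":
            findings.append(("O365 Tenant Wide Admin Consent Granted", "Additional Cloud Roles"))
    if op == "ModifyFolderPermissions":
        # "Default" is every user in the organization, "Anonymous" is everyone;
        # either one on the Inbox exposes the mailbox to any account that can open it.
        identity = (parameter(record, "Identity") or "").lower()
        if parameter(record, "User") in ("Default", "Anonymous") and identity.endswith("\\inbox"):
            findings.append(("O365 Mailbox Inbox Folder Shared with All Users", "Remote Email Collection"))
    return findings


def scan(records):
    """Run evaluate() over an iterable of records and return alert dicts."""
    alerts = []
    for record in records:
        for name, technique in evaluate(record):
            alerts.append({"detection": name, "technique": technique,
                           "actor": record.get("UserId"), "operation": record.get("Operation")})
    return alerts


# Constructed sample records (not real tenant data), trimmed to the fields used.
SAMPLE_RECORDS = [
    {"Operation": "Add member to role.", "ResultStatus": "Success", "UserId": "admin@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""}]},
    {"Operation": "Add member to role.", "ResultStatus": "Success", "UserId": "admin@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Directory Readers\""}]},
    {"Operation": "Consent to application.", "ResultStatus": "Success", "UserId": "admin@example.com",
     "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"}]},
    {"Operation": "Disable Strong Authentication.", "ResultStatus": "Success",
     "UserId": "admin@example.com", "ModifiedProperties": []},
    {"Operation": "ModifyFolderPermissions", "ResultStatus": "True", "UserId": "victim@example.com",
     "Parameters": [{"Name": "Identity", "Value": "victim@example.com:\\Inbox"},
                    {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "Reviewer"}]},
    {"Operation": "Update user.", "ResultStatus": "Success", "UserId": "admin@example.com",
     "ModifiedProperties": []},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Running the script on the constructed records raises four alerts (the Global Administrator assignment, the admin consent, the MFA disable and the Inbox share) and ignores the Directory Readers assignment and the user update. The role list and the Default/Anonymous check are where a real deployment needs tuning: an organization that legitimately shares calendar folders, for instance, should restrict the folder check to the Inbox as shown rather than alerting on every ModifyFolderPermissions event.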

Source: GitHub | Version: 1