Analytics Story: Office 365 Persistence Mechanisms

Description

Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, and therefore a prime target for attackers. The "Office 365 Persistence Mechanisms" analytic story covers the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to the methods adversaries use to keep their foothold after an initial compromise. This can involve actions such as modifying mailbox rules, establishing covert forwarding rules, and manipulating application permissions. By monitoring for signs of persistence, organizations can detect and respond to stealthy threats early, thereby protecting their O365 assets and data.

Detections

| Name | Technique | Type |
|------|-----------|------|
| O365 Add App Role Assignment Grant User | Cloud Account, Create Account | TTP |
| O365 Added Service Principal | Cloud Account, Create Account | TTP |
| O365 Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP |
| O365 Advanced Audit Disabled | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| O365 Application Registration Owner Added | Account Manipulation | TTP |
| O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP |
| O365 Bypass MFA via Trusted IP | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| O365 Disable MFA | Modify Authentication Process | TTP |
| O365 Email Security Feature Changed | Impair Defenses, Disable or Modify Cloud Logs, Disable or Modify Tools | TTP |
| O365 FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP |
| O365 High Privilege Role Granted | Account Manipulation, Additional Cloud Roles | TTP |
| O365 Mailbox Inbox Folder Shared with All Users | Email Collection, Remote Email Collection | TTP |
| O365 Mailbox Read Access Granted to Application | Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles | TTP |
| O365 Multiple Service Principals Created by SP | Cloud Account | Anomaly |
| O365 Multiple Service Principals Created by User | Cloud Account | Anomaly |
| O365 New Federated Domain Added | Cloud Account, Create Account | TTP |
| O365 New MFA Method Registered | Account Manipulation, Device Registration | TTP |
| O365 Privileged Graph API Permission Assigned | Security Account Manager | TTP |
| O365 Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP |
| O365 Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| O365 | N/A | o365:management:activity | o365 |
| O365 Add app role assignment grant to user. | N/A | o365:management:activity | o365 |
| O365 Add app role assignment to service principal. | N/A | o365:management:activity | o365 |
| O365 Add member to role. | N/A | o365:management:activity | o365 |
| O365 Add owner to application. | N/A | o365:management:activity | o365 |
| O365 Add service principal. | N/A | o365:management:activity | o365 |
| O365 Change user license. | N/A | o365:management:activity | o365 |
| O365 Consent to application. | N/A | o365:management:activity | o365 |
| O365 Disable Strong Authentication. | N/A | o365:management:activity | o365 |
| O365 ModifyFolderPermissions | N/A | o365:management:activity | o365 |
| O365 Set Company Information. | N/A | o365:management:activity | o365 |
| O365 Update application. | N/A | o365:management:activity | o365 |
| O365 Update user. | N/A | o365:management:activity | o365 |

Source: GitHub | Version: 1