O365 High Privilege Role Granted

Name:O365 High Privilege Role Granted
id:e78a1037-4548-4072-bb1b-ad99ae416426
version:3
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic detects when high-privilege roles such as "Exchange Administrator," "SharePoint Administrator," or "Global Administrator" are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.
Data_source:

• -O365 Add member to role.

search:`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory
| eval role_id = mvindex('ModifiedProperties{}.NewValue',2)
| eval role_name = mvindex('ModifiedProperties{}.NewValue',1)
| where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10")
| stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_high_privilege_role_granted_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:Privilege roles may be assigned for legitimate purposes, filter as needed.
References:
  -https://attack.mitre.org/techniques/T1098/003/
  -https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
  -https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
  -https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Persistence Mechanisms'
  asset_type:O365 Tenant
  confidence:60
  impact:80
  message:$user$ granted high privilege roles to $ObjectId$
  mitre_attack_id:
    - 'T1098'
    - 'T1098.003'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:48
  required_fields:
    - '_time'
    - 'Operation'
    - 'Workload'
    - 'ModifiedProperties{}.NewValue'
    - 'user'
    - 'ObjectId'
  security_domain:identity

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log
  source: o365
  sourcetype: o365:management:activity
manual_test:None