Office 365 Persistence Mechanisms
Description
Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Change
- Last Updated: 2023-10-17
- Author: Mauricio Velazco, Patrick Bareiss, Splunk
- ID: d230a106-0475-4605-a8d8-abaf4c31ced7
Narrative
Office 365 (O365) is Microsoft’s cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365’s centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The “Office 365 Persistence Mechanisms” analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, and manipulating application permissions. By monitoring for signs of persistence, organizations can effectively detect and respond to stealthy threats, thereby protecting their O365 assets and data.
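The following is an added, illustrative example and is not part of the Splunk analytic story or any of its detections. It shows how the three persistence signals named in the narrative (inbox forwarding rules, mailbox-level forwarding, and application permission grants) can be flagged by inspecting O365 audit events outside Splunk. The event records are constructed for this example and are laid out the way the O365 Management Activity API reports them (Workload, Operation, UserId, Parameters as Name/Value pairs); the set of Azure AD operation names, the internal domain list, and all user and recipient addresses are assumptions and should be tuned to a real tenant.

```python
"""Flag Office 365 audit events matching common persistence mechanisms:
inbox rules that forward mail externally, mailbox-level forwarding, and
application permission grants. Pure Python; no Splunk required."""
from typing import Dict, Iterable, List

# Constructed sample events modelled on the O365 Management Activity API
# record format. They are not real telemetry; all values are illustrative.
SAMPLE_EVENTS: List[dict] = [
    {"CreationTime": "2023-10-17T08:01:00", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-10-17T08:02:00", "Workload": "Exchange",
     "Operation": "Set-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2023-10-17T08:03:00", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2023-10-17T08:04:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "dave@example.com",
     "ObjectId": "constructed-app-object-id"},
    {"CreationTime": "2023-10-17T08:05:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "erin@example.com"},
]

# Domains the organisation owns (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}
# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Mailbox-level forwarding parameters changed through Set-Mailbox.
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")
# Azure AD audit operations that grant or extend application access.
# This list is an assumption of the example; tune it to your tenant's logs.
APP_PERMISSION_OPS = {
    "Consent to application.",
    "Add app role assignment grant to user.",
    "Add delegated permission grant.",
    "Add service principal credentials.",
}


def parameters(event: dict) -> Dict[str, str]:
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True when the recipient's domain is not one of ours."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    if "@" not in addr:
        return False  # display names / unresolved values are left for manual review
    return addr.rsplit("@", 1)[1] not in {d.lower() for d in internal_domains}


def detect_persistence(events: Iterable[dict],
                       internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[dict]:
    """Return one finding per event that matches a persistence pattern."""
    findings: List[dict] = []
    for ev in events:
        op, user, workload = ev.get("Operation", ""), ev.get("UserId", ""), ev.get("Workload", "")
        params = parameters(ev)
        if workload == "Exchange" and op in ("New-InboxRule", "Set-InboxRule"):
            targets = [params[k] for k in FORWARD_PARAMS if k in params]
            external = [t for t in targets if is_external(t, internal_domains)]
            if external:
                findings.append({
                    "rule": "inbox_rule_external_forward", "user": user, "targets": external,
                    # Deleting the original hides the forwarded copy from the mailbox owner.
                    "hides_copy": params.get("DeleteMessage", "").lower() == "true",
                })
        elif workload == "Exchange" and op == "Set-Mailbox":
            # Any change to mailbox-level forwarding is worth review, internal or not.
            targets = [params[k] for k in MAILBOX_FORWARD_PARAMS if k in params]
            if targets:
                findings.append({"rule": "mailbox_forwarding_enabled", "user": user,
                                 "targets": targets, "hides_copy": False})
        elif workload == "AzureActiveDirectory" and op in APP_PERMISSION_OPS:
            findings.append({"rule": "application_permission_grant", "user": user,
                             "targets": [ev.get("ObjectId", "")], "hides_copy": False})
    return findings


if __name__ == "__main__":
    for finding in detect_persistence(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports three findings (alice's forwarding rule, carol's mailbox forwarding, dave's application consent) and ignores the benign move-to-folder rule and the sign-in. The `hides_copy` flag mirrors the "covert forwarding" case in the narrative: a rule that both forwards and deletes leaves the mailbox owner no trace of the copy.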
Detections
Reference
- https://attack.mitre.org/tactics/TA0003/
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
- https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en
- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
- https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners
- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf
Version: 1