diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml index e6d123001a..3414691279 100644 --- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml +++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml @@ -21,7 +21,7 @@ references: - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 confidence: 50 impact: 50 diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml index c990a59a94..002765788d 100644 --- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml +++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml @@ -25,7 +25,7 @@ references: - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse asset_type: Office 365 confidence: 60 diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml index 442c83c948..9a00fc5e77 100644 --- a/detections/cloud/o365_added_service_principal.yml +++ b/detections/cloud/o365_added_service_principal.yml @@ -20,7 +20,7 @@ references: - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse asset_type: Office 365 confidence: 60 diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml index 7f8ada9c5e..bf51cf2e90 100644 --- a/detections/cloud/o365_advanced_audit_disabled.yml +++ b/detections/cloud/o365_advanced_audit_disabled.yml 
@@ -28,7 +28,7 @@ references: - https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 80 impact: 40 diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml index b9d7425ba4..5ea58b3a7b 100644 --- a/detections/cloud/o365_application_registration_owner_added.yml +++ b/detections/cloud/o365_application_registration_owner_added.yml @@ -21,7 +21,7 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 atomic_guid: - UPDATE atomic_guid diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml index 5395a54c6f..209d659b96 100644 --- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml +++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml @@ -19,7 +19,7 @@ references: - https://www.mandiant.com/media/17656 tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 70 impact: 80 diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml index f90bca5703..29e28f51fd 100644 --- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml +++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml @@ -26,7 +26,7 @@ references: - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 60 impact: 70 
diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml index b1b529152e..fe8a7a0c0f 100644 --- a/detections/cloud/o365_disable_mfa.yml +++ b/detections/cloud/o365_disable_mfa.yml @@ -20,7 +20,7 @@ references: - https://attack.mitre.org/techniques/T1556/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 80 impact: 80 diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml index 13a8f65441..c0dbe59888 100644 --- a/detections/cloud/o365_excessive_authentication_failures_alert.yml +++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml @@ -22,7 +22,7 @@ references: - https://attack.mitre.org/techniques/T1110/ tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 confidence: 80 impact: 80 diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index 942d3a6328..eca7a82788 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml +++ b/detections/cloud/o365_excessive_sso_logon_errors.yml @@ -17,7 +17,7 @@ references: - https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover - Cloud Federated Credential Abuse asset_type: Office 365 confidence: 80 diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml index 7c9f255de6..607fa01440 100644 --- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml 
@@ -28,7 +28,7 @@ references: - https://github.com/AlteredSecurity/365-Stealer tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 50 impact: 80 diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml index e5060df3ea..49939ef407 100644 --- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml @@ -19,7 +19,7 @@ references: - https://attack.mitre.org/techniques/T1110/001/ tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: O365 tenant confidence: 70 impact: 50 diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml index 8b83bfb1f7..29bac021e1 100644 --- a/detections/cloud/o365_high_privilege_role_granted.yml +++ b/detections/cloud/o365_high_privilege_role_granted.yml @@ -25,7 +25,7 @@ references: - https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 tenant confidence: 60 impact: 80 diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml index 2f8002df88..cb2490fcf7 100644 --- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml +++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml @@ -29,7 +29,7 @@ references: - https://github.com/AlteredSecurity/365-Stealer tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 50 impact: 80 
diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml index 4eb7c21d0f..86051a1f83 100644 --- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml +++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml @@ -19,7 +19,7 @@ references: - https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 Tenant confidence: 70 impact: 80 diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml index 2e868d7068..a376a618cd 100644 --- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml +++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml @@ -35,7 +35,7 @@ references: - https://graphpermissions.merill.net/permission/Mail.Read tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 tenant confidence: 50 impact: 90 diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml index c0065c47d2..9f6f6a428a 100644 --- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml +++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml @@ -23,7 +23,7 @@ references: - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: O365 tenant atomic_guid: [] confidence: 60 
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml index 41e8716aa6..81fe6f9aaa 100644 --- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml @@ -21,7 +21,7 @@ references: - https://www.youtube.com/watch?v=SK1zgqaAZ2E tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 confidence: 80 impact: 60 diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml index 767e168056..1c2ce24fd4 100644 --- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml @@ -19,7 +19,7 @@ references: - https://attack.mitre.org/techniques/T1621/ tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 80 impact: 60 diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml index 1efce6d94e..c3f3dcb5e0 100644 --- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml @@ -21,7 +21,7 @@ references: - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 90 impact: 70 diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml index 8f0ed953f7..5005f8c56e 100644 --- a/detections/cloud/o365_new_federated_domain_added.yml 
+++ b/detections/cloud/o365_new_federated_domain_added.yml @@ -24,7 +24,7 @@ references: - https://o365blog.com/post/aadbackdoor/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Cloud Federated Credential Abuse asset_type: Office 365 confidence: 80 diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml index cc82d2b7b4..8adc6fc608 100644 --- a/detections/cloud/o365_new_mfa_method_registered.yml +++ b/detections/cloud/o365_new_mfa_method_registered.yml @@ -30,7 +30,7 @@ references: - https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 tenant confidence: 50 impact: 60 diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml index b0987aa95b..2916c72669 100644 --- a/detections/cloud/o365_pst_export_alert.yml +++ b/detections/cloud/o365_pst_export_alert.yml @@ -19,7 +19,7 @@ references: - https://attack.mitre.org/techniques/T1114/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Data Exfiltration asset_type: Office 365 confidence: 60 diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index 4092071bf6..1c8d042f0c 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml 
@@ -23,7 +23,7 @@ references: - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 50 impact: 70 diff --git a/detections/cloud/o365_suspicious_admin_email_forwarding.yml b/detections/cloud/o365_suspicious_admin_email_forwarding.yml index 1827d92896..58ae2d08e3 100644 --- a/detections/cloud/o365_suspicious_admin_email_forwarding.yml +++ b/detections/cloud/o365_suspicious_admin_email_forwarding.yml @@ -19,7 +19,7 @@ known_false_positives: unknown references: [] tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Data Exfiltration asset_type: Office 365 confidence: 60 diff --git a/detections/cloud/o365_suspicious_rights_delegation.yml b/detections/cloud/o365_suspicious_rights_delegation.yml index beeff9875c..b92fed8b5e 100644 --- a/detections/cloud/o365_suspicious_rights_delegation.yml +++ b/detections/cloud/o365_suspicious_rights_delegation.yml @@ -20,7 +20,7 @@ references: - https://attack.mitre.org/techniques/T1114/002/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 60 impact: 80 diff --git a/detections/cloud/o365_suspicious_user_email_forwarding.yml b/detections/cloud/o365_suspicious_user_email_forwarding.yml index 7716602deb..a8e728b4b1 100644 --- a/detections/cloud/o365_suspicious_user_email_forwarding.yml +++ b/detections/cloud/o365_suspicious_user_email_forwarding.yml @@ -19,7 +19,7 @@ known_false_positives: unknown references: [] tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms - Data Exfiltration asset_type: Office 365 confidence: 60 
diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml index d94610ea90..a5c9575211 100644 --- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml +++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml @@ -25,7 +25,7 @@ references: - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ tags: analytic_story: - - O365 Persistence Mechanisms + - Office 365 Persistence Mechanisms asset_type: Office 365 confidence: 50 impact: 90 diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml index 0279359c74..c7152b7b52 100644 --- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml @@ -27,7 +27,7 @@ references: - https://github.com/AlteredSecurity/365-Stealer tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 100 impact: 30 diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml index 6de0713c03..8fb4b05b43 100644 --- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml @@ -24,7 +24,7 @@ references: - https://github.com/AlteredSecurity/365-Stealer tags: analytic_story: - - O365 Identity Compromise Techniques + - Office 365 Account Takeover asset_type: Office 365 tenant confidence: 100 impact: 30 diff --git a/stories/o365_identity_compromise_techniques.yml b/stories/o365_identity_compromise_techniques.yml index 05941b4f3b..b63734ac12 100644 --- a/stories/o365_identity_compromise_techniques.yml +++ b/stories/o365_identity_compromise_techniques.yml 
@@ -1,13 +1,13 @@ -name: O365 Identity Compromise Techniques +name: Office 365 Account Takeover id: d5f34d9d-d330-4f9e-a62e-ceb6f7bb1f85 version: 1 date: '2023-10-24' author: Mauricio Velazco, Splunk -description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. The "O365 Identity Compromise Techniques" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Recognizing these early indicators is pivotal, forming the frontline of defense against unauthorized access and potential security incidents. +description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. 
Recognizing these early indicators is pivotal, forming the frontline of defense against unauthorized access and potential security incidents. narrative: Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments. references: [] tags: - analytic_story: O365 Identity Compromise Techniques + analytic_story: Office 365 Account Takeover category: - Adversary Tactics - Account Compromise diff --git a/stories/o365_persistence_mechanisms.yml b/stories/o365_persistence_mechanisms.yml index 8489fac34b..3e70bcb9c6 100644 --- a/stories/o365_persistence_mechanisms.yml +++ b/stories/o365_persistence_mechanisms.yml 
@@ -1,13 +1,13 @@ -name: O365 Persistence Mechanisms +name: Office 365 Persistence Mechanisms id: d230a106-0475-4605-a8d8-abaf4c31ced7 version: 1 date: '2023-10-17' author: Mauricio Velazco, Splunk -description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. The "O365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. Recognizing these indicators is crucial, as persistent threats can lead to long-term data exfiltration, further system compromises, and a range of other malicious activities. Monitoring for signs of persistence ensures that organizations can detect and respond to these stealthy threats, safeguarding their O365 assets and data. +description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. 
The "Office 365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. Recognizing these indicators is crucial, as persistent threats can lead to long-term data exfiltration, further system compromises, and a range of other malicious activities. Monitoring for signs of persistence ensures that organizations can detect and respond to these stealthy threats, safeguarding their O365 assets and data. narrative: Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments. references: [] tags: - analytic_story: O365 Persistence Mechanisms + analytic_story: Office 365 Persistence Mechanisms category: - Adversary Tactics - Account Compromise
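Review bot: In both story hunks (stories/o365_identity_compromise_techniques.yml and stories/o365_persistence_mechanisms.yml) the `name` changes while `version: 1` and the `date` line stay as they were; a story rename is visible to anything keyed on the story name, so bump `version` (and refresh `date`) in the same change. The files also keep their old filenames, so a story now named "Office 365 Account Takeover" still lives in `o365_identity_compromise_techniques.yml`; the repo otherwise keeps filename and `name` aligned (`o365_persistence_mechanisms.yml` for "O365 Persistence Mechanisms"), and renaming the file would preserve that.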
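Review bot: The detection hunks normalize `O365` to `Office 365` only inside `analytic_story`, but the unchanged context shows `asset_type` spelled four ways across the same files: `Office 365`, `Office 365 tenant`, `Office 365 Tenant`, and `O365 tenant` (o365_high_number_of_failed_authentications_for_user.yml, o365_multi_source_failed_authentications_spike.yml). Since the point of the PR is consistent naming, pick one `asset_type` value and apply it here too; otherwise the rename fixes one field and leaves the neighbouring one inconsistent.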
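Review bot: o365_application_registration_owner_added.yml carries `atomic_guid: - UPDATE atomic_guid` in its context lines; that is a template placeholder, not a GUID, and it will not map to any Atomic Red Team test. Either fill in a real GUID or use an empty list, as o365_multi_source_failed_authentications_spike.yml already does with `atomic_guid: []`, so the metadata does not ship with a TODO in it.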
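Review bot: Because each detection's `analytic_story` entry is matched to the story by its `name` string, any detection outside this diff that still lists `O365 Identity Compromise Techniques` or `O365 Persistence Mechanisms` will silently fall out of the renamed story; a repo-wide search for the two old strings before merge would confirm the diff is complete. While the descriptions are being edited, the persistence one reads "modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions" and wants an "and" before the last item, and the account-takeover one says "compromise these identities" with no antecedent; "Office 365 identities" would read cleanly.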