Merge branch 'develop' into nterl0k-t1053-suspicious-task-lookups

splunk · Feb 28, 2025 · a7d24fb · a7d24fb
2 parents 489bcc4 + f0857d6
commit a7d24fb
Show file tree

Hide file tree

Showing 9 changed files with 626 additions and 0 deletions.
diff --git a/data_sources/office_365_reporting_message_trace.yml b/data_sources/office_365_reporting_message_trace.yml
@@ -0,0 +1,73 @@
+name: Office 365 Reporting Message Trace
+id: b637788e-fcf0-44fa-86ea-cab81193f939
+version: 1
+date: '2025-02-28'
+author: Steven Dick
+description: Data source object for Office 365 Reporting Message Trace
+source: o365
+sourcetype: o365:reporting:messagetrace
+separator: Organization
+supported_TA:
+- name: Splunk Microsoft Office 365 Add-on
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.0
+fields:
+- FromIP
+- Index
+- MessageId
+- MessageTraceId
+- Organization
+- Received
+- RecipientAddress
+- SenderAddress
+- Size
+- Status
+- Subject
+- ToIP
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- eventtype
+- host
+- index
+- internal_message_id
+- linecount
+- message_id
+- punct
+- recipient
+- recipient_count
+- recipient_domain
+- size
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_user
+- src_user_domain
+- status_code
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
+example_log: '{"Organization": "attackrange.onmicrosoft.com", "MessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "[email protected]", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}'
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -0,0 +1,67 @@
+name: O365 Email Hard Delete Excessive Volume
+id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+  | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+  | bin _time span=1hr
+  | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user
+  | where count > 50 OR file_size > 10
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_email_hard_delete_excessive_volume_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$ 
+  search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Office 365 Account Takeover
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id: 
+  - T1070.008
+  - T1485
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -0,0 +1,64 @@
+name: O365 Email New Inbox Rule Created
+id: 449f525a-7b42-47be-96a7-d9724e336c19
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
+  | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name'
+
+  | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `o365_email_new_inbox_rule_created_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Inbox Rules for $user$ 
+  search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A new email inbox rule was created for $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 10
+  threat_objects:
+  - field: desc
+    type: signature
+tags:
+  analytic_story: 
+  - Office 365 Collection Techniques
+  asset_type: O365 Tenant  
+  mitre_attack_id: 
+  - T1114.003
+  - T1564.008
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
@@ -0,0 +1,86 @@
+name: O365 Email Password and Payroll Compromise Behavior
+id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source: 
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: |-
+  `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | eval mailtime = _time
+  | bin _time span=4hr
+  | eval user = lower(RecipientAddress)
+  | eval InternetMessageId = lower(MessageId)
+  | join InternetMessageId, user max=0
+    [
+    | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
+    | spath path=AffectedItems{}  output=AffectedItemSplit
+    | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit 
+    | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+    | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") 
+    | eval deltime = _time
+    | bin _time span=4hr
+    | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
+    ]
+  | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
+  | search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_email_password_and_payroll_compromise_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Unknown, unlikely.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$ 
+  search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ received and deleted password and payroll change emails within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 90
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Office 365 Account Takeover
+  - Office 365 Collection Techniques
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant  
+  mitre_attack_id: 
+  - T1070.008
+  - T1485
+  - T1114.001
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+    source: o365_messagetrace
+    sourcetype: o365:reporting:messagetrace