diff --git a/data_sources/office_365_reporting_message_trace.yml b/data_sources/office_365_reporting_message_trace.yml
new file mode 100644
index 0000000000..cc8c4aa082
--- /dev/null
+++ b/data_sources/office_365_reporting_message_trace.yml
@@ -0,0 +1,73 @@
+name: Office 365 Reporting Message Trace
+id: b637788e-fcf0-44fa-86ea-cab81193f939
+version: 1
+date: '2025-02-28'
+author: Steven Dick
+description: Data source object for Office 365 Reporting Message Trace
+source: o365
+sourcetype: o365:reporting:messagetrace
+separator: Organization
+supported_TA:
+- name: Splunk Microsoft Office 365 Add-on
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.8.0
+fields:
+- FromIP
+- Index
+- MessageId
+- MessageTraceId
+- Organization
+- Received
+- RecipientAddress
+- SenderAddress
+- Size
+- Status
+- Subject
+- ToIP
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- eventtype
+- host
+- index
+- internal_message_id
+- linecount
+- message_id
+- punct
+- recipient
+- recipient_count
+- recipient_domain
+- size
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_user
+- src_user_domain
+- status_code
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
+example_log: '{"Organization": "attackrange.onmicrosoft.com", "MessageId": "", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "attacker_outside@gmail.com", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}'
\ No newline at end of file
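Review bot: The example_log carries `"MessageId": ""`, yet the detections added alongside this data source join message-trace rows to audit-log events on `lower(MessageId)`, so this sample cannot exercise the join that the correlation searches depend on; an example with a populated message-id would document the key. The `fields` list also mixes Splunk internal and index-time fields (`_bkt`, `_cd`, `_raw`, `punct`, `timeendpos`) with the fields the add-on emits, which hides which ones a reader can actually search on. The example's `FromIP` of `189.135.168.197` is a routable public address; a documentation-range address would avoid pointing readers at a real host.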
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
new file mode 100644
index 0000000000..8b1c6f407e
--- /dev/null
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -0,0 +1,67 @@
+name: O365 Email Hard Delete Excessive Volume
+id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+  | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+  | bin _time span=1hr
+  | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user
+  | where count > 50 OR file_size > 10
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_hard_delete_excessive_volume_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+  search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1070.008
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
new file mode 100644
index 0000000000..07a601a58b
--- /dev/null
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
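Review bot: The `count` that the threshold tests is `dc(subject)` in the stats line, so fifty hard deletes that share a subject (a long thread, or mass-deleted notifications) count once and never reach `count > 50`; if the intent is item volume, an event `count` or a per-item count such as `sum(mvcount('AffectedItems{}.Subject'))` computed before the stats would measure it, with `dc(subject)` kept under another name for context. The eval above it carries `Send`/`SendAs`/`SendOnBehalf` branches that can never match here because the base search returns only HardDelete events, so the search reads as a copy of the send-and-delete analytic rather than its own logic. That eval also writes a field named `-time = _time`, which is an unusual eval target — confirm it parses as intended, since the same construct is repeated in the send-and-hard-delete hunks later in this commit. The risk message also reads `excessing`, which should be `excessive`.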
@@ -0,0 +1,64 @@
+name: O365 Email New Inbox Rule Created
+id: 449f525a-7b42-47be-96a7-d9724e336c19
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
+  | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name'
+
+  | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_new_inbox_rule_created_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Inbox Rules for $user$
+  search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A new email inbox rule was created for $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 10
+  threat_objects:
+  - field: desc
+    type: signature
+tags:
+  analytic_story:
+  - Office 365 Collection Techniques
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1114.003
+  - T1564.008
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
new file mode 100644
index 0000000000..e5add0c19d
--- /dev/null
+++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
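Review bot: The evals `file_path = mvappend(MoveToFolder,CopyToFolder)` and `recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo)` read the rule parameters as top-level fields, while the base search filters on `Parameters{}.Name`, which suggests the values sit in the paired `Parameters{}.Value` array; unless the add-on extracts each parameter into its own field, `recipient` and `file_path` will be empty in the stats output and the forwarding address — the most useful triage detail for a forwarding rule — is lost. If that is the case, pairing name and value before the stats (for example with `mvzip('Parameters{}.Name','Parameters{}.Value')` and an `mvfilter` on the names of interest) would recover them; the detection still fires either way because the risk and threat objects are `user` and `desc`. There is also a bare `+` line inside the `search` block between the eval and the stats, which leaves a blank line in the SPL and can be dropped.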
@@ -0,0 +1,86 @@
+name: O365 Email Password and Payroll Compromise Behavior
+id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: |-
+  `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | eval mailtime = _time
+  | bin _time span=4hr
+  | eval user = lower(RecipientAddress)
+  | eval InternetMessageId = lower(MessageId)
+  | join InternetMessageId, user max=0
+  [
+  | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
+  | spath path=AffectedItems{} output=AffectedItemSplit
+  | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit
+  | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+  | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | eval deltime = _time
+  | bin _time span=4hr
+  | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
+  ]
+  | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
+  | search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_password_and_payroll_compromise_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Unknown, unlikely.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+  search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ received and deleted password and payroll change emails within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 90
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  - Office 365 Collection Techniques
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1070.008
+  - T1485
+  - T1114.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+    source: o365_messagetrace
+    sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
new file mode 100644
index 0000000000..7390f3ef76
--- /dev/null
+++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
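Review bot: The deletion side of the `join` is a subsearch, and subsearches are silently truncated at the subsearch result and runtime limits (`maxout`/`maxtime` under `[subsearch]` in limits.conf) — `max=0` only lifts the per-row join cap — so in a tenant with a high SoftDelete/HardDelete volume over the scheduled window the audit-log side is cut and true matches are dropped without any warning; a `stats`-based correlation keyed on `InternetMessageId, user` across both sourcetypes would avoid that, or at minimum `how_to_implement` should state the limitation. The subject patterns `"*password *"`, `"*passcode *"`, `"*OTP *"` and `"*MFA *"` require a trailing space, so a subject that ends in the word (`Reset your password`) matches on neither side of the join. The subsearch also keeps `ClientIP` while the receive-and-hard-delete detection in the next hunk keeps `ClientIPAddress` for the same Exchange mailbox events; one of the two is likely empty, and `src` — the threat object here — with it, so the field name should be checked against the add-on's extraction.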
@@ -0,0 +1,87 @@
+name: O365 Email Receive and Hard Delete Takeover Behavior
+id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: |-
+  `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | eval mailtime = _time
+  | bin _time span=4hr
+  | eval user = lower(RecipientAddress)
+  | eval InternetMessageId = lower(MessageId)
+  | join InternetMessageId, user max=0
+  [
+  | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")
+  | spath path=AffectedItems{} output=AffectedItemSplit
+  | fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path
+  | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+  | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+  | eval deltime = _time
+  | bin _time span=4hr
+  | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject
+  ]
+  | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_receive_and_hard_delete_takeover_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Possible new user/account onboarding processes.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+  search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information
+  risk_objects:
+  - field: user
+    type: user
+    score: 80
+  threat_objects:
+  - field: subject
+    type: email_subject
+  - field: src
+    type: ip_address
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  - Office 365 Collection Techniques
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1070.008
+  - T1485
+  - T1114.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+    source: o365_messagetrace
+    sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
new file mode 100644
index 0000000000..1680afe5af
--- /dev/null
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
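Review bot: Nothing in the search enforces the "within a short period" the description promises: both sides run `bin _time span=4hr`, but the `join` keys are only `InternetMessageId, user` and the closing `stats ... by user,subject` drops `_time`, so a message received long before its deletion still correlates and `firstTime`/`lastTime` merely report the gap. Adding `_time` to the join keys (`| join InternetMessageId, user, _time max=0`) or a `| where lastTime - firstTime <= 14400` placed before the `security_content_ctime` macros would make the window real; the password-and-payroll hunk above appears to have the same gap, since its stats groups by the post-join `_time` only. The `fields` line also keeps `ClientProcessName`, which nothing downstream reads, so it can be dropped or surfaced with a `values()` in the stats.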
@@ -0,0 +1,89 @@
+name: O365 Email Send and Hard Delete Exfiltration Behavior
+id: dd7798cf-c4f5-4114-ad0f-beacd9a33708
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: |-
+  `o365_messagetrace` Status=Delivered
+  | eval mailtime = _time
+  | bin _time span=1hr
+  | eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
+  | eval InternetMessageId = lower(MessageId)
+  | join InternetMessageId, user, max=0
+  [
+  | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+  | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
+  | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
+  | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
+  | bin _time span=1hr
+  | stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user
+  | where opcount > 1 AND firstTime < lastTime
+  ]
+  | stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization
+  | eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)
+  | where externalRecipient = 1
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_send_and_hard_delete_exfiltration_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+  search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 40
+  - field: recipient
+    type: user
+    score: 40
+  threat_objects:
+  - field: subject
+    type: email_subject
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  - Office 365 Collection Techniques
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1114.001
+  - T1070.008
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+    source: o365_messagetrace
+    sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
new file mode 100644
index 0000000000..a2ff074eea
--- /dev/null
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
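Review bot: The external-recipient test `externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)` runs an unanchored regex of the tenant's first `Organization` label (`attackrange` in the sample data) against the whole recipient address, so any outside address that merely contains that string — a personal mailbox whose local part is the company name, or a look-alike domain — is classed as internal and never alerts, while a tenant whose accepted domains do not share that label flags its own users as external. Comparing the domain part, `mvindex(split(lower(recipient),"@"),1)`, against the tenant's accepted-domain list (a lookup is the usual vehicle) would give a deterministic answer, and the trace data already exposes `recipient_domain` for that purpose. The join line `| join InternetMessageId, user, max=0` also carries a trailing comma before the option, unlike `| join InternetMessageId, user, _time max=0` in the attachment-volume hunk that follows; confirm the parser does not read `max=0` as a third field name. Registering `recipient` as a `user` risk object with score 40 assigns risk to the outside party rather than the account under review; a threat object would be the more usual placement for it.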
@@ -0,0 +1,73 @@
+name: O365 Email Send and Hard Delete Suspicious Behavior
+id: c97b3d72-0a47-46f9-b742-b89f1cc2d551
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+  | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+  | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
+  | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
+  | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user
+  | eval timediff = tonumber(lastTime) - tonumber(firstTime)
+  | where opcount > 1 AND firstTime < lastTime AND timediff < 3600
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `o365_email_send_and_hard_delete_suspicious_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+  search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user $user$ sent and hard deleted an email within a short timeframe
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  threat_objects:
+  - field: src
+    type: ip_address
+  - field: subject
+    type: email_subject
+tags:
+  analytic_story:
+  - Office 365 Account Takeover
+  - Office 365 Collection Techniques
+  - Suspicious Emails
+  - Data Destruction
+  asset_type: O365 Tenant
+  mitre_attack_id:
+  - T1114.001
+  - T1070.008
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+    source: o365
+    sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
new file mode 100644
index 0000000000..edcedcc498
--- /dev/null
+++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
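Review bot: The first drilldown still contains the template placeholder `| search [CHANGEME_FIELD] = "$user$"`, which matches nothing (or errors) when an analyst clicks through; the search groups by `user` and every sibling detection in this commit uses the same field, so the line should read `search: '%original_detection_search% | search user = "$user$"'`. The Investigate drilldown appends `AND "$subject$"` as a bare free-text term, so a subject containing quotes or SPL keywords will break or broaden the query; matching it against the subject field the search derives would be more robust. The description also has a stray word in `hard deletes email with within a short period`.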
@@ -0,0 +1,84 @@ +name: O365 Email Send Attachments Excessive Volume +id: 70a050a2-8537-488a-a628-b60a9558d96a +version: 1 +date: '2025-01-20' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. +data_source: +- Office 365 Universal Audit Log +search: |- + `o365_messagetrace` Status=Delivered + | eval mailtime = _time + | bin _time span=1hr + | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user, _time max=0 + [ + | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf") + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') + | bin _time 
span=1hr + | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif ")) + | search file_name=* + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId + | where count > 25 + | eval file_name = mvjoin(file_name,"||") + ] + | eval file_name = split(file_name,"||") + | stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId + | eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) + | search recipient = * + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_attachments_excessive_volume_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. +known_false_positives: Users or processes that are send a large number of attachments may trigger this alert, adjust thresholds accordingly. 
+references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND Item.Attachments=* AND UserId = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ sent an excessive number of email attachments [$count$] to external recipient(s) within a short timeframe + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: recipient + type: email_address +tags: + analytic_story: + - Office 365 Account Takeover + - Suspicious Emails + asset_type: O365 Tenant + mitre_attack_id: + - T1070.008 + - T1485 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + source: o365_messagetrace + sourcetype: o365:reporting:messagetrace diff --git a/macros/o365_messagetrace.yml b/macros/o365_messagetrace.yml new file mode 100644 index 0000000000..d5952e2539 --- /dev/null +++ b/macros/o365_messagetrace.yml @@ -0,0 +1,3 @@ +definition: sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace") +description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. +name: o365_messagetrace
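Review bot: The external-recipient filter `| eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient))` uses the sender's domain as an unanchored regular expression, so its unescaped dots match any character and any recipient domain that merely contains the sender's domain as a substring is classified as internal and dropped, which is precisely the look-alike destination this analytic should keep; a literal comparison such as `if(mvindex(split(lower(recipient),"@"),1) == mvindex(split(lower(user),"@"),1), null(), recipient)` is safer (anchor and escape the pattern instead if subdomains must count as internal). `data_source` lists only `Office 365 Universal Audit Log`, yet the search starts from `` `o365_messagetrace` `` and both `how_to_implement` and the second test dataset (`sourcetype: o365:reporting:messagetrace`) require message trace events, so a message-trace data source entry should be listed as well. The `mitre_attack_id` values `T1070.008` and `T1485` describe mailbox-data removal and destruction, which fits the sibling hard-delete detection but not the collection/exfiltration behaviour this description claims and the referenced T1114 covers, so the tags look copied and should be re-mapped. `mailtime` is computed at the top of the search but never read, while the subsearch derives `firstTime`/`lastTime` from a field literally named `-time`; unless that name is deliberate it reads like a search-and-replace slip and deserves an ordinary name such as `sendtime`. The `join ... max=0` against a subsearch is also subject to subsearch result and runtime limits, so on busy tenants the `count > 25` side may be silently truncated; this is worth a note in `how_to_implement`.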
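Review bot: The `description` line of the new macro has a typo, `Environmnent`, and is the generic macro boilerplate rather than a statement of what this macro selects. Suggest `description: Customer specific splunk configurations (eg- index, source, sourcetype) for Office 365 message trace events. Replace the macro definition with configurations for your Splunk Environment.`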