From d82beadb4ec57e9b609b859fcd87097c6f39e6d8 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Sat, 13 Apr 2024 15:28:33 -0400
Subject: [PATCH 1/2] Add files via upload
---
 .../T1098/T1098/o365_various_events.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 datasets/attack_techniques/T1098/T1098/o365_various_events.yml
diff --git a/datasets/attack_techniques/T1098/T1098/o365_various_events.yml b/datasets/attack_techniques/T1098/T1098/o365_various_events.yml
new file mode 100644
index 00000000..07427af1
--- /dev/null
+++ b/datasets/attack_techniques/T1098/T1098/o365_various_events.yml
@@ -0,0 +1,25 @@
+author: Steven Dick
+id: a44c84cb-231b-4657-8386-0f5d4b8f183e
+date: '2024-4-13'
+description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1098
+- https://attack.mitre.org/techniques/T1484/002/
+- https://attack.mitre.org/techniques/T1136/003/
+- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
+- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
+- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
+- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
+- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
+- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/
+- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
+- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360
\ No newline at end of file
From 798fd14651956c3551bf180c3673cfd5d0a33fff Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Sat, 13 Apr 2024 15:32:51 -0400
Subject: [PATCH 2/2] Intial uploads and consistency fixes
---
 .../o365_azure_workload_events/o365_azure_workload_events.log | 3 +++
 .../o365_azure_workload_events.yml} | 0
 2 files changed, 3 insertions(+)
 create mode 100644 datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
 rename datasets/attack_techniques/T1098/{T1098/o365_various_events.yml => o365_azure_workload_events/o365_azure_workload_events.yml} (100%)
diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
new file mode 100644
index 00000000..ab6fa1b0
--- /dev/null
+++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:425490f713e83ea96714014ce4ac8f7c09a4d3eb43c41a3a2977a88830fea5dc
+size 24402
diff --git a/datasets/attack_techniques/T1098/T1098/o365_various_events.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml
similarity index 100%
rename from datasets/attack_techniques/T1098/T1098/o365_various_events.yml
rename to datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml
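Review bot: The `dataset:` entry in this descriptor points at `.../T1098/o365_various_events/o365_various_events.log`, but the only log the series adds is `datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log` (patch 2/2), and the 100%-similarity rename in that patch leaves this field unchanged, so the YAML references a dataset path that does not exist in the tree and any tooling that fetches the dataset from this descriptor will 404. The line should read `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log`. Separately, `date: '2024-4-13'` is not zero-padded; `date: '2024-04-13'` keeps it ISO-8601 and consistent with date-sorted tooling. The description's "Universal Access Log" is presumably meant to be the Office 365 Unified Audit Log, which is what the `o365:management:activity` sourcetype is fed from — worth correcting so the provenance of the events is unambiguous for anyone replaying this dataset.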