From f74a15dcd7de461656b0ccf9f186b5718fd58390 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:51:23 -0500 Subject: [PATCH 01/16] Add files via upload --- .../o365_exfiltration_via_file_access.yml | 78 +++++++++++++++++++ .../o365_exfiltration_via_file_download.yml | 75 ++++++++++++++++++ ...65_exfiltration_via_file_sync_download.yml | 77 ++++++++++++++++++ 3 files changed, 230 insertions(+) create mode 100644 detections/cloud/o365_exfiltration_via_file_access.yml create mode 100644 detections/cloud/o365_exfiltration_via_file_download.yml create mode 100644 detections/cloud/o365_exfiltration_via_file_sync_download.yml diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml new file mode 100644 index 0000000000..9478e196d8 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -0,0 +1,78 @@ +name: O365 Exfiltration via File Access +id: 80b44ae2-60ff-43f1-8e56-34beb49a340a +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| where NOT match(SiteUrl,user_flat) +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| eventstats avg(count) as avg stdev(count) as stdev by Workload +| rename SiteUrl as file_path,Workload as app +| where count > 50 AND count > (avg + (3*(stdev))) +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_access_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file access by $user$ + search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 40 + message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserId + - SourceFileExtension + - Workload + - SiteUrl + risk_score: 20 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml new file mode 100644 index 0000000000..af1d84e317 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
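Review bot: The `| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@")` step in `search:` rewrites every underscore in the UPN, so a member account of the form first_last@example.com (constructed) becomes first@last@example.com and a guest whose local part contains an underscore ends up with several `@` signs, which corrupts the `user` field that the drilldowns, the observables and the risk message all key on. Only the last underscore of a guest UPN stands in for the original `@`, and member UPNs should not be rewritten at all, e.g. `| eval user = if(match(lower(UserId),"#ext#"), replace(mvindex(split(lower(UserId),"#ext#"),0),"_([^_]*)$","@\1"), lower(UserId))`. The same line appears in the file download and file sync download hunks of this patch and is carried over unchanged in patches 14-16. Separately, `| eventstats avg(count) as avg stdev(count) as stdev by Workload` draws its baseline from the same result set it scores, so when only one UserId/SiteUrl group is present avg equals count and stdev is 0 and `count > (avg + (3*(stdev)))` can never hold; confirm whether a fallback to the absolute threshold is intended there, e.g. `| where count > 50 AND (stdev=0 OR count > (avg + (3*(stdev))))`.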
@@ -0,0 +1,75 @@ +name: O365 Exfiltration via File Download +id: 06b23921-bfe2-4576-89dd-616f06e129da +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("filedownloaded") +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| rename SiteUrl as file_path,Workload as app +| where count > 50 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_download_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file downloads by $user$ + search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 50 + message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserId + - Workload + - SiteUrl + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml new file mode 100644 index 0000000000..ae17efbac8 --- /dev/null +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
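Review bot: `user_flat = replace(UserId, "[^A-Za-z0-9]","_")` is assigned in the eval of `search:` but never referenced afterwards — the `| where NOT match(SiteUrl,user_flat)` step that the file access and file sync download searches apply is absent here — so either the own-OneDrive exclusion was dropped by mistake or the assignment is dead and should be removed. The description also promises detection "over a short period of time", yet there is no `bin _time` and `stats ... by Workload,UserId,SiteUrl` aggregates the entire search window, so `count > 50` means 50 distinct files per scheduled run and its meaning shifts with the cron time range; the same holds for the other two searches in this patch. I would extend the `how_to_implement` line to say: `The distinct-file count is evaluated over the whole search window, so the threshold of 50 must be tuned together with the scheduled time range.`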
@@ -0,0 +1,77 @@ +name: O365 Exfiltration via File Sync Download +id: 350837b5-13d3-4c06-b688-db07afbe5050 +version: 1 +date: '2024-10-14' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. +data_source: +- Office 365 Universal Audit Log +search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" +| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") +| where NOT match(SiteUrl,user_flat) +| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl +| rename SiteUrl as file_path,Workload as app +| where count > 50 +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_exfiltration_via_file_sync_download_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed. 
+references: +- https://attack.mitre.org/techniques/T1567/exfil +- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data +- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate file sync downloads by $user$ + search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: Cloud + confidence: 50 + impact: 50 + message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ + mitre_attack_id: + - T1567 + - T1530 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Operation + - UserAgent + - Workload + - UserId + - SiteUrl + risk_score: 25 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + source: o365 + sourcetype: o365:management:activity \ No newline at end of file From e29b0b3f01f071cfda420131f26ad73b148fb7e1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:58:20 -0500 Subject: [PATCH 02/16] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index ae17efbac8..f02c5a3a93 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml @@ -74,4 +74,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 8297766f25e11948e5f2f0e774a6bf87686f984e Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:58:44 -0500 Subject: [PATCH 03/16] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index af1d84e317..c20775daf4 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
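Review bot: The base search in `search:` is gated on `UserAgent="*SkyDriveSync*"`, a client-supplied header, so sync download operations recorded under any other user-agent never reach the threshold logic, while the "Investigate file sync downloads by $user$" drilldown runs without that filter and returns a different population than the alert was computed on. Since `values(UserAgent) as http_user_agent` already preserves the client string for the analyst, consider whether the constraint belongs in the base search or in the `o365_exfiltration_via_file_sync_download_filter` macro, and document the choice in `known_false_positives`. The description also needs wording fixes: `description: The following analytic detects when an excessive number of files are synced from o365 by the same user over a short period of time. A malicious actor may abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event.` with the remaining sentences unchanged.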
@@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 039ef36865181239ace2c2229911749d138f4451 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 15:59:01 -0500 Subject: [PATCH 04/16] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 9478e196d8..023bfd6968 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -75,4 +75,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 2fdbb800e2834f538c6731660d057641e82e3fc2 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:02:55 -0500 Subject: [PATCH 05/16] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 023bfd6968..af52f2e214 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -41,7 +41,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 40 message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ From 2f99dd11212fe4b8cb6ea5274dfd58ce4ec75795 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:03:10 -0500 Subject: [PATCH 06/16] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index c20775daf4..0bcffe5be7 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -39,7 +39,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 50 message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ From bef252afde383ed40b2d423ef1cf88e6c47501f5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:03:29 -0500 Subject: [PATCH 07/16] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index f02c5a3a93..82ceaf64de 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -40,7 +40,7 @@ tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: Cloud + asset_type: O365 Tenant confidence: 50 impact: 50 message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ From 7a00c0567331c1613228975e85057381e7b2a7ab Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:45:35 -0500 Subject: [PATCH 08/16] Update o365_exfiltration_via_file_access.yml --- .../o365_exfiltration_via_file_access.yml | 31 ++++++------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index af52f2e214..d435a3bc99 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -37,38 +37,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover - asset_type: O365 Tenant - confidence: 50 - impact: 40 - message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$ + asset_type: O365 Tenant mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserId - - SourceFileExtension - - Workload - - SiteUrl - risk_score: 20 security_domain: threat tests: - name: True Positive Test 
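Review bot: The new `threat_objects` entry binds `src` as the threat object, but `src` is produced by `latest(ClientIP) as src` in the stats command (outside this hunk), so when a user pulled files from several addresses within the window only the last one is attached to the risk event and the others are never recorded as threat objects. If every address should be retained, `values(ClientIP) as src` in the search yields a multivalue `src` that the risk framework should carry as separate threat objects — worth confirming in ES before relying on it. The same applies to the rba blocks added in patches 09 and 10.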
From 38c3f574a749cd483d437e6a4db4048cd47f91b1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:47:03 -0500 Subject: [PATCH 09/16] Update o365_exfiltration_via_file_download.yml --- .../o365_exfiltration_via_file_download.yml | 28 ++++++------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 0bcffe5be7..4f738b2fa7 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -35,37 +35,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$ mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserId - - Workload - - SiteUrl - risk_score: 25 security_domain: threat tests: - name: True Positive Test From a136609516b69eb0b39ca772345dfa64b01daa14 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:48:07 -0500 Subject: [PATCH 10/16] Update o365_exfiltration_via_file_sync_download.yml --- ...65_exfiltration_via_file_sync_download.yml | 29 ++++++------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index 82ceaf64de..f061d4eb56 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml @@ -36,38 +36,27 @@ drilldown_searches: search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src + type: src tags: analytic_story: - Data Exfiltration - Office 365 Account Takeover asset_type: O365 Tenant - confidence: 50 - impact: 50 - message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$ mitre_attack_id: - T1567 - T1530 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Operation - - UserAgent - - Workload - - UserId - - SiteUrl - risk_score: 25 security_domain: threat tests: - name: True Positive Test From 842ee121151b58c5556bd95ebd3fcb17d6e696d3 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:50:31 -0500 Subject: [PATCH 11/16] Update o365_exfiltration_via_file_access.yml --- detections/cloud/o365_exfiltration_via_file_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index d435a3bc99..2b70c92c61 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -45,7 +45,7 @@ rba: score: 20 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From 0e8ac8a29dbfdb23658fb7463234dce9d1286325 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:50:45 -0500 Subject: [PATCH 12/16] Update o365_exfiltration_via_file_download.yml --- detections/cloud/o365_exfiltration_via_file_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 4f738b2fa7..3a0a3b4a36 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -43,7 +43,7 @@ rba: score: 25 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From ae1b755f2ff14349566e90ab8774119667665984 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:51:10 -0500 Subject: [PATCH 13/16] Update o365_exfiltration_via_file_sync_download.yml --- detections/cloud/o365_exfiltration_via_file_sync_download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index f061d4eb56..d5d8058148 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -44,7 +44,7 @@ rba: score: 25 threat_objects: - field: src - type: src + type: ip_address tags: analytic_story: - Data Exfiltration From 9de89087f343693901e22404fa5dd3eeb30cc50c Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:30:38 -0500 Subject: [PATCH 14/16] Update o365_exfiltration_via_file_access.yml update search yaml for better readability / remove single quote in SPL issues --- .../o365_exfiltration_via_file_access.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 2b70c92c61..7ad89f9c6f 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
@@ -8,16 +8,17 @@ type: Anomaly description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| where NOT match(SiteUrl,user_flat) -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| eventstats avg(count) as avg stdev(count) as stdev by Workload -| rename SiteUrl as file_path,Workload as app -| where count > 50 AND count > (avg + (3*(stdev))) -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_access_filter`' +search: |- + `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg) + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | where NOT match(SiteUrl,user_flat) + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | 
eventstats avg(count) as avg stdev(count) as stdev by Workload + | rename SiteUrl as file_path,Workload as app + | where count > 50 AND count > (avg + (3*(stdev))) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_access_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed. references: From 84c1a4c5e273451a789b2fb19b95967606f3b2e1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:31:04 -0500 Subject: [PATCH 15/16] Update o365_exfiltration_via_file_download.yml update search yaml for better readability / remove single quote in SPL issues --- .../o365_exfiltration_via_file_download.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index 3a0a3b4a36..a4b504d0d8 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml 
@@ -8,14 +8,15 @@ type: Anomaly description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("filedownloaded") -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| rename SiteUrl as file_path,Workload as app -| where count > 50 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_download_filter`' +search: |- + `o365_management_activity` Operation IN ("filedownloaded") + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | rename SiteUrl as file_path,Workload as app + | where count > 50 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_download_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. 
known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed. references: From 1ac26e3bc855b31b68e42b950c2236da203cf1b4 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:31:31 -0500 Subject: [PATCH 16/16] Update o365_exfiltration_via_file_sync_download.yml update search yaml for better readability / remove single quote in SPL issues --- ...65_exfiltration_via_file_sync_download.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index d5d8058148..684ef625ec 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -8,15 +8,16 @@ type: Anomaly description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts. data_source: - Office 365 Universal Audit Log -search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" -| eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") -| where NOT match(SiteUrl,user_flat) -| stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl -| rename SiteUrl as file_path,Workload as app -| where count > 50 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_exfiltration_via_file_sync_download_filter`' +search: |- + `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*" + | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_") + | where NOT match(SiteUrl,user_flat) + | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl + | rename SiteUrl as file_path,Workload as app + | where count > 50 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_exfiltration_via_file_sync_download_filter` 
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed. references: