Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1114 Suspect 0365 Email Actions #3292

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented Jan 23, 2025

Details

This is a set of detections aimed at elevating suspicious email behavior. Actors often use "hard delete" during mailbox compromise scenarios to evade detection/remove evidence, these detections look for behaviors related to this tactic.

  • O365 Email Hard Delete Excessive Volume - Rule
    • The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour).
  • O365 Email Password and Payroll Compromise Behavior - Rule
    • The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
  • O365 Email Receive and Hard Delete Takeover Behavior - Rule
    • The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
  • O365 Email Send and Hard Delete Exfiltration Behavior - Rule
    • The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour).
  • O365 Email Send and Hard Delete Suspicious Behavior - Rule
    • The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour).
  • O365 Email Send Attachments Excessive Volume - Rule
    • The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour).
  • O365 Email New Inbox Rule Created - Rule
    • (This has overlap with existing O365 forwarding rules)
    • The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation.

Pending splunk/attack_data#954

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant