From e23ed50fc60b805655ee977128cad2dfea6e815f Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Fri, 14 Feb 2025 19:53:37 +0000
Subject: [PATCH 1/7] O365 Suspicious Mailbox Rule Created
---
 .../o365_suspicious_mailbox_rule_created.yml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 detections/cloud/o365_suspicious_mailbox_rule_created.yml
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
new file mode 100644
index 0000000000..83f3c63bce
--- /dev/null
+++ b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
@@ -0,0 +1,57 @@
+name: O365 Suspicious Mailbox Rule Created
+id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
+version: 1
+date: '2025-02-14'
+author: 0xC0FFEEEE
+type: TTP
+status: production
+enabled_by_default: true
+description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
+ This may indicate that an attacker has gained access to the account.
+search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
+ as * | eval temp=mvzip(Name,Value, "") | fields - Name Value | mvexpand temp
+ | eval temp_name=mvindex(split(temp,""),0), temp_value=mvindex(split(temp,""),1)
+ | eval {temp_name}=temp_value | stats values(Name) as Name, values(MarkAsRead) as
+ MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name
+ | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,
+ 0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
+ "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
+ | where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
+ Office 365 management activity events.
+known_false_positives: Short rule names may trigger false positives. Adjust
+ the entropy and length thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1564/008/
+drilldown_searches:
+- name: View the detection results
+ search: '%original_detection_search%'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $user$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A suspicious mailbox rule was created by $user$
+ risk_objects:
+ - field: user
+ type: user
+ score: 25
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1564.008
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: audit
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log
+ sourcetype: o365:management:activity
+ source: o365
From b4783e0319c7c35244fb40cf1d4b4d40cec44fec Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Wed, 19 Feb 2025 07:52:12 +0000
Subject: [PATCH 2/7] remove enabled_by_default
---
 detections/cloud/o365_suspicious_mailbox_rule_created.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
index 83f3c63bce..ce6873bcf0 100644
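Review bot: The `temp_name`/`temp_value` extraction in `search` cannot work as written, because `mvzip(Name,Value, "")` joins each name/value pair with an empty delimiter and `split(temp,"")` then has no boundary to split on, so the dynamic `eval {temp_name}=temp_value` that is meant to populate `MarkAsRead` and `MoveToFolder` will not produce the expected fields; a non-empty separator such as `mvzip(Name,Value,"=")` paired with `split(temp,"=")` is needed (patch 6 in this series removes this pre-processing altogether). Separately, `folder_score` is case-sensitive and credits only a move into `RSS`, `Conversation History` or `Archive`, so a rule that hides mail via the `DeleteMessage` parameter or a move to `Deleted Items`/`Junk Email` can never collect that point and is unlikely to reach `suspicious_score>2`; either widen the match or note that coverage gap in the description. The `MarkAsRead="True"` test is a string comparison against the audited parameter value, which is worth a short remark in `how_to_implement` so the thresholds in `known_false_positives` are tuned with that in mind.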
--- a/detections/cloud/o365_suspicious_mailbox_rule_created.yml
+++ b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
@@ -5,7 +5,6 @@ date: '2025-02-14'
 author: 0xC0FFEEEE
 type: TTP
 status: production
-enabled_by_default: true
 description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
 This may indicate that an attacker has gained access to the account.
 search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
From f9c28ccdb334d9d9c92a422e1037f0386703d3e6 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 19 Feb 2025 12:33:51 -0800
Subject: [PATCH 3/7] minor changes to ensure CI testing works
---
 detections/cloud/o365_suspicious_mailbox_rule_created.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
index ce6873bcf0..6168775f9f 100644
--- a/detections/cloud/o365_suspicious_mailbox_rule_created.yml
+++ b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
@@ -2,7 +2,7 @@ name: O365 Suspicious Mailbox Rule Created
 id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
 version: 1
 date: '2025-02-14'
-author: 0xC0FFEEEE
+author: '0xC0FFEEEE, Github Community'
 type: TTP
 status: production
 description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
@@ -37,6 +37,7 @@ rba:
 - field: user
 type: user
 score: 25
+ threat_objects: []
 tags:
 analytic_story:
 - Office 365 Account Takeover
From 7e9f15047457077150e6ef7dcbc9abe90c0e185d Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Wed, 19 Feb 2025 22:17:11 +0000
Subject: [PATCH 4/7] add url toolbox requirement
---
 detections/cloud/o365_suspicious_mailbox_rule_created.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
index 6168775f9f..925030c0b1 100644
--- a/detections/cloud/o365_suspicious_mailbox_rule_created.yml
+++ b/detections/cloud/o365_suspicious_mailbox_rule_created.yml
@@ -17,7 +17,8 @@ search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule"
 "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
 | where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`'
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
- Office 365 management activity events.
+ Office 365 management activity events. You also need to have the Splunk TA URL
+ Toolbox (https://splunkbase.splunk.com/app/2734/) installed.
 known_false_positives: Short rule names may trigger false positives. Adjust
 the entropy and length thresholds as needed.
 references:
From 10d1435990c162c230cac85bbca110ec6a0ac6d5 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Tue, 25 Feb 2025 22:04:49 +0000
Subject: [PATCH 5/7] Update detection name
---
 ...created.yml => o365_bec_email_hiding_rule_created.yml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename detections/cloud/{o365_suspicious_mailbox_rule_created.yml => o365_bec_email_hiding_rule_created.yml} (86%)
diff --git a/detections/cloud/o365_suspicious_mailbox_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml
similarity index 86%
rename from detections/cloud/o365_suspicious_mailbox_rule_created.yml
rename to detections/cloud/o365_bec_email_hiding_rule_created.yml
index 925030c0b1..54dffb8b87 100644
--- a/detections/cloud/o365_suspicious_mailbox_rule_created.yml
+++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml
@@ -1,11 +1,11 @@
-name: O365 Suspicious Mailbox Rule Created
+name: O365 BEC Email Hiding Rule Created
 id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
 version: 1
 date: '2025-02-14'
 author: '0xC0FFEEEE, Github Community'
 type: TTP
 status: production
-description: This analytic detects suspicious mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
+description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
 This may indicate that an attacker has gained access to the account.
 search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
 as * | eval temp=mvzip(Name,Value, "") | fields - Name Value | mvexpand temp
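Review bot: The reworded `description` now says the analytic "detects mailbox rule creation", which is broader than what `search` does: only rules whose combined attribute score exceeds 2 (short or low-entropy `Name`, `MarkAsRead`, move to RSS/Conversation History/Archive) are returned, and the dropped word "suspicious" was the only hint of that. Suggest `description: This analytic detects the creation of mailbox rules whose attributes (short or low-entropy name, mark-as-read, move to a rarely viewed folder) are characteristic of the email-hiding rules used in Business Email Compromise.` followed by the existing second sentence. The `search` scalar continues past the end of this hunk.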
@@ -15,7 +15,7 @@ search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule"
 | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,
 0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
 "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
- | where suspicious_score>2 | `o365_suspicious_mailbox_rule_created_filter`'
+ | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`'
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
 Office 365 management activity events. You also need to have the Splunk TA URL
 Toolbox (https://splunkbase.splunk.com/app/2734/) installed.
@@ -33,7 +33,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: A suspicious mailbox rule was created by $user$
+ message: Potential BEC mailbox rule was created by $user$
 risk_objects:
 - field: user
 type: user
From 9d23cc4bf0189f0130da335e2d4ead6d14899659 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Thu, 27 Feb 2025 07:35:08 +0000
Subject: [PATCH 6/7] simplify SPL & add threat object
---
 .../cloud/o365_bec_email_hiding_rule_created.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml
index 54dffb8b87..fdd0710400 100644
--- a/detections/cloud/o365_bec_email_hiding_rule_created.yml
+++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml
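Review bot: The new `rba.message` in the second hunk names only the account, although the rule name is the fact an analyst needs first and it is already in the result set as `Name` (from the `stats values(Name) as Name` earlier in `search`); `message: Potential BEC mailbox rule "$Name$" was created by $user$` would make the risk event self-explanatory without opening the drilldown. The `rba` block continues past the hunk (`score` and `tags`), so this is a one-line change.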
@@ -7,13 +7,11 @@ type: TTP
 status: production
 description: This analytic detects mailbox rule creation, a common technique used in Business Email Compromise. It uses a scoring mechanism to identify a combination of attributes often featured in mailbox rules created by attackers.
 This may indicate that an attacker has gained access to the account.
-search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" | rename Parameters{}.*
- as * | eval temp=mvzip(Name,Value, "") | fields - Name Value | mvexpand temp
- | eval temp_name=mvindex(split(temp,""),0), temp_value=mvindex(split(temp,""),1)
- | eval {temp_name}=temp_value | stats values(Name) as Name, values(MarkAsRead) as
- MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name
- | eval entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,
- 0) | eval read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
+search: '`o365_management_activity` Workload=Exchange Operation="New-InboxRule" |
+ stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder)
+ as MoveToFolder by _time Id user | lookup ut_shannon_lookup word as Name | eval
+ entropy_score=if(ut_shannon<=2, 1, 0) | eval len_score=if(len(Name)<=3, 1,0) | eval
+ read_score=if(MarkAsRead="True", 1, 0) | eval folder_score=if(match(MoveToFolder,
 "^(RSS|Conversation History|Archive)"), 1, 0) | eval suspicious_score=entropy_score+len_score+read_score+folder_score
 | where suspicious_score>2 | `o365_bec_email_hiding_rule_created_filter`'
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
@@ -38,7 +36,9 @@ rba:
 - field: user
 type: user
 score: 25
- threat_objects: []
+ threat_objects:
+ - field: Name
+ type: signature
 tags:
 analytic_story:
 - Office 365 Account Takeover
From d5feba1042182ad2a34a6c4a91ad19a834f1a9fb Mon Sep 17 00:00:00 2001
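Review bot: After dropping the `rename Parameters{}.* as *` / `mvzip` pre-processing in the first hunk, `stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) as MoveToFolder` assumes those three fields already exist on the raw `New-InboxRule` event, and nothing in the hunk shows what produces them; if they are not extracted upstream, `MarkAsRead` and `MoveToFolder` come back empty, `read_score` and `folder_score` are always 0, and `suspicious_score>2` becomes unreachable. If the fields come from the add-on's extractions, `how_to_implement` (just outside the hunk) should say so, so the dependency is explicit; either way the True Positive Test should confirm that the scoring fields are populated rather than only that the search parses. The second hunk's `threat_objects` entry (`field: Name`, `type: signature`) is consistent with `Name` being the rule name.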
From: Bhavin Patel
Date: Tue, 11 Mar 2025 13:22:04 -0700
Subject: [PATCH 7/7] drilldown update- minor
---
 detections/cloud/o365_bec_email_hiding_rule_created.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml
index fdd0710400..51e7cd1c9a 100644
--- a/detections/cloud/o365_bec_email_hiding_rule_created.yml
+++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml
@@ -22,8 +22,8 @@ known_false_positives: Short rule names may trigger false positives. Adjust
 references:
 - https://attack.mitre.org/techniques/T1564/008/
 drilldown_searches:
-- name: View the detection results
- search: '%original_detection_search%'
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search dest = "$user$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for $user$
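Review bot: The new drilldown `search: '%original_detection_search% | search dest = "$user$"'` filters on a field the detection never emits: the base search ends with `stats ... by _time Id user`, so its results carry `user` (plus `Id` and `Name`) and no `dest`, and the drilldown will return zero rows for every alert. Change it to `search: '%original_detection_search% | search user = "$user$"'`, and consider dropping the stray dash from the label `View the detection results for - "$user$"`.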