2020-12-20 22:21:21 +03:00
|
|
|
id: 271e8881-3044-4332-a5f4-42264c2e0315
|
2020-12-23 00:47:27 +03:00
|
|
|
name: Anomalous access to other user's mailboxes
|
2020-12-20 22:21:21 +03:00
|
|
|
description: |
|
2020-12-22 22:06:20 +03:00
|
|
|
'Looks for users accessing multiple other user's mailboxes or accessing multiple folders in another users mailbox'
|
2020-12-20 22:21:21 +03:00
|
|
|
requiredDataConnectors:
|
|
|
|
|
- connectorId: Office365
|
|
|
|
|
dataTypes:
|
|
|
|
|
- OfficeActivity
|
|
|
|
|
tactics:
|
|
|
|
|
- Collection
|
|
|
|
|
relevantTechniques:
|
|
|
|
|
- T1114.002
|
2021-01-16 04:26:22 +03:00
|
|
|
tags:
|
|
|
|
|
- Solorigate
|
2021-03-04 21:54:36 +03:00
|
|
|
- NOBELIUM
|
2020-12-20 22:21:21 +03:00
|
|
|
query: |
|
|
|
|
|
|
2021-08-05 01:49:57 +03:00
|
|
|
let starttime = todatetime('{{StartTimeISO}}');
|
|
|
|
|
let endtime = todatetime('{{EndTimeISO}}');
|
|
|
|
|
let lookback = totimespan((endtime-starttime)*2);
|
2020-12-22 22:06:20 +03:00
|
|
|
//Adjust this value to alter how many mailbox (other than their own) a user needs to access before being included in results
|
2020-12-20 22:21:21 +03:00
|
|
|
let user_threshold = 1;
|
2020-12-22 22:06:20 +03:00
|
|
|
//Adjust this value to alter how many mailbox folders in other's email accounts a users needs to access before being included in results.
|
2020-12-20 22:21:21 +03:00
|
|
|
let folder_threshold = 5;
|
2020-12-22 22:06:20 +03:00
|
|
|
//Exclude historical as known good (set lookback and timeframe to same value to skip this)
|
|
|
|
|
OfficeActivity
|
2021-08-05 01:49:57 +03:00
|
|
|
| where TimeGenerated between(ago(lookback)..starttime)
|
2020-12-22 22:06:20 +03:00
|
|
|
| where Operation =~ "MailItemsAccessed"
|
|
|
|
|
| where ResultStatus =~ "Succeeded"
|
|
|
|
|
| where tolower(MailboxOwnerUPN) != tolower(UserId)
|
|
|
|
|
| join kind=rightanti(
|
2020-12-20 22:21:21 +03:00
|
|
|
OfficeActivity
|
2021-08-05 01:49:57 +03:00
|
|
|
| where TimeGenerated between(starttime..endtime)
|
2020-12-22 22:06:20 +03:00
|
|
|
| where Operation =~ "MailItemsAccessed"
|
2020-12-20 22:21:21 +03:00
|
|
|
| where ResultStatus =~ "Succeeded"
|
2020-12-22 22:06:20 +03:00
|
|
|
| where tolower(MailboxOwnerUPN) != tolower(UserId)) on MailboxOwnerUPN, UserId
|
|
|
|
|
| where isnotempty(Folders)
|
2020-12-20 22:21:21 +03:00
|
|
|
| mv-expand parse_json(Folders)
|
|
|
|
|
| extend folders = tostring(Folders.Path)
|
|
|
|
|
| extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), Client_IPAddress)
|
2021-02-19 21:08:52 +03:00
|
|
|
| summarize StartTime=max(TimeGenerated), EndTime=min(TimeGenerated), make_set(folders), make_set(ClientInfoString), make_set(ClientIP), make_set(MailboxGuid), make_set(MailboxOwnerUPN) by UserId
|
2020-12-20 22:21:21 +03:00
|
|
|
| extend folder_count = array_length(set_folders)
|
|
|
|
|
| extend user_count = array_length(set_MailboxGuid)
|
|
|
|
|
| where user_count > user_threshold or folder_count > folder_threshold
|
2020-12-22 22:06:20 +03:00
|
|
|
| extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded","User Threshold Exceeded")
|
2020-12-20 22:21:21 +03:00
|
|
|
| sort by user_count desc
|
2021-02-19 21:08:52 +03:00
|
|
|
| project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders
|
|
|
|
|
| extend timestamp = StartTime, AccountCustomEntity = UserId
|
|
|
|
|
entityMappings:
|
|
|
|
|
- entityType: Account
|
|
|
|
|
fieldMappings:
|
|
|
|
|
- identifier: FullName
|
|
|
|
|
columnName: AccountCustomEntity
|
