LoFP / Administrator may legitimately invite external guest users. Filter as needed.

Techniques

Sample rules

O365 External Guest User Invited

Description

The following analytic identifies the invitation of an external guest user within Azure AD (now Microsoft Entra ID). With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. Security teams should monitor external guest account invitations, because an attacker who controls an invited external identity gains unauthorized access to the tenant. An example of this attack vector was described at Black Hat USA 2022 by security researcher Dirk-jan Mollema in his talk Backdooring and Hijacking Azure AD Accounts by Abusing External Identities. This detection uses the Unified Audit Log (UAL), ingested as the o365:management:activity sourcetype, as its data source. Note that the search reads the invited user positionally, from the sixth ModifiedProperties{}.NewValue entry (mvindex index 5), and then extracts an e-mail address from it with a regex whose TLD class is capped at four characters; verify that property ordering against your tenant's Add user events before relying on the user field, and treat an empty user as a parsing gap rather than a clean result.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory AND Operation="Add user*" AND ModifiedProperties{}.NewValue="[*Guest*]" AND ModifiedProperties{}.NewValue="[*Invitation*]" 
| eval user = (mvindex('ModifiedProperties{}.NewValue',5)), src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)) 
| rex field=user "(?<user>[\\w\\.-]+@[\\w-]+\\.[\\w-]{2,4})" 
| stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by Operation,Id,src_user 
| rename Operation as signature, Id as signature_id 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `o365_external_guest_user_invited_filter`

Azure AD External Guest User Invited

Description

The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.

Detection logic

`azure_monitor_aad` operationName="Invite external user" 
| rename properties.*  as * 
| rename initiatedBy.user.userPrincipalName as initiatedBy 
| rename targetResources{}.type as type 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_external_guest_user_invited_filter`
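The two searches above implement the same detection against different sources. The following Python, added here as an illustration and not code from the LoFP page or the Splunk rules it quotes, applies the same conditions to a handful of constructed audit records: the O365 path requires an AzureActiveDirectory Add user operation whose ModifiedProperties carry both Guest and Invitation and picks src_user from the Actor array the way the SPL case() does, and the Azure AD path keys on operationName and initiatedBy. Two deliberate differences from the SPL, both assumptions of this example: the invited user is looked up by property name (UserPrincipalName) and decoded from its #EXT# form instead of being taken from the sixth NewValue entry, and the final step is an allowlist of accounts expected to invite guests, standing in for the *_filter macros and the false-positive note at the top of the page. The record layouts, the property name CreationType, the Actor slot ordering and the target userPrincipalName field are constructed for the sample and should be checked against real events.

```python
"""Guest-invitation detection over constructed O365 / Azure AD audit records.
Added example, not code from the LoFP page or the Splunk rules it quotes."""
import json
import re

# The O365 search's rex, with an open-ended TLD class so long TLDs are not cut.
EMAIL_RE = re.compile(r"[\w.-]+@[\w-]+\.[\w-]{2,}")


def guest_upn_to_email(upn):
    """bob_example.org#EXT#@tenant.onmicrosoft.com -> bob@example.org.
    Only the last '_' is the replaced '@' (domains cannot contain '_')."""
    if "#EXT#@" in upn:
        local = upn.partition("#EXT#@")[0]
        if "_" in local:
            name, _, domain = local.rpartition("_")
            return f"{name}@{domain}"
    match = EMAIL_RE.search(upn)
    return match.group(0) if match else upn


def _new_values(record):
    """ModifiedProperties as {Name: value}; NewValue is a JSON array in a string."""
    props = {}
    for prop in record.get("ModifiedProperties", []):
        raw = prop.get("NewValue", "")
        try:
            value = json.loads(raw)
            value = value[0] if isinstance(value, list) and len(value) == 1 else value
        except (ValueError, TypeError):
            value = raw
        props[prop.get("Name", "")] = value
    return props


def o365_guest_invites(records):
    """O365 search: AzureActiveDirectory 'Add user*' whose new values carry
    both 'Guest' and 'Invitation'; src_user chosen as the SPL case() does."""
    alerts = []
    for rec in records:
        if rec.get("Workload") != "AzureActiveDirectory":
            continue
        if not str(rec.get("Operation", "")).startswith("Add user"):
            continue
        raw = [str(p.get("NewValue", "")) for p in rec.get("ModifiedProperties", [])]
        if not (any("Guest" in v for v in raw) and any("Invitation" in v for v in raw)):
            continue
        # Last Actor{}.ID is a kind tag; users at slot 0, service principals at
        # slot 3 (slot layout assumed, mirroring the SPL).
        actors = [a.get("ID", "") for a in rec.get("Actor", [])]
        if actors and "ServicePrincipal" in actors[-1] and len(actors) > 3:
            src_user = actors[3]
        else:
            src_user = actors[0] if actors else ""
        upn = str(_new_values(rec).get("UserPrincipalName") or " ".join(raw))
        alerts.append({"signature": rec["Operation"], "signature_id": rec.get("Id", ""),
                       "src_user": src_user, "user": guest_upn_to_email(upn)})
    return alerts


def aad_guest_invites(records):
    """Azure AD AuditLogs search: 'Invite external user' keyed on initiatedBy."""
    alerts = []
    for rec in records:
        if rec.get("operationName") != "Invite external user":
            continue
        props = rec.get("properties", {})
        initiator = (props.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "")
        targets = props.get("targetResources", [])
        alerts.append({"signature": rec["operationName"], "src_user": initiator,
                       "type": ",".join(sorted({t.get("type", "") for t in targets})),
                       "result": props.get("result", ""),
                       # invited identity read from the target's UPN (assumed field)
                       "user": sorted(guest_upn_to_email(t["userPrincipalName"])
                                      for t in targets if t.get("userPrincipalName"))})
    return alerts


def lofp_filter(alerts, expected_inviters):
    """Stand-in for the *_filter macros: drop invites from accounts that are
    expected to invite guests (the false positive noted at the top of the page)."""
    allow = {u.lower() for u in expected_inviters}
    return [a for a in alerts if a["src_user"].lower() not in allow]


# Constructed sample records (not real tenant data); CreationType name assumed.
SAMPLE_O365 = [
    {"Workload": "AzureActiveDirectory", "Operation": "Add user.", "Id": "evt-0001",
     "Actor": [{"ID": "admin@contoso.com", "Type": 5}, {"ID": "User", "Type": 2}],
     "ModifiedProperties": [
         {"Name": "UserType", "NewValue": "[\r\n  \"Guest\"\r\n]"},
         {"Name": "CreationType", "NewValue": "[\r\n  \"Invitation\"\r\n]"},
         {"Name": "UserPrincipalName",
          "NewValue": "[\r\n  \"bob_example.org#EXT#@contoso.onmicrosoft.com\"\r\n]"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Add user.", "Id": "evt-0002",
     "Actor": [{"ID": "admin@contoso.com", "Type": 5}, {"ID": "User", "Type": 2}],
     "ModifiedProperties": [  # ordinary member creation: must not alert
         {"Name": "UserType", "NewValue": "[\r\n  \"Member\"\r\n]"},
         {"Name": "UserPrincipalName", "NewValue": "[\r\n  \"carol@contoso.com\"\r\n]"}]},
]
SAMPLE_AAD = [{"operationName": "Invite external user",
               "properties": {"result": "success",
                              "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
                              "targetResources": [{"type": "User", "userPrincipalName":
                                                   "eve_attacker.example#EXT#@contoso.onmicrosoft.com"}]}}]

if __name__ == "__main__":
    allowed = ["admin@contoso.com"]  # accounts expected to invite guests
    hits = o365_guest_invites(SAMPLE_O365) + aad_guest_invites(SAMPLE_AAD)
    for alert in lofp_filter(hits, allowed):
        print(alert)  # only the helpdesk-initiated invite survives the filter
```

Run as-is and the admin-initiated O365 invite is suppressed by the allowlist while the helpdesk-initiated Azure AD invite is reported; the member creation never matches because none of its new values contain Guest or Invitation. When tuning the real *_filter macros, key the allowlist on src_user rather than on the invited address, since the invited identity is exactly what an attacker controls.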