M365 SharePoint Site Administrator Added
- source: elastic
- techniques:
  - T1098
Description
Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.
Detection logic
event.dataset:o365.audit
and event.provider:(SharePoint or OneDrive)
and event.category:web
and event.action:SiteCollectionAdminAdded
and event.outcome:success
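To check what the rule actually keys on, the KQL above is applied below to a handful of constructed o365.audit events. This is an added example, not Elastic's code or the rule's own test data: the event shapes follow the ECS layout the Elastic o365 integration produces, and the enrichment fields used for triage (o365.audit.UserId, o365.audit.TargetUserOrGroupName, o365.audit.SiteUrl) are assumed names.

```python
"""Added example (not Elastic's code): apply the rule's KQL clauses to
constructed o365.audit events so the logic can be exercised offline."""

# Constructed ECS-style events. The o365.audit.* fields used only for
# triage output (UserId, TargetUserOrGroupName, SiteUrl) are assumed names.
SAMPLE_EVENTS = [
    {   # privileged account adds a second account as site admin: should alert
        "event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
                  "action": "SiteCollectionAdminAdded", "outcome": "success"},
        "o365": {"audit": {"UserId": "it-admin@example.onmicrosoft.com",
                           "TargetUserOrGroupName": "svc-backup@example.onmicrosoft.com",
                           "SiteUrl": "https://example.sharepoint.com/sites/finance"}},
    },
    {   # a OneDrive is a SharePoint site collection underneath; the rule covers it too
        "event": {"dataset": "o365.audit", "provider": "OneDrive", "category": ["web"],
                  "action": "SiteCollectionAdminAdded", "outcome": "success"},
        "o365": {"audit": {"UserId": "it-admin@example.onmicrosoft.com",
                           "TargetUserOrGroupName": "contractor@example.onmicrosoft.com",
                           "SiteUrl": "https://example-my.sharepoint.com/personal/ceo_example_onmicrosoft_com"}},
    },
    {   # same action but it failed: the rule requires event.outcome:success
        "event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
                  "action": "SiteCollectionAdminAdded", "outcome": "failure"},
        "o365": {"audit": {"UserId": "user@example.onmicrosoft.com",
                           "TargetUserOrGroupName": "user@example.onmicrosoft.com",
                           "SiteUrl": "https://example.sharepoint.com/sites/hr"}},
    },
    {   # removal of a site admin: different action, out of scope for this rule
        "event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
                  "action": "SiteCollectionAdminRemoved", "outcome": "success"},
        "o365": {"audit": {"UserId": "it-admin@example.onmicrosoft.com",
                           "TargetUserOrGroupName": "former-admin@example.onmicrosoft.com",
                           "SiteUrl": "https://example.sharepoint.com/sites/finance"}},
    },
    {   # otherwise matching fields from another workload: provider filter excludes it
        "event": {"dataset": "o365.audit", "provider": "Exchange", "category": ["web"],
                  "action": "SiteCollectionAdminAdded", "outcome": "success"},
        "o365": {"audit": {"UserId": "x@example.onmicrosoft.com"}},
    },
]


def _get(doc, dotted, default=None):
    """Walk a dotted ECS path such as 'event.category' through nested dicts."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _contains(value, wanted):
    """KQL 'field:value' on a keyword field is an exact, case-sensitive match;
    an ECS array field (event.category is one) matches if any element equals it."""
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def matches_rule(event):
    """True when the event satisfies every clause of the rule's KQL."""
    return (
        _contains(_get(event, "event.dataset"), "o365.audit")
        and any(_contains(_get(event, "event.provider"), p) for p in ("SharePoint", "OneDrive"))
        and _contains(_get(event, "event.category"), "web")
        and _contains(_get(event, "event.action"), "SiteCollectionAdminAdded")
        and _contains(_get(event, "event.outcome"), "success")
    )


def find_site_admin_adds(events):
    """Return triage-ready records (actor, new admin, site) for each hit."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "actor": _get(ev, "o365.audit.UserId"),
                "new_admin": _get(ev, "o365.audit.TargetUserOrGroupName"),
                "site": _get(ev, "o365.audit.SiteUrl"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_site_admin_adds(SAMPLE_EVENTS):
        print(f"{hit['actor']} added {hit['new_admin']} as site admin on {hit['site']}")
```

Two of the five constructed events fire: the SharePoint add and the OneDrive add. The failed attempt, the removal and the Exchange event do not. Note that the rule fires on every successful addition, including routine ones by IT staff, so triage hinges on who the actor is and whether the new admin is an expected owner of that site; in Kibana the usual tuning is a rule exception for known provisioning accounts rather than loosening the query.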