
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation #3775

Open
willemri opened this issue Jun 11, 2024 · 2 comments
Labels: backlog, community, Rule: Tuning (tweaking or tuning an existing rule)

Comments

@willemri

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
https://www.elastic.co/guide/en/security/8.14/prebuilt-rule-0-14-2-o365-exchange-suspicious-mailbox-right-delegation.html

Description

Two issues:

  1. The rule query on the elastic.co site is not the same as the one on GitHub.
  2. I'm not sure if this is by design by Microsoft, or a typo in the rule. The exclusion on user.id: "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" should actually be: "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
     My suggestion would change the query to:

     event.dataset:o365.audit AND event.provider:Exchange AND event.action:Add-MailboxPermission AND
     o365.audit.Parameters.AccessRights:(FullAccess OR SendAs OR SendOnBehalf) AND event.outcome:success AND NOT user.id: ("NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" OR "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)")

Example Data

{
  OrganizationName=gentplus.onmicrosoft.com,
  Parameters=[
    {Value=, Name=DomainController},
    {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx}, Name=Identity},
    {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/Discovery Management, Name=User},
    {Value=FullAccess, Name=AccessRights}
  ],
  RequestId=xxxxxxxx-93af-470a-d21d-xxxxxxxx,
  ResultStatus=True,
  ObjectId=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx},
  UserKey=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost),
  ExternalAccess=true,
  Operation=Add-MailboxPermission,
  OrganizationId=xxxxxxx-1ebf-4335-ad13-xxxxxxxxxxx,
  AppAccessContext={UniqueTokenId=},
  Workload=Exchange,
  OriginatingServer=VI1PR0402MB3566 (15.20.7633.033),
  AppId=,
  RecordType=1,
  Version=1,
  UserId=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost),
  ClientAppId=,
  CreationTime=2024-06-07T14:28:01,
  CorrelationID=,
  Id=xxxxxxxx-93af-470a-d21d-xxxxxxxx,
  UserType=3,
  AppPoolName=MSExchangeServiceHost
}
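The exclusion problem described in this issue, as an added example that is not part of the original issue or of the detection-rules project: a small Python model of the rule's query, evaluated against constructed audit records. The to_ecs mapping is a simplified assumption of how the O365 integration populates the fields the rule queries (the real mapping is richer), and the tenant names, mailbox names and GUIDs are placeholders. It shows the system-generated event escaping the "Servicehost" exclusion because the exact term comparison on user.id is case-sensitive, the proposed exclusion with both spellings suppressing it, and a delegation performed by an admin account still alerting.

```python
"""Hypothetical model of the O365 'Suspicious Mailbox Right Delegation' rule
query, written for this issue; not the detection-rules project's own code."""

# Constructed raw audit record, modelled on the Example Data above
# (placeholder tenant, mailbox and GUID values, not real ones).
RAW_SYSTEM_EVENT = {
    "Workload": "Exchange",
    "Operation": "Add-MailboxPermission",
    "ResultStatus": "True",
    "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
    "Parameters": [
        {"Name": "Identity", "Value": "EXAMPLE-TENANT/DiscoverySearchMailbox{PLACEHOLDER-GUID}"},
        {"Name": "User", "Value": "EXAMPLE-TENANT/Discovery Management"},
        {"Name": "AccessRights", "Value": "FullAccess"},
    ],
}

# Constructed record of an admin account delegating SendAs on another mailbox.
RAW_ADMIN_EVENT = {
    "Workload": "Exchange",
    "Operation": "Add-MailboxPermission",
    "ResultStatus": "True",
    "UserId": "admin@example-tenant.onmicrosoft.com",
    "Parameters": [
        {"Name": "Identity", "Value": "finance-mailbox@example-tenant.onmicrosoft.com"},
        {"Name": "User", "Value": "contractor@example-tenant.onmicrosoft.com"},
        {"Name": "AccessRights", "Value": "SendAs"},
    ],
}


def to_ecs(raw):
    """Simplified approximation (assumption) of how the audit record is mapped
    onto the fields the rule queries; only those fields are produced."""
    params = {p["Name"]: p["Value"] for p in raw.get("Parameters", [])}
    return {
        "event.dataset": "o365.audit",
        "event.provider": raw.get("Workload"),
        "event.action": raw.get("Operation"),
        "event.outcome": "success" if raw.get("ResultStatus") == "True" else "failure",
        "o365.audit.Parameters.AccessRights": params.get("AccessRights"),
        "user.id": raw.get("UserId"),
    }


SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Exclusion as written in the rule at the time of the issue (lower-case 'h').
ORIGINAL_EXCLUSIONS = ("NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",)
# Exclusion as proposed in the issue: both spellings.
PROPOSED_EXCLUSIONS = (
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
    "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
)


def rule_matches(ecs, exclusions, case_sensitive=True):
    """Return True when the rule query would alert on this event.

    case_sensitive=True mirrors the exact term match KQL performs on a keyword
    field such as user.id; case_sensitive=False shows what folding case before
    comparing would do instead."""
    if ecs["event.dataset"] != "o365.audit" or ecs["event.provider"] != "Exchange":
        return False
    if ecs["event.action"] != "Add-MailboxPermission" or ecs["event.outcome"] != "success":
        return False
    rights = ecs["o365.audit.Parameters.AccessRights"]
    rights = rights if isinstance(rights, list) else [rights]  # AccessRights may be multi-valued
    if not SUSPICIOUS_RIGHTS.intersection(rights):
        return False
    uid = ecs["user.id"]
    if case_sensitive:
        return uid not in exclusions
    return uid.casefold() not in {e.casefold() for e in exclusions}


def triage(raw, exclusions, case_sensitive=True):
    """Map a raw record and evaluate the rule against it."""
    return rule_matches(to_ecs(raw), exclusions, case_sensitive)


if __name__ == "__main__":
    print("system event, original exclusion:", triage(RAW_SYSTEM_EVENT, ORIGINAL_EXCLUSIONS))  # True (noisy alert)
    print("system event, proposed exclusion:", triage(RAW_SYSTEM_EVENT, PROPOSED_EXCLUSIONS))  # False
    print("admin event, proposed exclusion: ", triage(RAW_ADMIN_EVENT, PROPOSED_EXCLUSIONS))   # True
```

Keeping the exclusion as an explicit list of both spellings, as the issue proposes, preserves the exact keyword match while covering the spelling the audit log actually emits; a case-folded comparison would also work but is not how the rule's KQL term match behaves on a keyword field.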


@willemri willemri added the Rule: Tuning tweaking or tuning an existing rule label Jun 11, 2024
@willem-dhaese

Related to #3702

@w0rk3r w0rk3r self-assigned this Jun 12, 2024
@w0rk3r w0rk3r assigned terrancedejesus and unassigned w0rk3r Jul 31, 2024
@janniten (Contributor)

janniten commented Aug 5, 2024

+1
