Account Manipulation: Add Office 365 Global Administrator Role

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.[1][2] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.[2]

This account modification may immediately follow Create Account or other malicious account activity.

ID: T1098.003
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Office 365
Permissions Required: Administrator
Contributors: Microsoft Threat Intelligence Center (MSTIC)
Version: 1.0
Created: 19 January 2020
Last Modified: 24 March 2020

Mitigations

ID     Mitigation
M1032  Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts, in particular for every account that holds the Global Administrator role, so that a stolen password alone is not enough to reach the role-assignment portal or API.

M1026  Privileged Account Management

Do not allow domain administrator or Global Administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID      Data Source    Data Component
DS0002  User Account   User Account Modification

Collect audit logs covering cloud administrator accounts and review role-assignment events for unusual activity: an assignment made at an odd hour, made by an account that is not itself a known administrator, or made to a newly created account. Alert when the Global Administrator role is assigned to an account outside the known set of administrators, and when the number of accounts holding the role exceeds the expected baseline of known admins.
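The detection logic above, as an added example that is not part of the original page and not MITRE's or Microsoft's code. It scans role-change audit records, flags Global Administrator assignments to accounts outside a known-admin baseline or made by non-baseline actors, and tracks the running count of role holders against a threshold. The sample records are constructed; their field names (Operation "Add member to role." / "Remove member from role.", ModifiedProperties with Role.DisplayName and Role.TemplateId) follow the shape of Azure AD role-change events in the Office 365 Unified Audit Log as I know it and should be verified against your own tenant's export. Matching is done on the role template ID rather than the display name, since the template ID is stable across tenants and languages.

```python
"""Detect Global Administrator role additions in Office 365 audit records.

Added example, not MITRE's or Microsoft's code. Record layout is an assumption
modelled on Unified Audit Log role-change events; verify against real exports.
"""
import json
from dataclasses import dataclass

# Well-known directory role template ID for Global Administrator.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
ADD_OP = "Add member to role."
REMOVE_OP = "Remove member from role."

# Constructed sample records (newline-delimited JSON), not real tenant data.
# Note the removal event carries the role in OldValue rather than NewValue.
SAMPLE_LOG = r'''
{"CreationTime":"2020-03-01T09:12:44","Operation":"Add member to role.","UserId":"alice.admin@contoso.example","ObjectId":"svc-backup@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"},{"Name":"Role.TemplateId","NewValue":"62e90394-69f5-4237-9190-012177145e10"}]}
{"CreationTime":"2020-03-01T09:15:02","Operation":"Add member to role.","UserId":"alice.admin@contoso.example","ObjectId":"bob@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Helpdesk Administrator"},{"Name":"Role.TemplateId","NewValue":"729827e3-9c14-49f7-bb1b-9608f156bbb8"}]}
{"CreationTime":"2020-03-01T23:41:10","Operation":"Add member to role.","UserId":"svc-backup@contoso.example","ObjectId":"new-user-7731@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"},{"Name":"Role.TemplateId","NewValue":"62e90394-69f5-4237-9190-012177145e10"}]}
{"CreationTime":"2020-03-02T08:00:00","Operation":"Remove member from role.","UserId":"alice.admin@contoso.example","ObjectId":"svc-backup@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","OldValue":"Global Administrator"},{"Name":"Role.TemplateId","OldValue":"62e90394-69f5-4237-9190-012177145e10"}]}
'''


@dataclass(frozen=True)
class Alert:
    time: str
    reason: str
    actor: str   # account that performed the role change (UserId)
    target: str  # account that received or lost the role (ObjectId)


def parse_records(log_text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def role_template_id(record: dict):
    """Return the role template ID from ModifiedProperties.

    Adds populate NewValue; removals populate OldValue, so check both."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.TemplateId":
            return prop.get("NewValue") or prop.get("OldValue")
    return None


def is_global_admin_change(record: dict) -> bool:
    """True for an add/remove event whose role is Global Administrator."""
    return (record.get("Operation") in (ADD_OP, REMOVE_OP)
            and role_template_id(record) == GLOBAL_ADMIN_TEMPLATE_ID)


def detect_global_admin_abuse(records, known_admins, max_admins):
    """Walk records in order; return (alerts, current set of role holders).

    known_admins: the approved Global Administrator baseline.
    max_admins:   alert when the live count of role holders exceeds this."""
    known = set(known_admins)
    current = set(known)  # assume the baseline holds the role at the start
    alerts = []
    for rec in records:
        if not is_global_admin_change(rec):
            continue
        when = rec.get("CreationTime", "")
        actor = rec.get("UserId", "")
        target = rec.get("ObjectId", "")
        if rec["Operation"] == REMOVE_OP:
            current.discard(target)
            continue
        current.add(target)
        if target not in known:
            alerts.append(Alert(when, "global_admin_added_to_unknown_account", actor, target))
        if actor not in known:
            alerts.append(Alert(when, "global_admin_granted_by_unknown_account", actor, target))
        if len(current) > max_admins:
            alerts.append(Alert(when, "global_admin_count_exceeds_threshold", actor, target))
    return alerts, current


def run_demo():
    """Run the detector over the constructed sample with a two-admin baseline."""
    baseline = {"alice.admin@contoso.example", "carol.admin@contoso.example"}
    return detect_global_admin_abuse(parse_records(SAMPLE_LOG), baseline, max_admins=3)


if __name__ == "__main__":
    found, holders = run_demo()
    for a in found:
        print(f"{a.time} {a.reason}: {a.actor} -> {a.target}")
    print("current Global Administrators:", sorted(holders))
```

On the sample, the first assignment fires once (baseline admin grants the role to an unknown service account); the late-night assignment fires three times (unknown target, unknown actor, and the count rising to four against a threshold of three). The helpdesk assignment is ignored, and the later removal brings the live set back to three. The alert on the actor is the one to watch in practice: a freshly elevated account immediately elevating another is the pattern the technique describes.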

References