Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)
In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-03 | Access Enforcement | Protects | T1199 | Trusted Relationship | |
| AC-04 | Information Flow Enforcement | Protects | T1199 | Trusted Relationship | |
| AC-06 | Least Privilege | Protects | T1199 | Trusted Relationship | |
| AC-08 | System Use Notification | Protects | T1199 | Trusted Relationship | |
| CM-06 | Configuration Settings | Protects | T1199 | Trusted Relationship | |
| CM-07 | Least Functionality | Protects | T1199 | Trusted Relationship | |
| SC-46 | Cross Domain Policy Enforcement | Protects | T1199 | Trusted Relationship | |
| SC-07 | Boundary Protection | Protects | T1199 | Trusted Relationship | |
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1199 | Trusted Relationship |
Comments
The RBAC control can be used to implement the principle of least privilege to properly manage accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize the the potential abuse by the party and if it is comprised by an adversary.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| DO365-AG-E5 | App Governance | Technique Scores | T1199 | Trusted Relationship |
Comments
App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization
App Governance Detects Trusted Relationship attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.
License Requirements:
Microsoft Defender for Cloud Apps
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1199 | Trusted Relationship |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Trusted Relationship attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for newly constructed logon behavior.
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|