T1098.003 Add Office 365 Global Administrator Role Mappings

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow Create Account or other malicious account activity.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1098.003 Add Office 365 Global Administrator Role
AC-20 Use of External Systems Protects T1098.003 Add Office 365 Global Administrator Role
AC-3 Access Enforcement Protects T1098.003 Add Office 365 Global Administrator Role
AC-5 Separation of Duties Protects T1098.003 Add Office 365 Global Administrator Role
AC-6 Least Privilege Protects T1098.003 Add Office 365 Global Administrator Role
CM-5 Access Restrictions for Change Protects T1098.003 Add Office 365 Global Administrator Role
CM-6 Configuration Settings Protects T1098.003 Add Office 365 Global Administrator Role
IA-2 Identification and Authentication (organizational Users) Protects T1098.003 Add Office 365 Global Administrator Role
IA-5 Authenticator Management Protects T1098.003 Add Office 365 Global Administrator Role
SI-4 System Monitoring Protects T1098.003 Add Office 365 Global Administrator Role
SI-7 Software, Firmware, and Information Integrity Protects T1098.003 Add Office 365 Global Administrator Role
role_based_access_control Role Based Access Control technique_scores T1098.003 Add Office 365 Global Administrator Role
azure_ad_privileged_identity_management Azure AD Privileged Identity Management technique_scores T1098.003 Add Office 365 Global Administrator Role
azure_ad_privileged_identity_management Azure AD Privileged Identity Management technique_scores T1098.003 Add Office 365 Global Administrator Role
cloud_app_security_policies Cloud App Security Policies technique_scores T1098.003 Add Office 365 Global Administrator Role