Detecting Malicious Guest Accounts and Remote Monitoring and Management (RMM) Tool Deployments in Microsoft Teams with Sigma

Introduction

Microsoft Teams has become a core business communication channel, and that makes it an attractive target for attackers. Recent campaigns use fake guest accounts and links to remote monitoring and management (RMM) tools to get onto users' machines and deliver malware. To help defenders catch this activity, we wrote a Sigma rule that flags suspicious guest accounts sending URLs that point to executables or RMM tools in Teams messages.

In this post, we'll walk through the Sigma rule's logic, show how to put it into action, and provide an equivalent query in Elastic's Kibana Query Language (KQL) that you can use right away. We'll also cover converting the rule for other security platforms with Uncoder.io.

The Challenge: Detecting Malicious Teams Messages

Attackers use fake Microsoft Teams guest accounts on domains such as *@*.onmicrosoft.com (the default domain every Microsoft 365 tenant receives) to impersonate legitimate users, which can be hard to detect. They often share links to executable files or RMM tools, knowing that users tend to trust messages arriving through a familiar platform like Teams.

These malicious messages can:

  • Compromise user credentials or deploy malware if the links are clicked.
  • Allow unauthorized access to sensitive systems via RMM tools.
  • Evade detection by blending in with normal Teams communication.

To address these threats, our Sigma rule is designed to detect potential malicious guest accounts and RMM tool deployments.

Sigma Rule Overview

Our rule, titled Potential Malicious Guest Accounts and RMM Tool Deployment via Teams, is built to detect specific indicators of suspicious activity. Below is the Sigma rule, along with a breakdown of how it detects and flags potentially harmful messages.

title: Potential Malicious Guest Accounts and RMM Tool Deployment via Teams
id: aed9c24f-097a-4505-af85-74b4b83982b0
status: experimental
description: Detects potential malicious guest accounts using onmicrosoft.com and deployment of RMM tools via Teams messages.
references:
    - https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/
    - https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/
author: Saiprashanth Pulisetti ( @pulisettis )
date: 2024-11-01
tags:
    - attack.initial-access
    - attack.t1078
    - attack.execution
    - attack.persistence
    - attack.t1133
    - attack.defense-evasion
    - attack.t1070
    - attack.collection
    - attack.t1114
logsource:
    product: m365
    service: audit
detection:
    selection_domain:
        user.email: '*@*.onmicrosoft.com'
    selection_extensions:
        MessageURLs|endswith:
            - .exe
            - .msi
            - .js
    selection_rmm:
        MessageURLs|contains:
            - ninjaone.com
            - atera.com
            - syncroweb.com
            - superops.com
            - n-able.com
            - gotoremember.com
            - barracudamsp.com
            - manageengine.com
            - site24x7.com
            - paessler.com
            - compuware.com
            - teamviewer.com
            - rippling.com
            - msp360.com
            - pulseway.com
            - optimtune.com
            - connectwise.com
            - domotz.com
            - anydesk.com
    condition: selection_domain and (selection_extensions or selection_rmm)
falsepositives:
    - Legitimate guest users
    - Valid RMM tool deployments
level: high

Explanation of Key Rule Elements

  • Guest Accounts with onmicrosoft.com Domains: The rule identifies external guest accounts with emails ending in @*.onmicrosoft.com, which are commonly used by attackers to impersonate legitimate entities.
  • Executable Links: The rule flags messages containing URLs that end in .exe, .msi, or .js to capture common executable file types often used in phishing attacks.
  • RMM Tool URLs: Known RMM-related domains (e.g., ninjaone.com, atera.com, and teamviewer.com) are included, as attackers sometimes deploy RMM tools to gain persistent access to compromised systems.

How It Works

This Sigma rule triggers an alert if it detects both:

  1. A guest account with an onmicrosoft.com domain.
  2. A message containing a link to an executable file or an RMM tool.

Security analysts can use this rule to spot unusual Teams activity early and prevent potential threats from progressing.

Sample Raw Log

Here’s an example of what a potentially suspicious log entry might look like:

CreationTime: 2024-10-29T14:33:49
UserId: jane.doe@example.com
UserType: 0
UserKey: abcdef12-3456-7890-abcd-ef1234567890
MessageId: ZYXWVUTSRQPONMLK
MessageVersion: M12345678
CommunicationType: OneOnOne
ChatThreadId: 19:abcdef12-3456-7890-abcd-ef1234567890_09876543-2109-8765-4321-56789abcdef0@unq.gbl.spaces
ResourceTenantId: 09876543-2109-8765-4321-56789abcdef0
UserTenantId: abcdef12-3456-7890-abcd-ef1234567890
ParticipantInfo:
  - HasOtherGuestUsers: false
  - ParticipatingSIPDomains:
    - TenantId: 09876543-2109-8765-4321-56789abcdef0
      DomainName: exampletenant.onmicrosoft.com
    - TenantId: 11223344-5566-7788-99aa-bbccddeeff00
      DomainName: fictitiouscorp.com
  - HasForeignTenantUsers: true
  - ParticipatingTenantIds: [09876543-2109-8765-4321-56789abcdef0, 11223344-5566-7788-99aa-bbccddeeff00]
  - HasGuestUsers: false
  - HasUnauthenticatedUsers: false
  - ParticipatingDomains: [fictitiouscorp.com, exampletenant.onmicrosoft.com]
MessageURLs: [https://malicious-link.com/download_malware.exe]
ExtraProperties:
  - TimeZone: Europe/London
  - OsName: Android
  - OsVersion: 13
  - Country: GB
  - ClientName: microsoftteams
  - ClientVersion: 1416/1.0.0.2024183604
  - ClientUtcOffsetSeconds: 3600
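To show the rule's logic end to end, here is an added Python example (not code from the original post or from the Sigma project) that implements the three selections and the condition over events in the flattened field names the KQL query uses (user.email, MessageURLs). The events, message IDs and URLs are constructed for illustration.

```python
import fnmatch

# Patterns copied from the Sigma rule above. Sigma string matching is
# case-insensitive, so every comparison lower-cases the field value first.
GUEST_DOMAIN_GLOB = "*@*.onmicrosoft.com"
EXEC_SUFFIXES = (".exe", ".msi", ".js")
RMM_DOMAINS = ("ninjaone.com", "atera.com", "syncroweb.com", "superops.com",
               "n-able.com", "gotoremember.com", "barracudamsp.com",
               "manageengine.com", "site24x7.com", "paessler.com", "compuware.com",
               "teamviewer.com", "rippling.com", "msp360.com", "pulseway.com",
               "optimtune.com", "connectwise.com", "domotz.com", "anydesk.com")

def selection_domain(event):
    # user.email: '*@*.onmicrosoft.com'
    return fnmatch.fnmatchcase(event.get("user.email", "").lower(), GUEST_DOMAIN_GLOB)

def selection_extensions(event):
    # MessageURLs|endswith: .exe / .msi / .js
    return any(u.lower().endswith(EXEC_SUFFIXES) for u in event.get("MessageURLs", []))

def selection_rmm(event):
    # MessageURLs|contains: any listed RMM vendor domain
    return any(d in u.lower() for u in event.get("MessageURLs", []) for d in RMM_DOMAINS)

def matches(event):
    # condition: selection_domain and (selection_extensions or selection_rmm)
    return selection_domain(event) and (selection_extensions(event) or selection_rmm(event))

def evaluate(events):
    """Map each alerting MessageId to the URL selection(s) that fired, for triage."""
    hits = {}
    for e in events:
        if matches(e):
            hits[e["MessageId"]] = [name for name, fn in (("selection_extensions", selection_extensions),
                                                         ("selection_rmm", selection_rmm)) if fn(e)]
    return hits

# Constructed events (not real audit data) in the flattened shape the KQL query expects.
SAMPLE_EVENTS = [
    {"MessageId": "evt-1", "user.email": "helpdesk@fake-support.onmicrosoft.com",  # fires: guest + .exe
     "MessageURLs": ["https://malicious-link.com/download_malware.exe"]},
    {"MessageId": "evt-2", "user.email": "it-support@fakehelp.onmicrosoft.com",    # fires: guest + RMM domain
     "MessageURLs": ["https://anydesk.com/constructed-installer-path"]},
    {"MessageId": "evt-3", "user.email": "jane.doe@example.com",                   # internal sender: no alert
     "MessageURLs": ["https://intranet.example.com/tools/setup.msi"]},
    {"MessageId": "evt-4", "user.email": "partner@vendor.onmicrosoft.com",         # guest, benign link: no alert
     "MessageURLs": ["https://vendor.example/quote.pdf"]},
]

if __name__ == "__main__":
    for msg_id, why in evaluate(SAMPLE_EVENTS).items():
        print(f"ALERT {msg_id}: {', '.join(why)}")
```

Note that in the sample entry above the onmicrosoft.com domain appears only under ParticipatingSIPDomains while UserId is jane.doe@example.com, so whether that exact entry alerts depends on which audit field your ingest pipeline maps to user.email; the rule as written keys on the sender's address.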

Extending the Rule: Elastic KQL (Kibana Query Language) Query

For security teams using Elastic, here’s the KQL query equivalent of the Sigma rule, allowing the same detection logic within Kibana:

user.email:*@*.onmicrosoft.com and 
(o365.audit.MessageURLs:(*.exe or *.msi or *.js) or 
o365.audit.MessageURLs:(*ninjaone.com* or *atera.com* or *syncroweb.com* or *superops.com* or *n-able.com* or *gotoremember.com* or *barracudamsp.com* or *manageengine.com* or *site24x7.com* or *paessler.com* or *compuware.com* or *teamviewer.com* or *rippling.com* or *msp360.com* or *pulseway.com* or *optimtune.com* or *connectwise.com* or *domotz.com* or *anydesk.com*))

Cross-Platform Adaptability: Converting the Sigma Rule for Other Tools

With Uncoder.io, you can convert this Sigma rule for use in other tools, such as:

  • Splunk SPL: To implement the rule within Splunk environments.
  • Microsoft Sentinel KQL: For Microsoft Sentinel deployments.
  • XDR-Specific Formats: Easily adaptable for XDR tools like SentinelOne, allowing defenders to standardize detection across platforms.

This flexibility is invaluable for organizations that use a multi-tool security stack, ensuring consistent detection and response across all platforms.

Recommended Response Steps

If this rule triggers, SOC teams should:

  1. Investigate the User Account: Verify the guest account with an onmicrosoft.com domain to determine its legitimacy.
  2. Analyze URLs: Evaluate the linked URLs, checking if they belong to legitimate RMM tools or potentially malicious executables.
  3. Take Preventative Actions: If malicious activity is confirmed, disable the guest account, block the malicious domains, and notify the affected users.

Conclusion

Spotting suspicious Teams messages and guest accounts early is essential. By deploying this Sigma rule and converting it for the platforms in your stack, SOC teams can stay ahead of threats that abuse Teams as a delivery channel, and tools like Uncoder.io make that portability straightforward so coverage stays consistent wherever the logs land.

This Sigma rule is a practical layer in keeping Teams safe from social engineering and malware delivery; tune its false-positive exclusions (legitimate guest users, sanctioned RMM deployments) to your environment so it remains a reliable part of your defenses.
