Account Manipulation: Add Office 365 Global Administrator Role

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.[1][2] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.[2]

This account modification may immediately follow Create Account or other malicious account activity.

ID: T1098.003
Sub-technique of: T1098
Tactic: Persistence
Platforms: Office 365
Permissions Required: Administrator
Data Sources: Office 365 audit logs
Contributors: Microsoft Threat Intelligence Center (MSTIC)
Version: 1.0
Created: 19 January 2020
Last Modified: 24 March 2020

Mitigations

Mitigation: Multi-factor Authentication
Description: Use multi-factor authentication for user and privileged accounts.

Mitigation: Privileged Account Management
Description: Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor the number of accounts holding admin roles and alert when it exceeds the expected number of known admins.
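The detection above can be implemented as a review of role-assignment events in the Office 365 Unified Audit Log. The following is an added example, not part of the ATT&CK page or any MITRE tooling: it extracts "Add member to role." events that grant the Global Administrator role (which appears as "Company Administrator" in older records), compares the recipients against a baseline of known admins, and flags when the resulting admin headcount exceeds a threshold. The sample records are constructed, and the exact Operation string and ModifiedProperties layout are assumptions about the Office 365 Management Activity API schema; KNOWN_ADMINS and MAX_ADMINS are illustrative values.

```python
import json
from dataclasses import dataclass

# Display names and role template ID under which the Global Administrator role shows up
# in Azure AD audit records. "Company Administrator" is the older display name.
GLOBAL_ADMIN_ROLE_NAMES = {"Company Administrator", "Global Administrator"}
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Assumed Operation value for a role membership grant (Azure AD audit schema).
ROLE_ADD_OPERATION = "Add member to role."

# Constructed sample of Unified Audit Log records (AzureActiveDirectory workload).
SAMPLE_AUDIT_LOG = json.dumps([
    {"CreationTime": "2020-03-01T10:15:02", "Operation": "Add member to role.",
     "UserId": "admin.alice@contoso.example", "ObjectId": "svc-backup@contoso.example",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "Company Administrator", "OldValue": ""},
         {"Name": "Role.TemplateId", "NewValue": GLOBAL_ADMIN_TEMPLATE_ID, "OldValue": ""}]},
    {"CreationTime": "2020-03-01T10:20:41", "Operation": "Add member to role.",
     "UserId": "admin.alice@contoso.example", "ObjectId": "helpdesk.bob@contoso.example",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator", "OldValue": ""}]},
    {"CreationTime": "2020-03-01T11:02:13", "Operation": "Update user.",
     "UserId": "admin.carol@contoso.example", "ObjectId": "helpdesk.bob@contoso.example",
     "ModifiedProperties": [{"Name": "Department", "NewValue": "IT", "OldValue": ""}]},
    {"CreationTime": "2020-03-02T03:47:55", "Operation": "Add member to role.",
     "UserId": "svc-backup@contoso.example", "ObjectId": "contractor.eve@contoso.example",
     "ModifiedProperties": [
         {"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]},
])

# Illustrative baseline: the admins the tenant owner expects, and the maximum headcount.
KNOWN_ADMINS = {"admin.alice@contoso.example", "admin.carol@contoso.example"}
MAX_ADMINS = 2


@dataclass(frozen=True)
class RoleAssignment:
    time: str
    actor: str   # UserId: the account that performed the assignment
    target: str  # ObjectId: the account that received the role
    role: str


def load_audit_log(raw_json):
    """Parse exported audit records (a JSON array) into a list of dicts."""
    return json.loads(raw_json)


def _property(record, name):
    """Return NewValue of the named ModifiedProperties entry, or None if absent."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return prop.get("NewValue")
    return None


def global_admin_additions(records):
    """Return every role-add event that grants the Global Administrator role.

    Matches on either the display name or the role template ID so that both old
    and new record formats are caught.
    """
    found = []
    for rec in records:
        if rec.get("Operation") != ROLE_ADD_OPERATION:
            continue
        role = _property(rec, "Role.DisplayName")
        template = _property(rec, "Role.TemplateId")
        if role in GLOBAL_ADMIN_ROLE_NAMES or template == GLOBAL_ADMIN_TEMPLATE_ID:
            found.append(RoleAssignment(rec["CreationTime"], rec["UserId"],
                                        rec["ObjectId"], role or "Global Administrator"))
    return found


def review_global_admins(records, known_admins, max_admins):
    """Compare observed Global Administrator grants against the known-admin baseline
    and the headcount threshold; returns the findings an analyst would triage."""
    additions = global_admin_additions(records)
    current_admins = set(known_admins) | {a.target for a in additions}
    unexpected = sorted({a.target for a in additions if a.target not in known_admins})
    return {
        "additions": additions,
        "unexpected_admins": unexpected,
        "admin_count": len(current_admins),
        "over_threshold": len(current_admins) > max_admins,
    }


if __name__ == "__main__":
    findings = review_global_admins(load_audit_log(SAMPLE_AUDIT_LOG), KNOWN_ADMINS, MAX_ADMINS)
    for a in findings["additions"]:
        print(f"{a.time} {a.actor} granted {a.role!r} to {a.target}")
    print("unexpected admins:", findings["unexpected_admins"])
    print("admin count:", findings["admin_count"], "over threshold:", findings["over_threshold"])
```

In the sample, the second global-admin grant is performed by the service account that was itself promoted the day before, which is the pattern the technique describes: a freshly elevated account extending persistence to another one. In production, feed the function records exported from the Unified Audit Log and keep KNOWN_ADMINS in sync with the tenant's change process, so that any addition outside that process surfaces as unexpected.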

References