Account Manipulation: Add Office 365 Global Administrator Role
Other sub-techniques of Account Manipulation (4)
ID | Name |
---|---|
T1098.001 | Additional Cloud Credentials |
T1098.002 | Exchange Email Delegate Permissions |
T1098.003 | Add Office 365 Global Administrator Role |
T1098.004 | SSH Authorized Keys |
An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.[1][2] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.[2]
This account modification may immediately follow Create Account or other malicious account activity.
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for cases where the number of accounts assigned to admin roles goes over a certain threshold of known admins.
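One way to implement the checks described above, as an added example that is not part of the original page: it replays role-assignment events and flags Global Administrator grants to accounts outside a known-admin baseline, grants that closely follow account creation, and admin counts above a threshold. The record layout, operation names, baseline, threshold and one-hour window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed tenant values; tune per environment. The event layout is a simplified,
# constructed schema, not the native audit log export format.
GLOBAL_ADMIN_ROLE = "Global Administrator"
KNOWN_ADMINS = {"alice@example.com", "bob@example.com"}
MAX_ADMINS = 2
NEW_ACCOUNT_WINDOW = timedelta(hours=1)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "op": "add_user", "actor": "bob@example.com", "target": "svc-backup@example.com"},
    {"time": "2024-05-01T09:04:00", "op": "add_role_member", "actor": "bob@example.com", "target": "svc-backup@example.com", "role": "Global Administrator"},
    {"time": "2024-05-01T10:00:00", "op": "add_role_member", "actor": "alice@example.com", "target": "carol@example.com", "role": "Helpdesk Administrator"},
    {"time": "2024-05-02T08:00:00", "op": "remove_role_member", "actor": "alice@example.com", "target": "svc-backup@example.com", "role": "Global Administrator"},
    {"time": "2024-05-03T08:00:00", "op": "add_role_member", "actor": "alice@example.com", "target": "dave@example.com", "role": "Global Administrator"},
]

def detect(events, known_admins=KNOWN_ADMINS, max_admins=MAX_ADMINS):
    """Return one alert per suspicious Global Administrator assignment."""
    admins = set(known_admins)   # running view of current role holders
    created = {}                 # account -> creation time seen in the log
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        target = ev["target"].lower()
        if ev["op"] == "add_user":
            created[target] = ts
            continue
        if ev.get("role") != GLOBAL_ADMIN_ROLE:
            continue
        if ev["op"] == "remove_role_member":
            admins.discard(target)   # keep the count accurate after removals
        if ev["op"] != "add_role_member":
            continue
        admins.add(target)
        reasons = []
        if target not in known_admins:
            reasons.append("target not in known-admin baseline")
        if target in created and ts - created[target] <= NEW_ACCOUNT_WINDOW:
            reasons.append("role added shortly after account creation")
        if len(admins) > max_admins:
            reasons.append(f"admin count {len(admins)} exceeds threshold {max_admins}")
        if reasons:
            alerts.append({"time": ev["time"], "actor": ev["actor"], "target": target, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```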