M365 SharePoint Site Administrator Added
Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.
Rule type: query
Rule indices:
- filebeat-*
- logs-o365.audit-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
- https://learn.microsoft.com/en-us/purview/audit-log-activities#site-permissions-activities
- https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/
Tags:
- Domain: Cloud
- Domain: SaaS
- Domain: Identity
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Use Case: Identity and Access Audit
- Tactic: Privilege Escalation
- Tactic: Persistence
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Investigation guide:
Site Administrators in SharePoint Online have full control over a Site, including the ability to manage permissions, access all content, and configure site-level settings. Adversaries who gain access to a privileged account may assign Site Administrator rights to maintain persistent access or facilitate data exfiltration. The SiteCollectionAdminAdded audit event is logged when this privilege is granted.
Possible investigation steps:
- Review the user.id field to determine who performed the action. Assess whether this user normally manages SharePoint site permissions.
- Examine the o365.audit.ModifiedProperties.SiteAdmin.NewValue field to identify the account that was granted Site Administrator privileges.
- Check the o365.audit.SiteUrl or url.original field to determine which Site was targeted. Assess the sensitivity of the data stored in this site.
- Review the o365.audit.TargetUserOrGroupName and o365.audit.TargetUserOrGroupType fields for additional context on the target principal.
- Pivot to sign-in logs for the acting account to look for anomalies such as logins from unfamiliar locations, devices, or IP ranges.
- Investigate whether the newly added admin account has performed subsequent actions such as file downloads, permission changes, or sharing link creation.
- Check for other recent SiteCollectionAdminAdded events to determine if multiple Sites were targeted in a short time frame, which may indicate bulk privilege escalation.
False positive analysis:
- Routine SharePoint administration tasks by IT teams may trigger this alert. Correlate with change management tickets or scheduled maintenance windows.
- Automated provisioning tools that assign Site admin roles during site creation or migration workflows may generate expected alerts.
- Organizational changes such as team transitions or restructuring may involve legitimate Site admin reassignments.
Response and remediation:
- If the admin addition is unauthorized, immediately remove the Site Administrator role from the suspicious account.
- Reset credentials for both the account that performed the action and the account that was added, especially if compromise is suspected.
- Review recent activity on the affected Site for signs of data exfiltration, permission changes, or content modifications.
- Enable or verify enforcement of MFA for all accounts with SharePoint administrative privileges.
- Audit the list of Site Administrators across all Sites to identify any other unauthorized additions.
- Consider implementing Privileged Access Management (PAM) or Privileged Identity Management (PIM) to require just-in-time elevation for SharePoint admin roles.
Rule query:
event.dataset:o365.audit
and event.provider:(SharePoint or OneDrive)
and event.category:web
and event.action:SiteCollectionAdminAdded
and event.outcome:success
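The following Python script is an added example, not part of the Elastic rule or its documentation. It re-implements the rule query above as a predicate over flattened audit events, extracts the fields the investigation steps say to review first (user.id, o365.audit.ModifiedProperties.SiteAdmin.NewValue, o365.audit.SiteUrl, the TargetUserOrGroup fields), and implements the final investigation step, flagging an actor who adds Site Administrators to several distinct Sites within a short window. The sample events are constructed; the 10-minute window and three-site threshold are assumptions chosen for illustration, not values from the rule.

```python
"""Evaluate the SiteCollectionAdminAdded rule logic over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, actor, new_admin, site, **overrides):
    """Build a constructed o365.audit event using the rule's flattened field names."""
    ev = {
        "@timestamp": ts,
        "event.dataset": "o365.audit",
        "event.provider": "SharePoint",
        "event.category": ["web"],           # ECS allows array-valued fields
        "event.action": "SiteCollectionAdminAdded",
        "event.outcome": "success",
        "user.id": actor,
        "o365.audit.ModifiedProperties.SiteAdmin.NewValue": new_admin,
        "o365.audit.SiteUrl": f"https://example.sharepoint.com/sites/{site}",
        "o365.audit.TargetUserOrGroupName": new_admin,
        "o365.audit.TargetUserOrGroupType": "Member",
    }
    ev.update(overrides)
    return ev


# Constructed sample data: one actor touching three Sites in four minutes,
# a few non-matching events, and a single routine-looking addition.
SAMPLE_EVENTS = [
    _event("2024-01-15T10:00:00Z", "alice@example.com", "bob@example.com", "hr"),
    _event("2024-01-15T10:01:00Z", "alice@example.com", "bob@example.com", "hr",
           **{"event.action": "SiteCollectionAdminRemoved"}),   # wrong action
    _event("2024-01-15T10:01:30Z", "mallory@example.com", "eve@example.com", "it",
           **{"event.outcome": "failure"}),                      # failed attempt
    _event("2024-01-15T10:01:45Z", "alice@example.com", "bob@example.com", "hr",
           **{"event.provider": "Exchange"}),                    # wrong provider
    _event("2024-01-15T10:02:00Z", "alice@example.com", "bob@example.com", "finance"),
    _event("2024-01-15T10:04:00Z", "alice@example.com", "bob@example.com", "legal"),
    _event("2024-01-15T11:00:00Z", "carol@example.com", "dave@example.com", "marketing"),
]


def _as_list(value):
    """Normalise scalar or array field values to a list for membership tests."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def matches_rule(event):
    """Python equivalent of the rule's KQL query."""
    return (
        "o365.audit" in _as_list(event.get("event.dataset"))
        and bool({"SharePoint", "OneDrive"} & set(_as_list(event.get("event.provider"))))
        and "web" in _as_list(event.get("event.category"))
        and "SiteCollectionAdminAdded" in _as_list(event.get("event.action"))
        and "success" in _as_list(event.get("event.outcome"))
    )


def triage_fields(event):
    """The fields the investigation guide says to review for a matching event."""
    return {
        "actor": event.get("user.id"),
        "new_admin": event.get("o365.audit.ModifiedProperties.SiteAdmin.NewValue"),
        "site": event.get("o365.audit.SiteUrl") or event.get("url.original"),
        "target_name": event.get("o365.audit.TargetUserOrGroupName"),
        "target_type": event.get("o365.audit.TargetUserOrGroupType"),
    }


def _ts(event):
    # fromisoformat() does not accept a trailing "Z" before Python 3.11
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def bulk_escalation(events, window=timedelta(minutes=10), min_sites=3):
    """Return {actor: sites} for actors that granted Site Admin on at least
    min_sites distinct Sites within any span of length `window` (assumed values)."""
    by_actor = defaultdict(list)
    for ev in filter(matches_rule, events):
        by_actor[ev.get("user.id")].append(ev)
    flagged = {}
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            sites = {triage_fields(e)["site"] for e in evs[i:]
                     if _ts(e) - _ts(start) <= window}
            if len(sites) >= min_sites:
                flagged[actor] = sites
                break
    return flagged


if __name__ == "__main__":
    for hit in filter(matches_rule, SAMPLE_EVENTS):
        print(triage_fields(hit))
    print("bulk escalation:", bulk_escalation(SAMPLE_EVENTS))
```

Run stand-alone, the script prints the triage fields for the four matching events and flags alice@example.com for touching three Sites inside the window; carol@example.com's single addition matches the rule but is not flagged, which is the distinction the last investigation step asks an analyst to draw.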
Framework: MITRE ATT&CK
Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Cloud Roles
- Id: T1098.003
- Reference URL: https://attack.mitre.org/techniques/T1098/003/
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Cloud Roles
- Id: T1098.003
- Reference URL: https://attack.mitre.org/techniques/T1098/003/