Detect and Remediate Illicit Consent Grants



Summary: Learn how to recognize and remediate the illicit consent grants attack in Office 365.

In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data, either through a phishing attack or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.

These attacks leverage an interaction model which presumes the entity that is calling the information is automation and not a human.


Do you suspect you're experiencing problems with illicit consent grants from an app, right now? Microsoft Cloud App Security (MCAS) has tools to detect, investigate, and remediate your OAuth apps. This MCAS article has a tutorial that outlines how to go about investigating risky OAuth apps. You can also set OAuth app policies to investigate app-requested permissions, which users are authorizing these apps, and widely approve or ban these permissions requests.

You need to search the audit log to find signs, also called Indicators of Compromise (IOC), of this attack. For organizations with many Azure-registered applications and a large user base, the best practice is to review your organization's consent grants on a weekly basis.

Steps for finding signs of this attack

  1. Open the Security & Compliance Center at https://protection.office.com.

  2. Navigate to Search and select Audit log search.

  3. Search (all activities and all users), enter the start date and end date if required, and then click Search.

  4. Click Filter results and enter Consent to application in the Activity field.

  5. Click on the result to see the details of the activity. Click More Information to get details of the activity. Check to see if IsAdminConsent is set to True.


It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs.

The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see Audit log.

If this value is true, it indicates that someone with Global Administrator access may have granted broad access to data. If this is unexpected, take steps to confirm an attack.

How to confirm an attack

If you have one or more instances of the IOCs listed above, you need to do further investigation to positively confirm that the attack occurred. You can use any of these three methods to confirm the attack:

  • Inventory applications and their permissions using the Azure Active Directory portal. This method is thorough, but you can only check one user at a time, which can be very time consuming if you have many users to check.

  • Inventory applications and their permissions using PowerShell. This is the fastest and most thorough method, with the least amount of overhead.

  • Have your users individually check their apps and permissions and report the results back to the administrators for remediation.

Inventory apps with access in your organization

You can do this for your users with either the Azure Active Directory Portal or PowerShell, or have your users individually enumerate their application access.

Steps for using the Azure Active Directory Portal

You can look up the applications to which any individual user has granted permissions by using the Azure Active Directory Portal.

  1. Sign in to the Azure portal with administrative rights.

  2. Select the Azure Active Directory blade.

  3. Select Users.

  4. Select the user that you want to review.

  5. Select Applications.

This will show you the apps that are assigned to the user and what permissions the applications have.

Steps for having your users enumerate their application access

Have your users go to https://myapps.microsoft.com and review their own application access there. They should be able to see all the apps with access, view details about them (including the scope of access), and be able to revoke privileges to suspicious or illicit apps.

Steps for doing this with PowerShell

The simplest way to verify the Illicit Consent Grant attack is to run Get-AzureADPSPermissions.ps1, which will dump all the OAuth consent grants and OAuth apps for all users in your tenancy into one .csv file.


  • The Azure AD PowerShell library installed.

  • Global administrator rights on the tenant that the script will be run against.

  • Local Administrator rights on the computer from which you will run the scripts.


We highly recommend that you require multi-factor authentication on your administrative account. This script supports MFA authentication.

  1. Sign in to the computer that you will run the script from with local administrator rights.

  2. Download or copy the Get-AzureADPSPermissions.ps1 script from GitHub to a folder from which you will run the script. This will be the same folder to which the output "permissions.csv" file will be written.

  3. Open a PowerShell instance as an administrator and change to the folder you saved the script to.

  4. Connect to your directory using the Connect-AzureAD cmdlet.

  5. Run this PowerShell command:

    .\Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -NoTypeInformation

The script produces one file named Permissions.csv. Follow these steps to look for illicit application permission grants:

  1. In the ConsentType column (column G) search for the value "AllPrincipals". The AllPrincipals permission allows the client application to access everyone's content in the tenancy. Native Microsoft 365 applications need this permission to work correctly. Every non-Microsoft application with this permission should be reviewed carefully.

  2. In the Permission column (column F) review the permissions that each delegated application has to content. Look for "Read" and "Write" permission or "*.All" permission, and review these carefully because they may not be appropriate.

  3. Review the specific users that have consents granted. If high profile or high impact users have inappropriate consents granted, you should investigate further.

  4. In the ClientDisplayName column (column C) look for apps that seem suspicious. Apps with misspelled names, super bland names, or hacker-sounding names should be reviewed carefully.
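The review steps above can be applied to the CSV in one pass. The following is an added example, not part of Get-AzureADPSPermissions.ps1 or the original page: it assumes a PrincipalDisplayName column alongside the ClientDisplayName, Permission and ConsentType columns named above, and the `-ReviewedClients` and `-HighImpactUsers` lists and the sample rows are constructed for illustration.

```powershell
# Constructed sample rows standing in for Permissions.csv (only the columns used below).
$sample = @'
ClientDisplayName,Permission,ConsentType,PrincipalDisplayName
Contoso Travel Portal,User.Read,Principal,Adele Vance
Mail Helper,Mail.ReadWrite,Principal,Example CFO
Doc Sync,Files.ReadWrite.All,AllPrincipals,
Contoso Intranet,openid,Principal,Adele Vance
'@ | ConvertFrom-Csv

function Get-ConsentGrantFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Row,
        [string[]] $ReviewedClients = @(),  # hypothetical: apps you have already vetted
        [string[]] $HighImpactUsers = @()   # hypothetical: users whose grants matter most
    )
    process {
        if ($ReviewedClients -contains $Row.ClientDisplayName) { return }
        $reasons = [System.Collections.Generic.List[string]]::new()
        # The Permission cell may hold one scope or several separated by spaces.
        $scopes = @($Row.Permission -split '\s+' | Where-Object { $_ })

        # Step 1: tenant-wide consent.
        if ($Row.ConsentType -eq 'AllPrincipals') { $reasons.Add('AllPrincipals consent') }
        # Step 2: "*.All" scopes first, then remaining Read/Write scopes.
        $all = @($scopes | Where-Object { $_ -like '*.All' })
        $rw  = @($scopes | Where-Object { $_ -match 'Read|Write' -and $_ -notlike '*.All' })
        if ($all) { $reasons.Add('*.All scope: ' + ($all -join ', ')) }
        if ($rw)  { $reasons.Add('Read/Write scope: ' + ($rw -join ', ')) }
        # Step 3: consent granted by a high-impact user.
        if ($HighImpactUsers -contains $Row.PrincipalDisplayName) { $reasons.Add('high-impact user') }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Hits   = $reasons.Count            # number of review criteria matched
                Client = $Row.ClientDisplayName    # step 4: read these names by eye
                User   = $Row.PrincipalDisplayName
                Why    = $reasons -join '; '
            }
        }
    }
}

# Against real output, replace $sample with: Import-Csv .\Permissions.csv
$sample | Get-ConsentGrantFinding -HighImpactUsers 'Example CFO' |
    Sort-Object Hits -Descending | Format-Table -AutoSize -Wrap
```

A display name can be imitated, so confirm an application's identity in the portal before adding it to `-ReviewedClients`.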

Determine the scope of the attack

After you have finished inventorying application access, review the audit log to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the audit log in the Microsoft 365 Security and Compliance Center.


Mailbox auditing and Activity auditing for admins and users must have been enabled prior to the attack for you to get this information.

After you have identified an application with illicit permissions, you have several ways to remove that access.

  • You can revoke the application's permission in the Azure Active Directory Portal by:

    • Navigate to the affected user in the Azure Active Directory User blade.

    • Select Applications.

    • Select the illicit application.

    • Click Remove in the drill down.

  • You can revoke the OAuth consent grant with PowerShell by following the steps in Remove-AzureADOAuth2PermissionGrant.

  • You can revoke the Service App Role Assignment with PowerShell by following the steps in Remove-AzureADServiceAppRoleAssignment.

  • You can also disable sign-in for the affected account altogether, which will in turn disable app access to data in that account. This isn't ideal for the end user's productivity, of course, but if you are working to limit impact quickly, it can be a viable short-term remediation.

  • You can turn integrated applications off for your tenancy. This is a drastic step that disables the ability for end users to grant consent on a tenant-wide basis. This prevents your users from inadvertently granting access to a malicious application. This isn't strongly recommended as it severely impairs your users' ability to be productive with third party applications. You can do this by following the steps in Turning Integrated Apps on or off.

Secure Microsoft 365 like a cybersecurity pro

Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

  • Tasks to accomplish in the first 30 days. These have immediate effect and are low-impact to your users.

  • Tasks to accomplish in 90 days. These take a bit more time to plan and implement but greatly improve your security posture.

  • Beyond 90 days. These enhancements build on your first 90 days' work.
