偵測並修正違法的同意授與Detect and Remediate Illicit Consent Grants

重要

改良的 Microsoft 365 安全性中心現在可供公開預覽。The improved Microsoft 365 security center is now available in public preview. 這個新的體驗會將適用於端點的 Defender、適用於 Office 365 的 Defender、Microsoft 365 Defender 和更多功能帶到 Microsoft 365 安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 了解新功能Learn what's new. 本主題僅適合適用於 Office 365 的 Microsoft Defender 和 Microsoft 365 Defender。This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. 請參閱 適用於 區段,並且尋找此文章中可能有所不同的特定圖說文字。Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

適用於Applies to

摘要 了解如何識別並修正在 Office 365 中的非法同意授權。Summary Learn how to recognize and remediate the illicit consent grants attack in Office 365.

在非法同意授權攻擊中,攻擊者會建立已註冊 Azure 的應用程式,要求存取連絡人資訊、電子郵件或文件等資料。In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. 然後,攻擊者誘騙使用者授權該應用程式同意透過網路釣魚攻擊,或透過插入非法程式碼到信任的網站,來存取其資料。The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. 在非法應用程式獲得授權之後,就擁有資料的帳戶層級存取權,而不需要組織帳戶。After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. 一般補救步驟,例如重設遭入侵帳戶的密碼或要求帳戶的多重要素驗證 (MFA),對這類型攻擊是無效的,因為這些是第三方應用程式,而且在組織外部。Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.

這些攻擊採用一種互動模型,這種模型會假正在呼叫資訊的實體是自動化,而不是人。These attacks leverage an interaction model which presumes the entity that is calling the information is automation and not a human.

重要

您是否懷疑遇到違法的同意問題-從應用程式授與的許可權?Do you suspect you're experiencing problems with illicit consent-grants from an app, right now? Microsoft Cloud App Security (MCAS) 具有偵測、調查和修正 OAuth 應用程式的工具。Microsoft Cloud App Security (MCAS) has tools to detect, investigate, and remediate your OAuth apps. 此 MCAS 文章包含的教學課程,說明如何 調查 OAuth 應用程式的風險This MCAS article has a tutorial that outlines how to go about investigating risky OAuth apps. 您也可以設定 OAuth 的應用程式原則 ,以調查應用程式要求的許可權,這些許可權是使用者授權這些應用程式,並廣泛核准或禁止這些許可權要求。You can also set OAuth app policies to investigate app-requested permissions, which users are authorizing these apps, and widely approve or ban these permissions requests.

您必須搜尋「 審計記錄 檔」,以尋找此攻擊的簽署,也稱為折衷 (IOC) 。You need to search the audit log to find signs, also called Indicators of Compromise (IOC) of this attack. 如果組織擁有許多 Azure 註冊應用程式和大量使用者,最佳做法就是每週檢閱您的組織同意授權。For organizations with many Azure-registered applications and a large user base, the best practice is to review your organizations consent grants on a weekly basis.

尋找此攻擊徵象的步驟Steps for finding signs of this attack

  1. 開啟 安全性 & 規範中心 ,網址為 https://protection.office.comOpen the Security & Compliance Center at https://protection.office.com.

  2. 流覽至 [ 搜尋 ],然後選取 [ 審核記錄搜尋]。Navigate to Search and select Audit log search.

  3. 搜尋 (所有活動和所有使用者) 並輸入開始日期和結束日期(如有需要),然後按一下 [ 搜尋]。Search (all activities and all users) and enter the start date and end date if required and then click Search.

  4. 按一下 [ 篩選結果 ],並在 [ 活動 ] 欄位中輸入應用程式同意。Click Filter results and enter Consent to application in the Activity field.

  5. 按一下結果以查看活動的詳細資料。Click on the result to see the details of the activity. 按一下 [ 詳細資訊 ] 以取得活動的詳細資料。Click More Information to get details of the activity. 請檢查 IsAdminContent 是否設定為 True。Check to see if IsAdminContent is set to True.

注意

在發生事件後,可在搜尋結果中顯示對應的審計記錄專案,最多可花30分鐘到24小時的時間。It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs.

在審核記錄中保留及可搜尋的審計記錄的時間長度,取決於您的 Microsoft 365 訂閱,特別是指派給特定使用者的授權類型。The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. 如需詳細資訊,請參閱稽核記錄For more information, see Audit log.

如果這個值為 true,表示擁有全域系統管理員存取權的人員可能已獲得資料的廣泛存取權。If this value is true, it indicates that someone with Global Administrator access may have granted broad access to data. 如果這是未預期的,請採取步驟以確認攻擊If this is unexpected, take steps to confirm an attack.

如何確認攻擊How to confirm an attack

如果您有上面所列的一或多個 IOC 執行個體,則必須進一步調查,以明確確認發生了攻擊。If you have one or more instances of the IOCs listed above, you need to do further investigation to positively confirm that the attack occurred. 您可以使用下列三種方法中的任何一種來確認攻擊:You can use any of these three methods to confirm the attack:

  • 使用 Azure Active Directory 入口網站來清查應用程式及其權限。Inventory applications and their permissions using the Azure Active Directory portal. 此方法很徹底,但是一次只能檢查一個使用者,如果要檢查的使用者很多,這會非常耗時。This method is thorough, but you can only check one user at a time which can be very time consuming if you have many users to check.

  • 使用 PowerShell 來清查應用程式及其權限。Inventory applications and their permissions using PowerShell. 這是最快也最徹底的方法,而且負擔最小。This is the fastest and most thorough method, with the least amount of overhead.

  • 讓您的使用者個別檢查其應用程式和授權,並將結果報告給系統管理員以進行修正。Have your users individually check their apps and permissions and report the results back to the administrators for remediation.

使用您組織中的存取權來清查應用程式。Inventory apps with access in your organization

您可以使用 Azure Active Directory 入口網站或 PowerShell 來為您使用者執行此動作,或請您的使用者個別列舉其應用程式存取權。You can do this for your users with either the Azure Active Directory Portal, or PowerShell or have your users individually enumerate their application access.

使用 Azure Active Directory 入口網站的步驟Steps for using the Azure Active Directory Portal

您可以使用 Azure Active Directory 入口網站來查閱任何個人使用者已獲授權的應用程式。You can look up the applications to which any individual user has granted permissions by using the Azure Active Directory Portal.

  1. 使用系統管理權限登入 Azure 入口網站。Sign in to the Azure Portal with administrative rights.

  2. 選取 [Azure Active Directory] 刀鋒視窗。Select the Azure Active Directory blade.

  3. 選取 [使用者]。Select Users.

  4. 選取您要檢閱的使用者。Select the user that you want to review.

  5. 選取 [應用程式]。Select Applications.

這會顯示指派給使用者的應用程式,以及應用程式的許可權。This will show you the apps that are assigned to the user and what permissions the applications have.

請您的使用者列舉其應用程式存取權的步驟Steps for having your users enumerate their application access

請您的使用者前往 https://myapps.microsoft.com,並在那裡查看自己的應用程式存取權。Have your users go to https://myapps.microsoft.com and review their own application access there. 他們應該能夠查看具有存取權的所有應用程式、查看相關的詳細資料 (包括存取範圍),並能夠撤銷可疑或非法應用程式的權限。They should be able to see all the apps with access, view details about them (including the scope of access), and be able to revoke privileges to suspicious or illicit apps.

使用 PowerShell 執行此動作的步驟Steps for doing this with PowerShell

驗證非法同意授權攻擊的最簡單方法是執行 Get-AzureADPSPermissions.ps1,它會將您租用戶中所有使用者的所有 OAuth 同意授權與 OAuth 應用程式都傾印到一個 .csv 檔案中。The simplest way to verify the Illicit Consent Grant attack is to run Get-AzureADPSPermissions.ps1, which will dump all the OAuth consent grants and OAuth apps for all users in your tenancy into one .csv file.

先決條件Pre-requisites

  • 已安裝 Azure AD PowerShell 程式庫。The Azure AD PowerShell library installed.

  • 將執行指令碼的租用戶的全域系統管理員權限。Global administrator rights on the tenant that the script will be run against.

  • 將執行指令碼的電腦上的本機系統管理員。Local Administrator on the computer from which will run the scripts.

重要

強烈建議 您在您的管理帳戶上需要多重要素驗證。We highly recommend that you require multi-factor authentication on your administrative account. 此指令碼支援 MFA 驗證。This script supports MFA authentication.

  1. 使用本機系統管理員權限登入您將執行指令碼的電腦。Sign in to the computer that you will run the script from with local administrator rights.

  2. Get-AzureADPSPermissions.ps1 腳本從 GitHub 下載或複製到您要執行腳本的資料夾。Download or copy the Get-AzureADPSPermissions.ps1 script from GitHub to a folder from which you will run the script. 此資料夾與寫入輸出「permissions.csv」檔案的資料夾是同一個。This will be the same folder to which the output "permissions.csv" file will be written.

  3. 以系統管理員身分開啟 PowerShell 執行個體,然後開啟您要儲存指令碼的資料夾。Open a PowerShell instance as an administrator and open to the folder you saved the script to.

  4. 使用 Connect-AzureAD Cmdlet 連線至您的目錄。Connect to your directory using the Connect-AzureAD cmdlet.

  5. 執行此 PowerShell 命令:Run this PowerShell command:

    Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -NoTypeInformation
    

指令碼會產生一個名為「Permissions.csv」的檔案。The script produces one file named Permissions.csv. 依照下列步驟尋找非法應用程式權限授權:Follow these steps to look for illicit application permission grants:

  1. 在 [ConsentType] 欄 (欄 G) 中,搜尋值「AllPrinciples」。In the ConsentType column (column G) search for the value "AllPrinciples". AllPrincipals 許可權可讓用戶端應用程式存取租使用者的所有人內容。The AllPrincipals permission allows the client application to access everyone's content in the tenancy. 原生 Microsoft 365 應用程式需要此許可權才能正確運作。Native Microsoft 365 applications need this permission to work correctly. 必須仔細檢閱具有此權限的每一個非 Microsoft 應用程式。Every non-Microsoft application with this permission should be reviewed carefully.

  2. 在 [Permission] 欄 (欄 F) 中,檢閱每個委派的應用程式對內容所擁有的權限。In the Permission column (column F) review the permissions that each delegated application has to content. 尋找「Read」和「Write」權限或「*.All」權限,並仔細加以檢閱,因為它們可能不適當。Look for "Read" and "Write" permission or "*.All" permission, and review these carefully because they may not be appropriate.

  3. 檢閱已獲同意授權的特定使用者。Review the specific users that have consents granted. 如果高設定檔或高度影響使用者擁有不適當的同意,您應進一步調查。If high profile or high impact users have inappropriate consents granted, you should investigate further.

  4. 在 [ClientDisplayName] 欄 (欄 C) 中,尋找看起來可疑的應用程式。In the ClientDisplayName column (column C) look for apps that seem suspicious. 應仔細檢查名稱拼錯、名稱超級簡單名稱或名稱像駭客的應用程式。Apps with misspelled names, super bland names, or hacker-sounding names should be reviewed carefully.

判斷攻擊的範圍Determine the scope of the attack

當您完成清查應用程式存取之後,請複查 審核記錄 以判斷破壞的完整範圍。After you have finished inventorying application access, review the audit log to determine the full scope of the breach. 搜尋受影響的使用者、非法應用程式有權存取您組織的時間範圍,以及應用程式擁有的權限。Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. 您可以在 [Microsoft 365 安全性與合規性中心] 中搜尋 稽核記錄You can search the audit log in the Microsoft 365 Security and Compliance Center.

重要

您必須在攻擊之前啟用 [信箱稽核] 和 [系統管理員與使用者的活動稽核],才能獲得此訊息。Mailbox auditing and Activity auditing for admins and users must have been enabled prior to the attack for you to get this information.

當您識別出有非法權限的應用程式之後,有多種方式可移除該存取權。After you have identified an application with illicit permissions, you have several ways to remove that access.

  • 您可以在 Azure Active Directory 入口網站中撤銷應用程式的權限,方法是:You can revoke the application's permission in the Azure Active Directory Portal by:

    • 在 [Azure Active Directory 使用者] 刀鋒視窗中瀏覽至受影響的使用者。Navigate to the affected user in the Azure Active Directory User blade.

    • 選取 [應用程式]。Select Applications.

    • 選取非法應用程式。Select the illicit application.

    • 按一下向下切入中的 [移除]。Click Remove in the drill down.

  • 您可以依照移除-AzureADOAuth2PermissionGrant 中的步驟,使用 PowerShell 撤銷 QAuth 同意授權。You can revoke the OAuth consent grant with PowerShell by following the steps in Remove-AzureADOAuth2PermissionGrant.

  • 您可以依照移除-AzureADServiceAppRoleAssignment 中的步驟,使用 PowerShell 撤銷服務應用程式角色指派。You can revoke the Service App Role Assignment with PowerShell by following the steps in Remove-AzureADServiceAppRoleAssignment.

  • 您也可以完全停用受影響帳戶的登入,這將會進一步停用該帳戶中應用程式對資料的存取權。You can also disable sign-in for the affected account altogether, which will in turn disable app access to data in that account. 當然,這對使用者的生產力並不理想,但是如果您正努力快速限制影響,這會是可行的短期補救。This isn't ideal for the end user's productivity, of course, but if you are working to limit impact quickly, it can be a viable short-term remediation.

  • 您可以關閉租用戶的整合式應用程式。You can turn integrated applications off for your tenancy. 這是一項重大步驟,會在整個租用戶範圍中停用使用者授權同意的能力。This is a drastic step that disables the ability for end users to grant consent on a tenant-wide basis. 這可防止您的使用者不小心授權存取惡意應用程式。This prevents your users from inadvertently granting access to a malicious application. 我們不建議您這麼做,因為這會嚴重影響使用者使用使用協力廠商應用程式的生產力。This isn't strongly recommended as it severely impairs your users' ability to be productive with third party applications. 若要這麼做,可以依照開啟或關閉整合式應用程式中的步驟進行。You can do this by following the steps in Turning Integrated Apps on or off.

像網路安全專業人員一般保護 Microsoft 365Secure Microsoft 365 like a cybersecurity pro

您的 Microsoft 365 訂閱隨附一組功能強大的安全性功能,可供您用來保護您的資料和您的使用者。Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. 使用 Microsoft 365 安全性藍圖 - 前 30 天、前 90 天前和之後的最高優先順序來實作 Microsoft 建議用來保護您的 Microsoft 365 租用戶的最佳做法。Use the Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.

  • 要在前 30 天內完成的工作。Tasks to accomplish in the first 30 days. 這些工作會有立即的影響,而且對您的使用者影響較低。These have immediate affect and are low-impact to your users.

  • 要在 90 天內完成的工作。Tasks to accomplish in 90 days. 這些工作需要多一些時間來計劃及實作,但是可以大幅改善您的安全性狀態。These take a bit more time to plan and implement but greatly improve your security posture.

  • 90 天之後。Beyond 90 days. 這些增強功能會在您的前 90 天工作內建置。These enhancements build in your first 90 days work.

另請參閱:See also: