DET0488 Detect abuse of Trusted Relationships (third-party and delegated admin access)

Item	Value
ID	DET0488
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1199 (Trusted Relationship)

Analytics

Windows

AN1344

Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	WinEventLog:Security	EventCode=4624, 4648
Logon Session Metadata (DC0088)	WinEventLog:Security	EventCode=4776, 4771, 4770
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Application Log Content (DC0038)	WinEventLog:Security	EventCode=4663, 4670, 4656

Mutable Elements

Field	Description
ThirdPartyCIDRs	Ranges used by MSPs/contractors/VPN egress; used to enrich logons and network flows.
ExpectedAdminHosts	Servers where third-party admins are allowed; deviations raise risk.
TimeWindow	Correlation window linking logon → elevation → access (e.g., 30–120 minutes).
HighValueResources	File shares/AD objects/servers that should never be touched by third-party sessions.

Linux

AN1345

Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows.

Log Sources

Data Component	Name	Channel
Logon Session Metadata (DC0088)	auditd:SYSCALL	execve,socket,connect,openat
Logon Session Creation (DC0067)	linux:syslog	Accepted publickey/password for * from * port * ssh2
Network Traffic Content (DC0085)	NSM:Flow	ssh connections originating from third-party CIDRs

Mutable Elements

Field	Description
ThirdPartyUsers	POSIX accounts assigned to vendors/partners.
AllowedJumpHosts	Bastion hosts permitted for third-party access.
MFAExpected	Flag indicating whether PAM/MFA should be present; used to score risk.

macOS

AN1346

Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement mounts/ssh. Correlate unified logs and network telemetry.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	macos:unifiedlog	loginwindow or sshd successful login events
Logon Session Metadata (DC0088)	macos:unifiedlog	Group membership change for admin or wheel
Network Traffic Content (DC0085)	NSM:Flow	ssh/smb connections to internal resources from third-party devices

Mutable Elements

Field	Description
ManagedDeviceList	Known corp devices; treat unknown devices as higher risk.

Identity Provider

AN1347

Behavioral chain: (1) delegated admin or external identity establishes session (e.g., partner/reseller DAP, B2B guest, SAML/OAuth trust); (2) role elevation or app consent/permission grant; (3) downstream privileged actions in the tenant. Correlate IdP sign-in, admin/role assignment, and consent/admin-on-behalf events.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	azure:signinlogs	InteractiveUser, ServicePrincipalSignIn
Logon Session Metadata (DC0088)	azure:audit	Add delegated admin / Assign admin roles / Update application consent
Application Log Content (DC0038)	m365:unified	Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship

Mutable Elements

Field	Description
TrustedPartnerTenantIDs	Tenant IDs of approved partners; any others are suspicious.
RequiredMFA	Require MFA for partner sessions; alert on bypass or step-up failure.
RoleScopeAllowList	Roles third-parties may hold (e.g., Helpdesk Admin); flag broader scopes.

IaaS

AN1348

Behavioral chain: (1) cross-account or third-party principal assumes a role into the tenant/subscription/project; (2) privileged API calls are made in short succession; (3) access originates from unfamiliar networks or geos. Correlate assume-role/federation events with sensitive API usage.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	AWS:CloudTrail	AssumeRole,AssumeRoleWithSAML,AssumeRoleWithWebIdentity
Application Log Content (DC0038)	AWS:CloudTrail	CreateUser
Logon Session Metadata (DC0088)	gcp:audit	google.iam.credentials.generateAccessToken / serviceAccountTokenCreator

Mutable Elements

Field	Description
ExternalAccountAllowList	Cross-account principals permitted to assume roles; used for allow-listing.
SensitiveAPIs	Provider-specific list of risky APIs for scoring.
GeoVelocityThreshold	Detect impossible travel between partner and tenant actions.

SaaS

AN1349

Behavioral chain: (1) third-party app or admin connects via OAuth/marketplace install; (2) high-privilege scopes granted; (3) anomalous actions (mass read/exports, admin changes).

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	saas:googleworkspace	OAuth2 authorization grants / Admin role assignments
Logon Session Metadata (DC0088)	saas:salesforce	ConnectedApp OAuth policy change / Login as user

Mutable Elements

Field	Description
ApprovedApps	Catalog of sanctioned third-party apps and scopes.
ExportVolumeThreshold	Data export size/rate baselines to detect abnormal partner activity.

Office Suite

AN1350

Behavioral chain: (1) delegated administration offers/relationships created or modified by partner tenants; (2) mailbox delegation/impersonation enabled; (3) follow-on access from partner IPs.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	m365:unified	Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship
Logon Session Creation (DC0067)	azure:signinlogs	InteractiveUser, NonInteractiveUser

Mutable Elements

Field	Description
MailboxDelegateAllowList	Specific mailboxes third-parties may manage.