Forensically Sound Incident Response in Microsoft’s Office 365
Transcript of slides: Devon Ackerman | SANS DFIR Summit 2018
Limitations and Drawbacks
• Logouts
• Messages
• Search Terms
• Attachments
• Length of Session
Audit log search isn’t turned on. To turn it on, click “Start recording user and admin activities” at the top of the page.
Responding
1. Establish a Global Admin account
2. Identify at-risk email accounts
3. Export the log
4. Analysis of the UAL
• O365 Security & Compliance
• https://protection.office.com
• O365 Admin Center
• https://portal.office.com/adminportal
• Windows Azure
• https://manage.windowsazure.com
• Windows PowerShell
• Pshell for O365 by Nathan Mitchell
Microsoft Humor…
• Microsoft’s browsers work best: Edge or IE11
• Certain fields will not populate or drop down correctly in Firefox and Chrome
• The eDiscovery PST export tool requires Internet Explorer
Azure AD
# Enable owner-level mailbox auditing (including MailboxLogin) on every user mailbox in the tenant
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Set-Mailbox -AuditEnabled $true -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create,MailboxLogin
Audit Data Example
• UserLoggedIn
• PasswordLogonInitialAuthUsingPassword
• ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken
• PasswordLogonInitialAuthUsingADFSFederatedToken
• ForeignRealmIndexLogonCookieCopyUsingDAToken
• PasswordLogonCookieCopyUsingDAToken
{
  "CreationTime": "2018-01-19T16:11:25",
  "Id": "f8fast70-2bbe-456f-8sea-7513rfasf2541",
  "Operation": "UserLoggedIn",
  "OrganizationId": "b3bas52-8487-484f-8a41-45a6f1a235",
  "RecordType": 15,
  "ResultStatus": "Succeeded",
  "UserKey": "[email protected]",
  "UserType": 0,
  "Version": 1,
  "Workload": "AzureActiveDirectory",
  "ClientIP": "15.16.17.181",
  "ObjectId": "Unknown",
  "UserId": "[email protected]",
  "AzureActiveDirectoryEventType": 1,
  "ExtendedProperties": [
    {"Name": "UserAgent", "Value": "Microsoft Office\/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"},
    {"Name": "UserAuthenticationMethod", "Value": "1"},
    {"Name": "RequestType", "Value": "OrgIdWsTrust2:process"},
    {"Name": "ResultStatusDetail", "Value": "Success"}
  ],
  "Actor": [
    {"ID": "4d46d3bd-95b3-4cad-bcda-88cddfdc2c52", "Type": 0},
    {"ID": "[email protected]", "Type": 5},
    {"ID": "1245ASGSAF312351", "Type": 3}
  ],
  "ActorContextId": "fasd631-1240-4125c-9125a-b32515asg31",
  "ActorIpAddress": "15.16.17.181",
  "InterSystemsId": "4dsF1-g12wb-512a-8sd-0a8asdzxg324",
  "IntraSystemId": "adfas32-6afsd-4adf1-b562-f336135a14110",
  "Target": [{"ID": "Unknown", "Type": 0}],
  "TargetContextId": "fast12b-124f-490c-9a15-b60621e1617y",
  "ApplicationId": "f13241-2412-4422-san-sr0ck$1rs38"
}
Add-MailboxPermission
Add-RecipientPermission
Set-Mailbox
The end goal of UAL analysis is to identify whether unauthorized access occurred, when it occurred, and what else the actor did while in the account.
Groupings to be aware of
• Mail rule creation
• Geolocation of IP addresses
• IPs that are part of netblocks
• User Agent Strings
• Baselining User Activity
Client=Microsoft.Exchange.Mapi; Microsoft Office/16.0 (Windows NT 6.1; Microsoft Outlook 16.0.8201; Pro)
Client=POP3/IMAP4;Protocol=IMAP4
Client=Microsoft.Exchange.ActiveSync; Apple-iPhone8C1/1302.143
New-InboxRule
Set-InboxRule
Set-Mailbox
Diving Deeper
• Search-UnifiedAuditLog -IPAddresses "123.123.123.123" -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-Csv "C:\ipaddress.csv"
• Search-UnifiedAuditLog -IPAddresses IPaddress1,IPaddress2 -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-Csv "C:\ipaddress.csv"
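As an added example (not from the talk), a Python pass over rows of a Search-UnifiedAuditLog | Export-Csv export that applies the groupings above: per user, the login IPs and user-agent strings to baseline against, and the inbox-rule and permission operations to flag. The rows are constructed to follow the UserLoggedIn record shown earlier; the Parameters layout of the New-InboxRule record and the example.com addresses are assumptions.

```python
import json
from collections import defaultdict

# Operations the talk singles out: inbox-rule creation/modification and mailbox
# changes that can set up forwarding or hand access to another principal.
SUSPECT_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                      "Add-MailboxPermission", "Add-RecipientPermission"}

def _row(**fields):
    # One export row; a real Export-Csv file has more columns, but AuditData is the one that matters.
    return {"AuditData": json.dumps(fields)}

# Constructed sample rows (not real tenant data), shaped after the UserLoggedIn record on the page.
SAMPLE_ROWS = [
    _row(CreationTime="2018-01-19T16:11:25", Operation="UserLoggedIn", UserId="[email protected]",
         ClientIP="15.16.17.181", ExtendedProperties=[{"Name": "UserAgent",
         "Value": "Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"}]),
    _row(CreationTime="2018-01-20T03:02:10", Operation="UserLoggedIn", UserId="[email protected]",
         ClientIP="203.0.113.7", ExtendedProperties=[{"Name": "UserAgent",
         "Value": "Mozilla/5.0 (Windows NT 10.0) Chrome/63.0"}]),
    _row(CreationTime="2018-01-20T03:05:44", Operation="New-InboxRule", UserId="[email protected]",
         ClientIP="203.0.113.7", Parameters=[{"Name": "ForwardTo", "Value": "[email protected]"},
                                             {"Name": "DeleteMessage", "Value": "True"}]),
]

def user_agent(record):
    """UserAgent is a Name/Value pair inside ExtendedProperties; it may be absent."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value")
    return None

def summarize_ual(rows):
    """Per user: login IPs, user agents seen, and any suspect operations with their parameters."""
    summary = defaultdict(lambda: {"ips": set(), "user_agents": set(), "suspect": []})
    for row in rows:
        rec = json.loads(row["AuditData"])
        entry = summary[rec.get("UserId", "unknown")]
        ip = rec.get("ClientIP")
        if rec.get("Operation") == "UserLoggedIn" and ip:
            entry["ips"].add(ip)
            ua = user_agent(rec)
            if ua:
                entry["user_agents"].add(ua)
        if rec.get("Operation") in SUSPECT_OPERATIONS:
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            entry["suspect"].append((rec.get("CreationTime"), rec["Operation"], ip, params))
    return dict(summary)
```

On a real export, pass `csv.DictReader(open("ipaddress.csv", newline=""))` instead of SAMPLE_ROWS; a new IP or user agent that does not appear in the user's baseline, followed by a New-InboxRule with ForwardTo, is the pattern the talk describes.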
Beyond the UAL
Sufficient licensing level of O365 tenant is required
MICROSOFT’S AZURE ACTIVE DIRECTORY
Wrapping Up:
Bonus Round
• Get-Mailbox -Identity [email protected] | Select-Object WhenCreated
• Get-MailboxStatistics -Identity [email protected]
• Get-Mailbox [email protected] | Format-List Name,*Audit*
• “Search & investigation” > “Content search”
• Global Admin account > eDiscovery Admin role to preview and download results of searches.
Hello Frank,
Per our prior conversation, please let me know what you think about it.
Yours Truley,
Julie
Attachment: companyllp.doc

Julie,
Is this legitimate?
Thank you,
Frank

Frank,
Yes it is, I sent it.
Email Analysis
• Phishing email with an attachment
• Forensics revealed that the user had opened the phishing email
• clicked the link
• accessed the web page
• had submitted their credentials
• After the web page returned an error, the user returned to the phishing email and sent back the following in a reply:
“Send me something that I can open and not something that makes me feel uncomfortable.”
Domain Auto Forwarding Blocks
PowerShell commands for a domain-specific auto-forwarding block:
• New-RemoteDomain -Name ExternalDomain -DomainName notAboutDFIR.com
• Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled:$false
The change can be verified with the PowerShell command:
• Get-RemoteDomain ExternalDomain | Format-List DomainName,AutoForwardEnabled
• Another option can be found in the Office 365 portal under: Admin\Security and Compliance\Secure Score\Enable Client Forwarding Rules Block.
“For every security mechanism devised,
there is someone who will subvert or defeat it.”
@AboutDFIR
linkedin.com/in/devonackerman