Forensically Sound Incident Response in Microsoft’s Office 365DEVON ACKERMAN | SANS DFIR SUMMIT 2018

Limitations and Drawbacks

• Logouts

• Messages

• Search Terms

• Attachments

• Length of Session

Audit log search isn’t turned on. To turn it on, click “Start recording user and admin activities” at the top of the page.

Start recording user and admin activities

1. Establish a

Global Admin

account

2. Identify at risk email

accounts

3. Export the log

4. Analysis

of the UAL

•O365 Security & Compliance

•https://protection.office.com

•O365 Admin Center

•https://portal.office.com/adminportal

•Windows Azure

•https://manage.windowsazure.com

•Windows PowerShell

•Pshell for O365 by Nathan Mitchell

Responding

1. Establish a Global Admin

account

2. Identify at risk email

accounts

3. Export the log

4. Analysis

of the UAL

Responding

1. Establish a Global Admin

account

2. Identify at risk email

accounts

3. Export the log

4. Analysis

of the UAL

Microsoft Humor…

• Microsoft’s browsers work best –Edge or IE11

• Certain fields will not populate or drop-down correctly in Firefox and Chrome

• The eDiscovery PST export tool requires Internet Explorer

• Azure AD

Get-Mailbox -ResultSize Unlimited -Filter

{RecipientTypeDetails -eq "UserMailbox"} |

Set-Mailbox -AuditEnabled $true -AuditOwner

“Update,

Move,

MoveToDeletedItems,

SoftDelete,

HardDelete,

Create,

MailboxLogin”

Responding

1. Establish a

Global Admin

account

2. Identify at risk email

accounts

3. Export the log

4. Analysis

of the UAL

Audit Data Example

• UserLoggedIn

• PasswordLogonInitialAuthUsingPassword

• ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

• PasswordLogonInitialAuthUsingADFSFederatedToken

• ForeignRealmIndexLogonCookieCopyUsingDAToken

• PasswordLogonCookieCopyUsingDAToken

{"CreationTime":"2018-01-19T16:11:25","Id":"f8fast70-2bbe-456f-8sea-7513rfasf2541","Operation":"UserLoggedIn","OrganizationId":"b3bas52-8487-484f-8a41-45a6f1a235","RecordType":15,"ResultStatus":"Succeeded","UserKey":“123451BEEF125@AboutDFIR.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":“15.16.17.181","ObjectId":"Unknown","UserId":“devon.ackerman@AboutDFIR.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":"Microsoft Office\/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"}, {"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OrgIdWsTrust2:process"},{"Name":"ResultStatusDetail","Value":"Success"}],"Actor":[{"ID":"4d46d3bd-95b3-4cad-bcda-88cddfdc2c52","Type":0}, {"ID":"devon.ackerman@AboutDFIR.com","Type":5},{"ID":“1245ASGSAF312351","Type":3}],"ActorContextId":“fasd631-1240-4125c-9125a-b32515asg31", "ActorIpAddress":"15.16.17.181","InterSystemsId":"4dsF1-g12wb-512a-8sd-0a8asdzxg324","IntraSystemId":“adfas32-6afsd-4adf1-b562-f336135a14110","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":“fast12b-124f-490c-9a15-b60621e1617y","ApplicationId":“f13241-2412-4422-san-sr0ck$1rs38"}

{"CreationTime":"2018-01-19T16:11:25","Id":"f8fast70-2bbe-456f-8sea-7513rfasf2541","Operation":"UserLoggedIn","OrganizationId":"b3bas52-8487-484f-8a41-45a6f1a235","RecordType":15,"ResultStatus":"Succeeded","UserKey":“123451BEEF125@AboutDFIR.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":“15.16.17.181","ObjectId":"Unknown","UserId":“devon.ackerman@AboutDFIR.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":"Microsoft Office\/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"}, {"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OrgIdWsTrust2:process"},{"Name":"ResultStatusDetail","Value":"Success"}],"Actor":[{"ID":"4d46d3bd-95b3-4cad-bcda-88cddfdc2c52","Type":0}, {"ID":"devon.ackerman@AboutDFIR.com","Type":5},{"ID":“1245ASGSAF312351","Type":3}],"ActorContextId":“fasd631-1240-4125c-9125a-b32515asg31", "ActorIpAddress":"15.16.17.181","InterSystemsId":"4dsF1-g12wb-512a-8sd-0a8asdzxg324","IntraSystemId":“adfas32-6afsd-4adf1-b562-f336135a14110","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":“fast12b-124f-490c-9a15-b60621e1617y","ApplicationId":“f13241-2412-4422-san-sr0ck$1rs38"}

Add-MailboxPermission

Add-RecipientPermission

Set-Mailbox

The end goal of UAL analysis is to

identify if unauthorized access did

occur, when, and what else the

actor did while in the account

Groupings to be aware of

Mail rule creation

Geolocation of IP addresses

IPs that are part of netblocks

User Agent Strings

Baselining User Activity

Client=Microsoft.Exchange.Mapi; Microsoft Office/16.0 (Windows NT 6.1; Microsoft Outlook 16.0.8201; Pro)

Client=POP3/IMAP4;Protocol=IMAP4

Client=Microsoft.Exchange.ActiveSync; Apple-iPhone8C1/1302.143

New-InboxRule

Set-InboxRule

Set-Mailbox

Diving Deeper

• Search-UnifiedAuditLog -IPAddresses "123.123.123.123" -StartDate

MM/DD/YYYY -EndDate MM/DD/YYYY | Export-csv "C:\ipaddress.csv“

• Search-UnifiedAuditLog -IPAddresses IPaddress1,IPaddress2 -StartDate

MM/DD/YYYY -EndDate MM/DD/YYYY | Export-csv "C:\ipaddress.csv"

Beyond the UAL

Sufficient licensing level of O365 tenant is required

MICROSOFT’S AZURE ACTIVE DIRECTORY

Wrapping Up:

Bonus Round

• get-mailbox -id devon@AboutDFIR.com | select whenCreated

• get-mailboxstatistics -id devon@AboutDFIR.com

• get-mailbox devon@AboutDFIR.com | fl name,*audit*

• “Search & investigation” > “Content search”

• Global Admin account > eDiscovery Admin role to preview and download results of searches.

Hello Frank,

Per our prior conversation, please let me know what you think about it.

Yours Truley,

Julie

Attachment: companyllp.doc

Julie,

Is this legitimate?

Thank you,

Frank

Frank,

Yes it is

Frank,

Yes it is, I sent it.

Email Analysis

• Phishing email w/an attachment

• forensics revealed that the user had opened the phishing email

• clicked the link

• accessed the web page

• had submitted their credentials

• after the webpage returned an error, the user then returned to the phishing email and sent back the following in a Reply:

“Send me something that I can open and not something that

makes me feel uncomfortable.”

Domain Auto Forwarding Blocks

PowerShell commands for domain-specific auto forwarding block

• New-RemoteDomain -Name ExternalDomain -DomainNamenotAboutDFIR.com

• Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled:$FALSE

The change can be verified with the PowerShell command

• Get-RemoteDomain ExternalDomain | fl domainname,autoforwardenabled

• Another option can be found in the Office365 portal under: Admin\Security and Compliance\secure Score\Enable Client Forwarding Rules Block.

“For every security mechanism devised,

there is someone who will subvert or defeat it.”

@AboutDFIR

linkedin.com/in/devonackerman