Forensically Sound Incident Response in Microsoft's Office 365
Devon Ackerman | SANS DFIR Summit 2018
Limitations and Drawbacks
What the Unified Audit Log (UAL) does not give you:
• Logouts (no logout events are recorded, so the end of a session cannot be established from the UAL alone)
• Messages (no message content is recorded; which individual messages the actor viewed must be inferred from other evidence)
• Search Terms (searches the actor ran inside the mailbox are not recorded)
• Attachments (no record of which attachments were opened or downloaded)
• Length of Session (follows from the missing logouts: only the login and the last logged action bracket the session)
Audit log search isn't turned on. To turn it on, click "Start recording user and admin activities" at the top of the page.
Responding
1. Establish a Global Admin account
2. Identify at-risk email accounts
3. Export the log
4. Analysis of the UAL
• O365 Security & Compliance: https://protection.office.com
• O365 Admin Center: https://portal.office.com/adminportal
• Windows Azure: https://manage.windowsazure.com
• Windows PowerShell: Pshell for O365 by Nathan Mitchell
Microsoft Humor…
• Microsoft's browsers work best: Edge or IE11
• Certain fields will not populate or drop down correctly in Firefox and Chrome
• The eDiscovery PST export tool requires Internet Explorer
• Azure AD
Enable owner auditing on every user mailbox (the operation list is passed as a multivalued parameter, not as one quoted string):

```powershell
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" } |
    Set-Mailbox -AuditEnabled $true -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create,MailboxLogin
```
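Both the tenant-level switch behind the portal banner above and the per-mailbox audit settings can be checked and applied from PowerShell. The script below is an added example, not code from the talk or from Nathan Mitchell's Pshell for O365; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, which replaced the 2018-era remote PSSession), an operator holding Global Admin rights, and the hypothetical account name admin@contoso.onmicrosoft.com. It records the audit state before changing it, because enabling auditing is itself a change to the tenant and nothing is recorded retroactively.

```powershell
# Added example (not from the talk). Assumes the ExchangeOnlineManagement module is installed
# and the operator holds a Global Admin / Exchange admin role; the UPN below is hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Tenant level: is the Unified Audit Log ingesting events at all?
#    Turning it on now records activity from this point forward only; nothing is backfilled.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "UAL ingestion is OFF. Enabling it now; events before this moment were never recorded."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox level: which user mailboxes are not auditing owner actions, and which are
#    missing any of the owner operations the talk enables with Set-Mailbox -AuditOwner?
$wanted = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','Create','MailboxLogin'

$report = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' } |
    ForEach-Object {
        $mbx = $_                                   # keep a handle; $_ is rebound inside Where-Object
        $missing = @($wanted | Where-Object { $mbx.AuditOwner -notcontains $_ })
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            AuditEnabled = $mbx.AuditEnabled
            AuditLogAge  = $mbx.AuditLogAgeLimit    # how long mailbox audit entries are retained
            MissingOwner = ($missing -join ',')
        }
    }

# 3. Preserve the pre-change state, then show the gaps. A forensically sound response
#    documents what was and was not being audited before it remediates.
$report | Export-Csv -NoTypeInformation -Path .\mailbox-audit-state-before.csv
$report | Where-Object { -not $_.AuditEnabled -or $_.MissingOwner } |
    Sort-Object Mailbox | Format-Table -AutoSize
```

Run the report before the Set-Mailbox command above, not after: once auditing is enabled everywhere the "before" state is gone, and a mailbox whose AuditEnabled was false during the intrusion window will have no owner-action records for that window no matter what is set now.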
Audit Data Example
• UserLoggedIn
• PasswordLogonInitialAuthUsingPassword
• ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken
• PasswordLogonInitialAuthUsingADFSFederatedToken
• ForeignRealmIndexLogonCookieCopyUsingDAToken
• PasswordLogonCookieCopyUsingDAToken
```json
{
  "CreationTime": "2018-01-19T16:11:25",
  "Id": "f8fast70-2bbe-456f-8sea-7513rfasf2541",
  "Operation": "UserLoggedIn",
  "OrganizationId": "b3bas52-8487-484f-8a41-45a6f1a235",
  "RecordType": 15,
  "ResultStatus": "Succeeded",
  "UserKey": "[email protected]",
  "UserType": 0,
  "Version": 1,
  "Workload": "AzureActiveDirectory",
  "ClientIP": "15.16.17.181",
  "ObjectId": "Unknown",
  "UserId": "[email protected]",
  "AzureActiveDirectoryEventType": 1,
  "ExtendedProperties": [
    {"Name": "UserAgent", "Value": "Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"},
    {"Name": "UserAuthenticationMethod", "Value": "1"},
    {"Name": "RequestType", "Value": "OrgIdWsTrust2:process"},
    {"Name": "ResultStatusDetail", "Value": "Success"}
  ],
  "Actor": [
    {"ID": "4d46d3bd-95b3-4cad-bcda-88cddfdc2c52", "Type": 0},
    {"ID": "[email protected]", "Type": 5},
    {"ID": "1245ASGSAF312351", "Type": 3}
  ],
  "ActorContextId": "fasd631-1240-4125c-9125a-b32515asg31",
  "ActorIpAddress": "15.16.17.181",
  "InterSystemsId": "4dsF1-g12wb-512a-8sd-0a8asdzxg324",
  "IntraSystemId": "adfas32-6afsd-4adf1-b562-f336135a14110",
  "Target": [{"ID": "Unknown", "Type": 0}],
  "TargetContextId": "fast12b-124f-490c-9a15-b60621e1617y",
  "ApplicationId": "f13241-2412-4422-san-sr0ck$1rs38"
}
```
Operations in the UAL that grant another account access to a mailbox or change how its mail is delivered:
• Add-MailboxPermission
• Add-RecipientPermission
• Set-Mailbox
The end goal of UAL analysis is to identify whether unauthorized access did occur, when, and what else the actor did while in the account.
Groupings to be aware of
• Mail rule creation
• Geolocation of IP addresses
• IPs that are part of netblocks
• User Agent Strings
• Baselining User Activity
Examples of client strings recorded in mailbox audit records (the ClientInfoString field):
• Client=Microsoft.Exchange.Mapi; Microsoft Office/16.0 (Windows NT 6.1; Microsoft Outlook 16.0.8201; Pro)
• Client=POP3/IMAP4;Protocol=IMAP4
• Client=Microsoft.Exchange.ActiveSync; Apple-iPhone8C1/1302.143
Operations associated with mail rule creation and forwarding:
• New-InboxRule
• Set-InboxRule
• Set-Mailbox
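The UserLoggedIn record shown earlier, the permission and inbox-rule operations, and the groupings by IP and client string all come together in step 4. The script below is an added example that is not part of the talk; it runs offline over constructed rows shaped like an Export-Csv of Search-UnifiedAuditLog output (CreationDate, UserIds, Operations and the raw AuditData JSON). The account julie@contoso.com, the addresses 15.16.17.181 and 203.0.113.45, the forwarding target collector@example.net and the baseline IP list are all invented for the example. It also generalises slightly beyond the slide: it reads both the Azure AD shape of a record (ClientIP, ExtendedProperties) and the Exchange shapes (ClientIPAddress, ClientInfoString, Parameters).

```powershell
# Added example (not from the talk). Constructed rows standing in for Import-Csv of a
# Search-UnifiedAuditLog export; every name, address and IP below is invented.
$rows = @(
    [pscustomobject]@{ CreationDate='2018-01-19 16:11:25'; UserIds='julie@contoso.com'; Operations='UserLoggedIn'
        AuditData='{"CreationTime":"2018-01-19T16:11:25","Operation":"UserLoggedIn","RecordType":15,"ResultStatus":"Succeeded","UserId":"julie@contoso.com","ClientIP":"15.16.17.181","Workload":"AzureActiveDirectory","ExtendedProperties":[{"Name":"UserAgent","Value":"Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"},{"Name":"RequestType","Value":"OrgIdWsTrust2:process"}]}' }
    [pscustomobject]@{ CreationDate='2018-01-22 03:40:02'; UserIds='julie@contoso.com'; Operations='UserLoggedIn'
        AuditData='{"CreationTime":"2018-01-22T03:40:02","Operation":"UserLoggedIn","RecordType":15,"ResultStatus":"Succeeded","UserId":"julie@contoso.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/63.0 Safari/537.36"},{"Name":"RequestType","Value":"Login:login"}]}' }
    [pscustomobject]@{ CreationDate='2018-01-22 03:41:17'; UserIds='julie@contoso.com'; Operations='New-InboxRule'
        AuditData='{"CreationTime":"2018-01-22T03:41:17","Operation":"New-InboxRule","RecordType":1,"ResultStatus":"True","UserId":"julie@contoso.com","ClientIP":"203.0.113.45:4711","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@example.net"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"}]}' }
    [pscustomobject]@{ CreationDate='2018-01-22 03:55:09'; UserIds='julie@contoso.com'; Operations='MoveToDeletedItems'
        AuditData='{"CreationTime":"2018-01-22T03:55:09","Operation":"MoveToDeletedItems","RecordType":2,"ResultStatus":"Succeeded","UserId":"julie@contoso.com","ClientIPAddress":"203.0.113.45","ClientInfoString":"Client=OWA;Action=ViaProxy","LogonType":0,"Workload":"Exchange"}' }
)

function Get-UalFindings {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string[]]$KnownIPs = @()      # addresses already baselined for this user (an assumption)
    )
    foreach ($row in $Rows) {
        $d = $row.AuditData | ConvertFrom-Json

        # Azure AD and admin records carry ClientIP; mailbox (ExchangeItem) records carry
        # ClientIPAddress, and either may have a source port appended. Normalise to the address.
        $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        if ($ip -match '^(\d{1,3}(\.\d{1,3}){3}):\d+$') { $ip = $Matches[1] }

        # The client identity is ExtendedProperties.UserAgent for Azure AD records and
        # ClientInfoString for Exchange records (the "Client=..." strings listed above).
        $client = if ($d.ClientInfoString) { $d.ClientInfoString } else { ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value }

        # ExchangeAdmin records store the cmdlet's parameters as a Name/Value array; flatten them.
        $p = @{}
        foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }

        $flags = New-Object System.Collections.Generic.List[string]
        if ($ip -and $KnownIPs -notcontains $ip) { $flags.Add('IP not in baseline') }
        switch ($d.Operation) {
            { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
                foreach ($k in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
                    if ($p[$k]) { $flags.Add("$k=$($p[$k])") }
                }
                if ($p['DeleteMessage'] -eq 'True' -or $p['MoveToFolder']) { $flags.Add('rule hides matching mail') }
            }
            'Set-Mailbox' {
                foreach ($k in 'ForwardingSmtpAddress', 'ForwardingAddress') {
                    if ($p[$k]) { $flags.Add("$k=$($p[$k])") }
                }
            }
            'Add-MailboxPermission'   { $flags.Add("mailbox access granted to $($p['User'])") }
            'Add-RecipientPermission' { $flags.Add("SendAs granted to $($p['Trustee'])") }
        }

        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $ip
            Client    = $client
            Flags     = ($flags -join '; ')
        }
    }
}

$findings = Get-UalFindings -Rows $rows -KnownIPs '15.16.17.181'

# Step 4: did unauthorized access occur, when, and what else did the actor do?
$findings | Where-Object Flags | Sort-Object Time | Format-Table Time, Operation, ClientIP, Flags -AutoSize

# The groupings the talk calls out: activity by source address and by client string.
$findings | Group-Object ClientIP | Select-Object Name, Count | Format-Table -AutoSize
$findings | Group-Object Client   | Select-Object Name, Count | Format-Table -AutoSize
```

On the constructed rows the first login is silent (baselined IP) and the three 03:40 to 03:55 records from 203.0.113.45 are flagged: an unbaselined login, a rule named "." that forwards and deletes anything mentioning invoices or wires, and a deletion from the same address two minutes later. Geolocation and netblock grouping are deliberately left out so the script runs offline; feed the distinct ClientIP values to whatever lookup you use.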
Diving Deeper

```powershell
# A single address
Search-UnifiedAuditLog -IPAddresses "123.123.123.123" -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-Csv "C:\ipaddress.csv"
# Several addresses
Search-UnifiedAuditLog -IPAddresses IPaddress1,IPaddress2 -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-Csv "C:\ipaddress.csv"
```
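The searches above, like every Search-UnifiedAuditLog call, return at most 5,000 records per call, so the "Export the log" step for a busy account over the full retention window has to be paged. The function below is an added example, not from the talk or from the Pshell for O365 scripts; it assumes an existing Exchange Online session (Connect-ExchangeOnline) and an account permitted to search the UAL, and the file names and the account in the sample call are hypothetical.

```powershell
# Added example (not from the talk). Assumes an Exchange Online session and an account
# allowed to run Search-UnifiedAuditLog; file names and the sample account are hypothetical.
function Export-UalPaged {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$UserIds,                       # the at-risk accounts from step 2; omit for the whole tenant
        [Parameter(Mandatory)][string]$OutFile
    )
    # One call returns at most 5,000 records. With a fixed -SessionId and
    # -SessionCommand ReturnLargeSet the service pages out up to 50,000 records
    # for that session; anything larger needs the time window split.
    $sessionId = "ual-{0:yyyyMMddHHmm}-{1:yyyyMMddHHmm}-{2}" -f $StartDate, $EndDate, [guid]::NewGuid()
    $total = 0
    $expected = $null
    do {
        $params = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($UserIds) { $params['UserIds'] = $UserIds }

        $page = @(Search-UnifiedAuditLog @params)
        if ($page.Count -eq 0) { break }
        if ($null -eq $expected) { $expected = $page[0].ResultCount }   # total matches for the query

        # Keep AuditData as the raw JSON string; parsing happens later, against the preserved export.
        $page | Select-Object CreationDate, RecordType, UserIds, Operations, ResultIndex, ResultCount, AuditData |
            Export-Csv -NoTypeInformation -Append -Path $OutFile
        $total += $page.Count
    } while ($total -lt $expected)

    if ($expected -gt 50000) {
        Write-Warning "$expected records match but one session returns at most 50,000; re-run with a narrower window."
    }

    # Hash the export and keep the query with it so the evidence can be re-validated later.
    $hash = Get-FileHash -Algorithm SHA256 -Path $OutFile
    [pscustomobject]@{
        File      = $OutFile
        Records   = $total
        Expected  = $expected
        Query     = "StartDate=$StartDate EndDate=$EndDate UserIds=$($UserIds -join ',')"
        SHA256    = $hash.Hash
        Collected = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Hypothetical run: 90 days of activity for one at-risk account, plus a manifest for the case file.
Export-UalPaged -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds 'julie@contoso.com' -OutFile .\ual-julie.csv |
    Export-Csv -NoTypeInformation -Path .\ual-julie.manifest.csv
```

The manifest (record count, expected count, query, SHA-256, collection time) is what makes the export defensible: it shows the search was complete and that the CSV analysed later is the one collected. Pages from ReturnLargeSet are not sorted, so sort on CreationDate after import rather than relying on file order.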
Beyond the UAL: Microsoft's Azure Active Directory
Azure AD sign-in reports require a sufficient licensing level on the O365 tenant (Azure AD Premium at the time of the talk).
Wrapping Up: Bonus Round
```powershell
Get-Mailbox -Identity [email protected] | Select-Object WhenCreated
Get-MailboxStatistics -Identity [email protected]
Get-Mailbox [email protected] | Format-List Name,*Audit*
```
• "Search & investigation" > "Content search"
• Even a Global Admin account needs the eDiscovery Admin role to preview and download the results of searches.
Hello Frank,
Per our prior conversation, please let me know what you think about it.
Yours Truley,
Julie
Attachment: companyllp.doc
Julie,
Is this legitimate?
Thank you,
Frank
Frank,
Yes it is, I sent it.
Email Analysis
• Phishing email with an attachment
• Forensics revealed that the user had opened the phishing email
• clicked the link
• accessed the web page
• had submitted their credentials
• after the web page returned an error, the user returned to the phishing email and sent back the following in a reply:
"Send me something that I can open and not something that makes me feel uncomfortable."
Domain Auto Forwarding Blocks
PowerShell commands for a domain-specific auto-forwarding block:

```powershell
New-RemoteDomain -Name ExternalDomain -DomainName notAboutDFIR.com
Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled $false
```

The change can be verified with:

```powershell
Get-RemoteDomain ExternalDomain | Format-List DomainName,AutoForwardEnabled
```

• Another option can be found in the Office 365 portal under Admin > Security and Compliance > Secure Score > "Enable Client Forwarding Rules Block".
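The remote-domain commands above are a transport-level block: mail that an inbox rule or a Set-Mailbox forwarding setting tries to send to the named domain is dropped, but the rules and settings the actor created stay in place and keep firing. The script below is an added example, not from the talk; it assumes an Exchange Online session, that the tenant's own domains are the hypothetical ones passed as -InternalDomains, and it generalises the per-domain block to the Default remote domain, which covers every external domain without a more specific RemoteDomain entry.

```powershell
# Added example (not from the talk). Assumes an Exchange Online session; the domain
# names passed to -InternalDomains are hypothetical and must be replaced with the tenant's own.
function Get-ExternalForwarding {
    param([string[]]$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com'))

    # Pull a bare SMTP address out of the forms Exchange uses: "smtp:user@domain" for
    # ForwardingSmtpAddress and '"Display Name" [SMTP:user@domain]' for rule recipients.
    function Get-SmtpAddress([string]$Value) {
        if ($Value -match '(?i)smtp:([^\]\s"]+)') { return $Matches[1] }
        return $Value
    }
    function Test-External([string]$Address) {
        if (-not $Address) { return $false }
        $domain = ($Address -split '@')[-1]
        return ($InternalDomains -notcontains $domain)
    }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' }) {
        # Forwarding configured at the mailbox with Set-Mailbox
        if ($mbx.ForwardingSmtpAddress) {
            $target = Get-SmtpAddress $mbx.ForwardingSmtpAddress
            if (Test-External $target) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Set-Mailbox'; Rule = $null
                                   Target = $target; KeepsCopy = $mbx.DeliverToMailboxAndForward }
            }
        }
        # Forwarding or redirection done through inbox rules (New-InboxRule / Set-InboxRule)
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($r in ($recipients | Where-Object { $_ })) {
                $target = Get-SmtpAddress "$r"
                if (Test-External $target) {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'; Rule = $rule.Name
                                       Target = $target; KeepsCopy = -not $rule.DeleteMessage }
                }
            }
        }
    }
}

# Record what exists before changing anything; the findings are evidence as well as a to-do list.
Get-ExternalForwarding | Export-Csv -NoTypeInformation -Path .\external-forwarding.csv

# Tenant-wide block: the 'Default' remote domain applies to every external domain that has no
# more specific RemoteDomain entry, so this is the general form of the per-domain commands above.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled -AutoSize
```

Get-InboxRule is one round trip per mailbox, so run the enumeration against the at-risk accounts from step 2 first and the whole tenant afterwards. A rule that forwards with DeleteMessage set, or a ForwardingSmtpAddress with DeliverToMailboxAndForward false, shows as KeepsCopy false: the victim never saw the mail, which is exactly the pattern in the Frank and Julie exchange above.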
“For every security mechanism devised,
there is someone who will subvert or defeat it.”
@AboutDFIR
linkedin.com/in/devonackerman