
Office 365 Incident Response: BSides Vancouver 2018



As adoption for Office 365 increases, so will security incidents that involve Office 365. Despite the high adoption rates across industries, most companies still lack the ability to enforce proper security controls and they also lack the knowledge to respond to incidents quickly and effectively.

In this presentation, we will focus on attacker patterns in O365 environments, how to collect the data you need during an incident, and how to respond to common requests and questions, especially during phishing-related cases. We will also look into some of the advanced security features Office 365 has to offer and when it would make sense to invest in them.



  1. OFFICE 365 INCIDENT RESPONSE
     Alex Parsons, DFIR Consultant
     Twitter: @ParsonsProject
     B|Sides Vancouver 2018
  2. Intro/Disclaimer
     + Alex Parsons
       − Consultant in Incident Response for Stroz Friedberg
       − Lives in Seattle; from Pennsylvania
       − Knows a lot about Microsoft technologies and Office 365
       − Wrote one of the first papers on Windows 10 Forensics
       − Doesn’t know everything about Office 365
       − Used to own a Windows Phone
       − Opinions expressed are solely my own and do not express the views or opinions of Stroz Friedberg
  3. Goals
     + Go over:
       − O365 basics
       − Compromise basics
       − Collection details
       − Post-incident process
       − Learn from my pain
     + We use a basic compromise example, but it is applicable to other cases. The assumption is that you don’t have a SIEM connection in place.
  4. TL;DR
     + Place holds on your compromised mailboxes
     + Check your Azure sign-in logs
     + Export your audit logs correctly
     + Use HAWK
     + Use Azure AD Conditional Access for prevention
     + Enable Multi-Factor Authentication (MFA)
     + Enable Multi-Factor Authentication (MFA)
     + Enable Multi-Factor Authentication (MFA)
  5. What is Office 365?
     + Simple idea from 2010
       − Bring Microsoft’s on-premises servers to the cloud
       − Mail servers
       − SharePoint servers
       − Microsoft Lync/Skype for Business
       − Add Office Web Apps (like Google Docs)
       − Oh, and offer regular Office 2010 too
  6. Wait, but what IS SharePoint?
     + Whatever you want it to be! (And it’s normally terribly designed)
     + Custom websites
     + Custom forms
     + Team sites
     + OneDrive for Business
  7. Does O365 do anything interesting though?
     + Since 2010 Microsoft has done a LOT
       − More services are becoming O365 only
       − OneDrive
       − Microsoft Teams
       − Yammer
       − Planner
       − Sway
       − Flow
       − Stream
       − Much, much more
  8. Fun Fact
  9. Compromise Lifecycle (Day 1 to Day 5)
     + Attacker sends phish / gets in via brute force
       • User clicks on link, gives away credentials.
     + Attacker sends more phishing e-mails from trusted accounts, adds mailbox rules
       • Additional users click on phishing links
       • Users don’t see the e-mails because of the inbox rules
     + Attacker sends wire transfer request from compromised user, adds mailbox rules
       • Receiver of wire transfer request trusts the e-mail, sends the money
     + Attacker uses all compromised accounts to spread the phishing campaign
       • Customers/clients click on phishing links and the cycle continues
     Inbox rule added by the attacker (as logged):
       New-InboxRule -StopProcessingRules:$True -AlwaysDeleteOutlookRulesBlob:$False -Force:$False -Name ... -MarkAsRead:$True -DeleteMessage:$True -SubjectOrBodyContainsWords "delivery failure";"don't open";"you have been hacked";error;spam;hacked;docusign;10/08/2017;wire
 10. When most Incidents Start
 11. Scenario
     + Client calls you in, states that an Office 365 account was compromised. What is the first thing you should do?
       − Place a hold on the affected user’s mailbox
       − Collect Azure AD sign-in logs (if possible)
       − Scan for malicious inbox rules
       − Acquire audit logs
     Time to live for logs in default environments:
       − Azure Active Directory sign-ins: 2-7 days (depends on what you pay for)
       − Deleted mail: 14 days (unless you place a hold on the mailbox)
       − Audit logs: 90 days
       − Trace logs: 90 days
       − Exchange audit logs: 0 days; 90 days if enabled
 12. Placing a hold on the Mailbox
     + TechNet link
     + If you download, you must use Microsoft Edge/IE
 13. Azure Active Directory Sign-Ins
     + Very quick win if data within your time frame is there (see TTL)
     + Every O365 environment has Azure Active Directory
     + Look for foreign logons
     + Acquire AD sign-in logs
 14. Ensure Attacker is out of environment
     + Check all current inbox/mailbox rules
     + Check to see if any current inbox rules are forwarding to an attacker (script)
     + Collect last password change info (script)
     + Check if any mailboxes are currently being forwarded (link)
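The checks on this slide (forwarding rules, mailbox-level forwarding, last password change) as one PowerShell script. This is an added example, not the script the slide links to; it assumes a connected Exchange Online PowerShell session (Get-Mailbox, Get-InboxRule), the MSOnline module for Get-MsolUser, and a placeholder list of the tenant's own domains.

```powershell
# Added example, not from the slides: triage inbox rules and mailbox-level
# forwarding after a suspected Office 365 account compromise, and list users
# whose password has not changed since the suspected compromise date.
# Assumes a connected Exchange Online PowerShell session (Get-Mailbox,
# Get-InboxRule) and, for the password check, the MSOnline module (Get-MsolUser).

# Domains the tenant owns. Constructed value; replace with the tenant's accepted domains.
$InternalDomains = @('contoso.com')

# Keywords from the attacker rule on the lifecycle slide; rules keyed on these
# hide bounce and warning mail from the user.
$SuspiciousWords = @('hacked', 'spam', 'phish', 'delivery failure', 'wire', 'docusign', "don't open")

function Test-ExternalRecipient {
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients look like '"Display Name" [SMTP:user@domain]'; pull out the domain.
        if ($r -match '[\w.+-]+@([\w.-]+)' -and $InternalDomains -notcontains $Matches[1].ToLower()) {
            return $true
        }
    }
    return $false
}

function Get-SuspiciousInboxRules {
    $findings = @()
    $mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" }
    foreach ($mbx in $mailboxes) {
        # Mailbox-level forwarding is set with Set-Mailbox, not with a rule, so check it separately.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = '(mailbox forwarding)'
                Reasons = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress); ForwardingAddress=$($mbx.ForwardingAddress); DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
            }
        }
        foreach ($rule in @(Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
            $reasons = @()
            $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
            if (Test-ExternalRecipient -Recipients @($targets)) { $reasons += 'forwards or redirects outside the tenant' }
            if ($rule.DeleteMessage) { $reasons += 'deletes matching messages' }
            if ($rule.MoveToFolder -match 'RSS|Archive|Junk|Conversation History|Deleted') { $reasons += "moves mail to $($rule.MoveToFolder)" }
            $words = @($rule.SubjectOrBodyContainsWords) + @($rule.SubjectContainsWords) + @($rule.BodyContainsWords)
            $hits = @($words | Where-Object { $w = $_; $SuspiciousWords | Where-Object { $w -like "*$_*" } })
            if ($hits.Count -gt 0) { $reasons += "filters on: $($hits -join ', ')" }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Reasons = ($reasons -join '; ') }
            }
        }
    }
    return $findings
}

function Get-UsersWithoutPasswordReset {
    param([datetime]$SuspectedCompromise)
    # LastPasswordChangeTimestamp is UTC; anyone still on a pre-compromise password needs a reset.
    Get-MsolUser -All | Where-Object { $_.LastPasswordChangeTimestamp -lt $SuspectedCompromise } |
        Select-Object UserPrincipalName, LastPasswordChangeTimestamp
}

# Usage (date and file name are placeholders):
# Get-SuspiciousInboxRules | Export-Csv InboxRuleFindings.csv -NoTypeInformation
# Get-UsersWithoutPasswordReset -SuspectedCompromise (Get-Date '2018-03-01')
```

The rule checks mirror what the lifecycle slide shows the attacker doing: forwarding out of the tenant, deleting matches, and filtering on words such as "hacked" or "wire". A rule that moves mail to RSS Feeds or Archive is flagged as well, since that hides mail as effectively as deleting it while leaving a hold intact.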
 15. Audit Logs
     Guess which one of these three is enabled by default?
 16. Audit Logs
     + Audit logs detail user activity across the entire O365 environment
     + Office 365 audit logs are very useful but very frustrating
     + Audit logs are not enabled by default
     + Exchange/mail-related logs are not enabled by default
     + JSON with nested JSON
 17. Mailbox/Exchange Audit Logs
     + Not enabled by default

     Action             | Description                                                                                                                                                   | Admin | Delegate | Owner
     -------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|----------|-------
     Copy               | An item is copied to another folder.                                                                                                                          | Yes   | No       | No
     Create             | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes*  | Yes*     | Yes
     FolderBind         | A mailbox folder is accessed.                                                                                                                                 | Yes*  | Yes**    | No
     HardDelete         | An item is deleted permanently from the Recoverable Items folder.                                                                                             | Yes*  | Yes*     | Yes
     MailboxLogin       | The user signed in to their mailbox.                                                                                                                          | No    | No       | Yes***
     MessageBind        | An item is accessed in the reading pane or opened.                                                                                                            | Yes   | No       | No
     Move               | An item is moved to another folder.                                                                                                                           | Yes*  | Yes      | Yes
     MoveToDeletedItems | An item is moved to the Deleted Items folder.                                                                                                                 | Yes*  | Yes      | Yes
     SendAs             | A message is sent using Send As permissions.                                                                                                                  | Yes*  | Yes*     | No
     SendOnBehalf       | A message is sent using Send on Behalf permissions.                                                                                                           | Yes*  | Yes      | No
     SoftDelete         | An item is deleted from the Deleted Items folder.                                                                                                             | Yes*  | Yes*     | Yes
     Update             | An item's properties are updated.                                                                                                                             | Yes*  | Yes*     | Yes

     Source: us/library/ff461937(v=exchg.160).aspx
 18. Enabling Mailbox Audit Logs
     Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner "Create, Update, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete"
     Important: you will have to run this on a schedule, as it enables mailbox auditing only for the mailboxes that exist at the time it runs; mailboxes created later are not covered.
 19. Audit Logs Continued (an Exchange MailboxLogin record; user identifiers are blank in the slide)
     {"CreationTime":"2018-03-12T21:02:46",
      "Id":"b0f7472d-4830-4b7a-8fc8-08d5425c9b00",
      "Operation":"MailboxLogin",
      "OrganizationId":"88af9a01-997d-4990-8895-25d100f62ba5",
      "RecordType":2,
      "ResultStatus":"Succeeded",
      "UserKey":"10543BFFD9B5F8EDF",
      "UserType":0,
      "Version":1,
      "Workload":"Exchange",
      "UserId":"",
      "ClientIPAddress":"",
      "ClientInfoString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
      "ExternalAccess":false,
      "InternalLogonType":0,
      "LogonType":0,
      "LogonUserSid":"S-1-5-21-4210148372-1463556831-2082377497-6089575",
      "MailboxGuid":"64288e9b-0bfd-42cc-b08f-0007f8630d51",
      "MailboxOwnerSid":"S-1-5-21-4010148372-1463556831-2083377497-6089575",
      "MailboxOwnerUPN":"",
      "OrganizationName":"",
      "OriginatingServer":"DM5PR17MB1322"}
 20. Audit Logs Continued (a OneDrive FilePreviewed record; user and site values are blank or cut in the slide)
     {"CreationTime":"2018-03-12T21:02:41",
      "Id":"701ae50c-7da5-49fd-ccf2-08d5885c9879",
      "Operation":"FilePreviewed",
      "OrganizationId":"88af9a01-997d-4990-8895-25d100f62ba5",
      "RecordType":6,
      "UserKey":"i:0h.f|membership| ",
      "UserType":0,
      "Version":1,
      "Workload":"OneDrive",
      "ClientIP":"",
      "ObjectId":"https://contoso- data.docx",
      "UserId":"",
      "CorrelationId":"1a708197-8123-43ec-b593-1bae34e6432a",
      "EventSource":"SharePoint",
      "ItemType":"File",
      "ListId":"8dd3b323-d4e3-444d-9b33-adf13a56a411",
      "ListItemUniqueId":"015cb92a-ea29-4bd8-8650-8d965406047f",
      "Site":"7a952c9d-8c29-471d-8d3a-9b698639db45",
      "UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
      "WebId":"577deac0-7c7e-4c60-9525-942ac37d08ce",
      "SourceFileExtension":"docx",
      "SiteUrl":"https://contoso-",
      "SourceFileName":" Sensitive data.docx",
      "SourceRelativeUrl":"Documents"}
 21. Pivoting with Audit Log Analysis
     + Take your audit logs and do some IP lookups
       − Identify suspicious countries
         − Audit logs
         − Azure AD sign-in logs
       − Identify suspicious IPs
         − Proxy providers
         − Cloud providers
       − Identify common user agents
     Fields to pivot on in the MailboxLogin record above: "ClientIPAddress" and "ClientInfoString" (e.g. "Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299")
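The "JSON with nested JSON" point from slide 16 and the IP/user-agent pivot on this slide, as an added PowerShell example that is not from the presentation. It assumes the audit log was exported with Search-UnifiedAuditLog | Export-Csv, so each row carries the record's JSON in the AuditData column; the rows written at the bottom are constructed sample data shaped like the two records shown on the previous slides.

```powershell
# Added example, not from the slides: flatten the nested JSON that Office 365
# audit records carry and pivot on client IP address. Assumes a CSV produced by
#   Search-UnifiedAuditLog ... | Export-Csv audit.csv
# in which the AuditData column holds each record's JSON. The rows built at the
# bottom are constructed sample data shaped like the records on the slides.

function Get-AuditClientIp {
    param($Record)
    # Exchange records use ClientIPAddress, SharePoint/OneDrive use ClientIP and
    # Azure AD records use ActorIpAddress; any of them may carry a port suffix.
    $raw = $Record.ClientIPAddress
    if (-not $raw) { $raw = $Record.ClientIP }
    if (-not $raw) { $raw = $Record.ActorIpAddress }
    if (-not $raw) { return $null }
    if ($raw -match '^\[([0-9a-fA-F:.]+)\](?::\d+)?$') { return $Matches[1] }   # [ipv6]:port
    if ($raw -match '^(\d{1,3}(?:\.\d{1,3}){3}):\d+$') { return $Matches[1] }    # ipv4:port
    return $raw
}

function Import-AuditRecords {
    param([string]$CsvPath)
    Import-Csv -Path $CsvPath | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime      # UTC in the unified audit log
            User      = $d.UserId
            Operation = $d.Operation
            Workload  = $d.Workload
            Ip        = Get-AuditClientIp $d
            UserAgent = if ($d.ClientInfoString) { $d.ClientInfoString } elseif ($d.UserAgent) { $d.UserAgent } else { '' }
            Object    = $d.ObjectId
        }
    }
}

function Get-IpPivot {
    param($Records)
    # One row per client IP: who used it, for what, with which user agents, and when.
    $Records | Where-Object { $_.Ip } | Group-Object -Property Ip | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Ip         = $_.Name
            Events     = $_.Count
            Users      = (@($_.Group.User | Sort-Object -Unique) -join ';')
            Operations = (@($_.Group.Operation | Sort-Object -Unique) -join ';')
            UserAgents = (@($_.Group.UserAgent | Sort-Object -Unique) -join ' | ')
            FirstSeen  = $sorted[0].Time
            LastSeen   = $sorted[-1].Time
        }
    } | Sort-Object Events -Descending
}

# Constructed sample rows in the shape Export-Csv writes (all values are made up).
$samples = @(
    @{ CreationTime = '2018-03-12T21:02:46'; Operation = 'MailboxLogin'; Workload = 'Exchange'; UserId = 'jsmith@contoso.com';
       ClientIPAddress = '203.0.113.45:51022'; ClientInfoString = 'Client=OWA; Mozilla/5.0 (Windows NT 10.0) Edge/16.16299' },
    @{ CreationTime = '2018-03-12T21:02:41'; Operation = 'FilePreviewed'; Workload = 'OneDrive'; UserId = 'jsmith@contoso.com';
       ClientIP = '203.0.113.45'; UserAgent = 'Mozilla/5.0 (Windows NT 10.0) Edge/16.16299'; ObjectId = 'https://contoso-my.sharepoint.com/Documents/Sensitive data.docx' },
    @{ CreationTime = '2018-03-13T08:15:02'; Operation = 'New-InboxRule'; Workload = 'Exchange'; UserId = 'jsmith@contoso.com';
       ClientIP = '[2001:db8::1]:443'; ClientInfoString = 'Client=Microsoft Exchange Server' }
)
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'audit-sample.csv'
$samples | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } } |
    Export-Csv -Path $csv -NoTypeInformation

$records = Import-AuditRecords -CsvPath $csv
$records | Format-Table Time, User, Operation, Ip, Workload -AutoSize
Get-IpPivot -Records $records | Format-Table -AutoSize
```

The pivot table is what you feed to the country and proxy/cloud-provider lookups the slide describes; normalising the IP first matters because the same address appears with a port in some records and without in others, which otherwise splits one attacker address into several rows.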
 22. Fun Fact #2: Vancouver 45.40 in; Montreal: 39 in; Toronto: 31 in
 23. Acquiring Audit Logs (Without a SIEM)
     1. Never trust the audit log GUI
     2. Never trust the audit log GUI
     3. Never ever trust the audit log GUI
     4. ALWAYS acquire audit logs via PowerShell
     Audit log GUI issues
       − It will only export up to 50,000 lines per request and will not warn you
       − It sometimes won’t get all of the audit logs and won’t tell you
       − It sometimes will lie to you on how far back it can acquire audit logs
     Search-UnifiedAuditLog -Operations <operation> -StartDate 9/1/2017 -EndDate 10/1/2017 -UserIds <user> -ResultSize 5000 | Export-Csv "aparsons.csv"
     Note: this command and others like it require you to connect to the Exchange Online shell via PowerShell first (tutorial)
 24. Acquiring Audit Logs
 25. Data Learned from Pain
     + Via PowerShell, you can’t acquire more than 10,000 records at a time, but you can do it sequentially and it will show you more clearly if you don’t acquire them all.
     + If you request too many logs in a short period of time, Microsoft will lock you out for a few minutes. Check out Start-RobustCloudCommand.ps1
     + If you use the GUI, you are limited to 50,000 events and have no verification that you have all of the logs
     + Search for 90 days prior even if the client didn’t have audit logs enabled.
     + Overall, a very frustrating process without a SIEM connection
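The sequential acquisition described on slides 23 and 25 (page through PowerShell rather than the GUI, verify you got everything, survive the lock-out) as an added example; it is not the author's script or Start-RobustCloudCommand.ps1. It assumes a connected Exchange Online PowerShell session, and the dates, filters and output path in the usage line are placeholders.

```powershell
# Added example, not from the slides: acquire audit logs with Search-UnifiedAuditLog
# one day at a time, paging each day through a session so that nothing is silently
# truncated, checking the retrieved count against the count the service reports,
# and backing off when requests are throttled. Assumes a connected Exchange Online
# PowerShell session; dates, filters and the output path are placeholders.

function Get-AuditLogRange {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [Parameter(Mandatory)][string]$OutFile,
        [string[]]$UserIds,
        [string[]]$Operations
    )
    $all = @()
    $windowStart = $Start
    while ($windowStart -lt $End) {
        $windowEnd = $windowStart.AddDays(1)
        if ($windowEnd -gt $End) { $windowEnd = $End }

        # One SessionId per window; ReturnLargeSet pages up to 50,000 records
        # (5,000 per call) for that window, unsorted.
        $sessionId = [guid]::NewGuid().ToString()
        $expected = $null
        $got = 0
        do {
            $params = @{
                StartDate      = $windowStart
                EndDate        = $windowEnd
                SessionId      = $sessionId
                SessionCommand = 'ReturnLargeSet'
                ResultSize     = 5000
            }
            if ($UserIds)    { $params.UserIds    = $UserIds }
            if ($Operations) { $params.Operations = $Operations }

            # Retry the same page after a pause when the service throttles the session.
            $page = $null
            $attempt = 0
            while ($null -eq $page) {
                try {
                    $page = @(Search-UnifiedAuditLog @params)
                } catch {
                    $attempt++
                    if ($attempt -ge 5) { throw }
                    Write-Warning "Request failed ($($_.Exception.Message)); waiting 60 s before retry $attempt"
                    Start-Sleep -Seconds 60
                }
            }
            if ($page.Count -gt 0) {
                # Every record carries ResultCount, the total the service matched for the query.
                if ($null -eq $expected) { $expected = [int]$page[0].ResultCount }
                $got += $page.Count
                $all += $page
            }
        } while ($page.Count -gt 0)

        if ($expected -gt 50000) {
            Write-Warning ("{0:yyyy-MM-dd}: {1} records matched; a session returns at most 50,000, so use a smaller window or tighter filters" -f $windowStart, $expected)
        } elseif ($expected -and $got -ne $expected) {
            Write-Warning ("{0:yyyy-MM-dd}: service reported {1} records, retrieved {2}" -f $windowStart, $expected, $got)
        } else {
            Write-Host ("{0:yyyy-MM-dd}: {1} records" -f $windowStart, $got)
        }
        $windowStart = $windowEnd
    }
    # Records on a window boundary can come back twice; Identity is unique per record.
    $unique = @($all | Sort-Object -Property Identity -Unique)
    $unique | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $unique.Count
}

# Usage (placeholders): pull 90 days of inbox-rule events for one user.
# Get-AuditLogRange -Start (Get-Date).AddDays(-90) -End (Get-Date) -OutFile 'audit_inboxrules.csv' `
#     -UserIds 'user@contoso.com' -Operations 'New-InboxRule','Set-InboxRule'
```

The per-window count check is the verification the GUI never gives you: if the service says 12,300 records matched and the loop only collected 10,000, the warning tells you which day to re-pull. Daily windows also keep each session well under the 50,000-record session cap on all but the busiest tenants.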
 26. Useful Audit Log searches
     + You can use PowerShell to search all audit logs that contain certain IP addresses (not 100% effective though):
       Search-UnifiedAuditLog -ResultSize 5000 -StartDate $startDate -EndDate $endDate -IPAddresses 187.36.51.* | Export-Csv "MaliciousIP.csv"
     + You can also use PowerShell to search all audit logs for mailbox rule events to look for additional attacker activity (only if Exchange logging has been enabled by the client):
       Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations *-InboxRule | Export-Csv "AuditLogs_FullInboxRules.csv"
 27. Quick Recap: What do we know?
     + With the data collected so far we should know the following:
       − Users that were compromised (if the attacker uses obvious foreign IP addresses or proxy/VPN solutions)
       − Whether the attacker is currently in the environment or has malicious mailbox rules enabled
       − What mailbox rules (if any) the attacker may have created (if the client had mailbox logging enabled)
       − This can also help generate a list of users that were targeted.
     + Unanswered questions
       − How many e-mails were sent by the attacker while the user was compromised?
       − How was the user originally compromised?
 28. Surely we could Automate?
 29. HAWK
     + PowerShell module released in December 2017
     + Made by Microsoft support engineers
     + HAWK will:
       − Parse successful logins and resolve the locations
       − Export Exchange-related audit logs
       − Export current inbox rules per user
       − Export historical inbox rules
       − Export permissions
       − Much, much more
     + HAWK will NOT:
       − Collect all of your audit logs for you
 30. HAWK
     + Process (take a picture of this)
       1. Install-Module -Name HAWK
       2. Import-Module HAWK
       3. Connect to Exchange via PowerShell
       4. Start-HawkTenantInvestigation
       5. Start-HawkUserInvestigation
     (Screenshots: User Investigation export subset; Tenant Investigation export subset)
 31. Recap: Quick Wins
     + Azure AD sign-ins
       − Impossible sign-ins
       − Suspicious logins
       − Collect ALL sign-in logs
     + Run HAWK
       − Find malicious mailbox rules
       − Get locations of logins from audit logs
 32. Finding Phishing E-mail
     + Look for e-mail within 5 days prior to the first malicious login
     + Often something like “John Smith has Shared a Document With you”
     + Attackers often delete and purge e-mails; default TTL is 14 days
     + If the e-mail is no longer present
       − Search the trace logs
       − Trace logs are detailed logs regarding where the e-mail was sent from, and include valuable IP addresses; however, they do not have the contents. (Collection tutorial)
     + If you need to search for more e-mails across the entire company, you can do that in the Search pane of the eDiscovery case (tutorial). Content Searches will also work exactly the same.
     + Check out PIE!
 33. Finding the Fraud e-mail
     + Office 365 sometimes keeps track of the IP address in the “x-originating-ip” header of the e-mail. Scanning the IP can help find what e-mails were sent fraudulently
     + Process for finding malicious IPs in a PST file
       − Process the PST in X-Ways
       − Copy/export the processed EML files into a folder
       − Run an automated script to look up IP addresses
       − Search for suspicious IPs in the report
       − Use X-Ways/grep to then search for the identified IPs within the PST
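The "automated script" step of this process, as an added PowerShell example that is not the author's script: it reads a folder of exported .eml files, pulls the x-originating-ip header from each, and reports which messages came from which address. The two messages it writes are constructed sample data; the folder and the list of already-suspicious IPs are placeholders.

```powershell
# Added example, not from the slides: pull the x-originating-ip header out of a
# folder of exported .eml files and summarise which messages left from which IP,
# so mail the attacker sent from the compromised mailbox can be separated from the
# user's own. The two messages written below are constructed sample data; the
# folder and the list of IPs already found suspicious are placeholders.

function Get-EmlOrigin {
    param([string]$EmlPath)
    $text = Get-Content -Path $EmlPath -Raw
    # The header block ends at the first blank line; folded continuation lines
    # (starting with whitespace) are joined back onto their header first.
    $header = ($text -split '\r?\n\r?\n', 2)[0] -replace '\r?\n[ \t]+', ' '
    $ip = $null; $subject = ''; $date = ''
    foreach ($line in ($header -split '\r?\n')) {
        # -match is case-insensitive, so X-Originating-IP and x-originating-ip both match.
        if ($line -match '^x-originating-ip:\s*\[?([0-9a-fA-F:.]+)\]?') { $ip = $Matches[1] }
        elseif ($line -match '^Subject:\s*(.*)$') { $subject = $Matches[1] }
        elseif ($line -match '^Date:\s*(.*)$') { $date = $Matches[1] }
    }
    [pscustomobject]@{ File = (Split-Path -Leaf $EmlPath); Date = $date; Subject = $subject; OriginatingIp = $ip }
}

function Get-EmlIpReport {
    param([string]$Folder, [string[]]$SuspiciousIps = @())
    Get-ChildItem -Path $Folder -Filter '*.eml' | ForEach-Object { Get-EmlOrigin -EmlPath $_.FullName } |
        Select-Object *, @{ Name = 'Suspicious'; Expression = { $SuspiciousIps -contains $_.OriginatingIp } }
}

# Constructed sample messages (addresses are documentation ranges, not real hosts).
$folder = Join-Path ([System.IO.Path]::GetTempPath()) 'eml-sample'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$messages = @{
    'msg1.eml' = "Date: Mon, 12 Mar 2018 21:10:03 +0000`r`nSubject: Wire transfer request - urgent`r`nFrom: jsmith@contoso.com`r`nx-originating-ip: [203.0.113.45]`r`n`r`nPlease process the attached wire today.`r`n"
    'msg2.eml' = "Date: Mon, 12 Mar 2018 15:02:11 +0000`r`nSubject: Re: Q1 budget`r`nFrom: jsmith@contoso.com`r`nX-Originating-IP: [192.0.2.10]`r`n`r`nLooks good to me.`r`n"
}
foreach ($name in $messages.Keys) {
    Set-Content -Path (Join-Path $folder $name) -Value $messages[$name] -NoNewline
}

# Placeholder: IPs already tied to the attacker from the sign-in or audit log review.
$report = Get-EmlIpReport -Folder $folder -SuspiciousIps @('203.0.113.45')
$report | Format-Table -AutoSize

# Message count per originating IP; an address that sent a handful of wire
# requests and nothing else stands out here.
$report | Group-Object OriginatingIp | Select-Object Name, Count
```

Not every message carries the header (the slide says "sometimes"), so messages with an empty OriginatingIp still need the trace-log route from the previous slide; the report leaves them visible rather than dropping them.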
 34. Preventative Techniques
     + Enable MFA
     + Look into Azure AD Conditional Access
       − Can automatically block suspicious logins (if configured)
       − Can blacklist IP subnets and locations
       − Catch: requires Azure Active Directory Premium P2
 35. Conclusion
     + Questions?
     + Contact/follow me on Twitter: @parsonsproject
       − Will post this presentation on my Twitter