As adoption of Office 365 increases, so will the number of security incidents that involve it. Despite the high adoption rates across industries, most companies still lack the ability to enforce proper security controls, and they also lack the knowledge to respond to incidents quickly and effectively.
In this presentation, we will focus on attacker patterns in O365 environments, how to collect the data you need during an incident, and how to respond to common requests and questions, especially during phishing related cases. We will also look into some of the advanced security features Office 365 has to offer and when it would make sense to invest in them.
Forensically Sound Incident Response in Office 365 - SANS DFIR Summit 2018 - Kroll
Presented at the 2018 SANS DFIR Summit by Devon Ackerman, Associate Managing Director, Cyber Risk
A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. Devon Ackerman’s presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office 365 and Azure environments, combining knowledge from over a hundred Office 365 investigations, primarily centered around Business Email Compromise (BEC) and insider threat cases.
Densely packed into a 35-minute presentation, Devon walks through the numerous forensic, incident response, and evidentiary aspects of Office 365.
More from Devon Ackerman: https://www.kroll.com/en-us/who-we-are/kroll-experts/devon-ackerman
Network Scanning Phases and Supporting Tools - Joseph Bugeja
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
The document discusses mobile security tips for smartphones. It recommends enabling a password on one's phone, installing anti-virus software, keeping the operating system updated, only downloading apps from official app stores, being cautious on public WiFi networks, turning off Bluetooth when not in use, and backing up one's data regularly. Following these tips can help protect a smartphone from cyber threats and data loss.
This document discusses various types of network attacks and countermeasures. It describes mapping to study a victim's network before attacking, packet sniffing where a host can read unencrypted communication, spoofing where an attacker takes a target's IP address to remain anonymous, and DoS/DDoS attacks which aim to overload services and bring them down. Hijacking combines different attack techniques to disrupt an entire network. The document provides details on each attack method and their techniques.
Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.
Brute force attacks attempt to gain unauthorized access to a system or decrypt encrypted data by systematically checking all possible combinations of characters. For a 2-character password drawn from upper- and lowercase letters and digits (62 symbols) there are 62^2 = 3,844 possible guesses; adding punctuation enlarges the keyspace further. Longer, more complex passwords that avoid common words and personal details make brute force attacks much less likely to succeed. System owners can also implement countermeasures like attempt limits, IP restrictions and CAPTCHAs to deter online brute force attacks.
OSINT x UCCU Workshop on Open Source Intelligence - Philippe Lin
OSINT is a reconnaissance of intelligence from publicly available information to address a specific intelligence requirement. The slides are used in UCCU's workshop of OSINT.
This document introduces tools for open source intelligence (OSINT) including Shodan, Recon-ng, FOCA, and Maltego. It provides an overview of each tool, including their purpose and basic usage. Shodan is an internet search engine that allows searching devices connected over the internet. Recon-ng is a web reconnaissance framework for OSINT. FOCA extracts metadata from files. Maltego is an OSINT application that extracts and visually represents relationships in extracted data through entities, transforms, and machines. The document demonstrates features of each tool and provides resources for OSINT.
The document discusses open source intelligence (OSINT), including what it is, how it is used, techniques for gathering it, and tools that can be used. OSINT involves collecting publicly available data for intelligence purposes. It is produced from public sources and addresses specific intelligence needs. Security professionals use OSINT to identify vulnerabilities in organizations from accidental information leaks online or exposed assets. However, threat actors also use OSINT to find targets and vulnerabilities to exploit. The document recommends using OSINT proactively to find and address weaknesses before threats actors do. It provides examples of tools like Excel, OSINT Framework, Github search, and Wappalyzer that can be used to search public data and identify technical details about organizations and vulnerabilities.
The Internet is a fun place to be, but it is full of dangers too. This presentation helps you understand:
a. Types of Threats on the Internet
b. The Dos of Internet Security
c. The Don'ts of Internet Security
From email address to phone number, a new OSINT approach - Martin Vigo
Email addresses are one of our most public pieces of PII. We are comfortable sharing them with strangers, publishing them on the internet, and they are generally our public way of communicating. However, when it comes to phone numbers things change. We are more selective about who we share them with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications to making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target's phone number.
What if it were possible to obtain someone's phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers.
In this talk, I will discuss techniques which, when combined, will let you discover someone's phone number via their email address. I will also demo and release a tool that helps automate the process.
This document discusses the need for intrusion detection systems (IDS) and different types of IDS. It notes that insider threats account for a significant percentage of data breaches. IDS can help mitigate risks from unauthorized access by monitoring for attacks, detecting system misconfigurations, and identifying abnormal user activity. The document outlines two main IDS techniques - anomaly detection and signature-based detection - and describes host-based and network-based IDS. It also discusses challenges in implementing IDS such as false positives, false negatives, and ensuring appropriate follow up on alerts.
This document discusses packet sniffing and ARP poisoning on a local area network (LAN). It begins by explaining that packet sniffing involves monitoring all network packets and putting the network card into promiscuous mode. It then discusses how ARP works to convert IP addresses to MAC addresses and maintains an ARP cache. The document goes on to explain how ARP poisoning, a type of attack, works by sending falsified ARP messages to associate the attacker's MAC address with a legitimate IP address, allowing the attacker to intercept network traffic. It provides an example of using the tool Cain and Abel to conduct ARP poisoning on a sample LAN to sniff usernames and passwords entered on a website.
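The summary above describes the attack from the attacker's side; what a defender on the same LAN can do is watch ARP replies for the symptom the attack leaves behind. The following is an added example (not code from the summarised slides or from Cain and Abel) that flags a second MAC address answering for an IP that was already bound, a contradiction of a configured static binding such as the gateway, and the burst of repeated replies that poisoning tools send so the victim's cache entry never expires. The addresses, timestamps and gateway binding are constructed for the example.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not code from the slides being summarised. It looks for
the symptom the summary describes: an IP address that is suddenly
answered for by a second MAC address (the attacker's), plus the bursts
of replies that poisoning tools send to keep victim caches poisoned.
All addresses and timestamps below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture timestamp in seconds
    sender_ip: str    # IP address the reply claims to answer for
    sender_mac: str   # MAC address it binds that IP to
    target_ip: str    # host whose cache the reply will update


class ArpSpoofDetector:
    """Track IP-to-MAC bindings seen on the wire and flag conflicts."""

    def __init__(self, trusted=None, burst_threshold=5, window=2.0):
        # Assumed static bindings (e.g. the gateway) that must never change.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.seen = {}                      # ip -> first MAC observed
        self.history = defaultdict(list)    # ip -> recent reply timestamps
        self.burst_threshold = burst_threshold
        self.window = window

    def observe(self, r: ArpReply):
        """Return alert strings for one reply; an empty list means benign."""
        alerts = []
        ip, mac = r.sender_ip, r.sender_mac.lower()

        # 1. A static binding is contradicted: the strongest signal.
        if ip in self.trusted and self.trusted[ip] != mac:
            alerts.append(f"static binding violated: {ip} claimed by {mac}, "
                          f"expected {self.trusted[ip]}")

        # 2. A second MAC shows up for an IP we already learned dynamically.
        prev = self.seen.setdefault(ip, mac)
        if prev != mac:
            alerts.append(f"conflict: {ip} now answered by {mac}, previously {prev}")

        # 3. Reply burst: poisoning tools re-send every few hundred ms so the
        #    victim's cache entry never ages out and reverts.
        recent = [t for t in self.history[ip] if r.ts - t <= self.window]
        recent.append(r.ts)
        self.history[ip] = recent
        if len(recent) >= self.burst_threshold:
            alerts.append(f"burst: {len(recent)} replies for {ip} within {self.window}s")
        return alerts


def scan(replies, trusted=None):
    """Run the detector over a capture and return (timestamp, alert) pairs."""
    det = ArpSpoofDetector(trusted=trusted)
    return [(r.ts, a) for r in replies for a in det.observe(r)]


# Constructed capture: the gateway and a workstation answer normally, then a
# third host starts answering for both of them and keeps re-sending, which is
# what a Cain & Abel style man-in-the-middle looks like on the wire.
GATEWAY = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.50"),
    ArpReply(0.5, "192.168.1.50", "aa:bb:cc:00:00:50", "192.168.1.1"),
    ArpReply(10.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),
    ArpReply(10.0, "192.168.1.50", "de:ad:be:ef:00:01", "192.168.1.1"),
    ArpReply(10.5, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),
    ArpReply(11.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),
    ArpReply(11.5, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),
    ArpReply(12.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.50"),
]

if __name__ == "__main__":
    for ts, alert in scan(SAMPLE, GATEWAY):
        print(f"t={ts:5.1f}s  {alert}")
```

The dynamic-conflict check on its own is noisy on networks with DHCP churn or failover pairs that legitimately move an IP between MACs, which is why the static table for the gateway and the reply-burst signal are carried alongside it; the same three checks apply to gratuitous ARP frames, which is what most tools actually send.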
The document discusses a rootkit that was discovered on a computer after inserting a Sony music CD protected with DRM software. The rootkit was found to be related to the DRM software from First 4 Internet called XCP that was installed without consent in order to enforce the CD's copy restrictions. The software cloaked files and processes and was found to scan running processes, compromising privacy and system performance. No uninstallation method was provided.
MICROSOFT SQL SERVER SIZMA VE GÜVENLİK TESTİ ÇALIŞMALARI (Microsoft SQL Server Penetration and Security Testing) - BGA Cyber Security
This write-up was prepared to give an idea of, and briefly answer, the following questions: how to perform reconnaissance against a target database on a network that contains Microsoft SQL Server, how to obtain privileged account credentials, how to obtain the password hashes of other accounts using the captured account, how to escalate privileges from an unprivileged account, and how to take over the operating system with the captured account.
Splunk for Enterprise Security featuring User Behavior Analytics - Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
DNS hijacking using cloud providers – No verification needed - Frans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls "subdomain takeover" "the new XSS". Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
Malicious URL Detection Using Machine Learning - securityxploded
This document discusses using machine learning to detect malicious URLs. It proposes extracting various features from URLs, including querying blacklists, domain registration information, host properties, and lexical features of the URL. These features are then used to train classifiers like logistic regression to distinguish benign from malicious URLs. The approach is shown to achieve over 86.5% accuracy in detecting malicious URLs using a diverse set of over 18,000 features, performing better than blacklists alone. Future work includes scaling the approach for deployment and incorporating webpage content analysis.
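The lexical part of that feature set is the one a practitioner can reproduce offline, so here is an added example (not the deck's own code) that extracts a small lexical vector from each URL and trains a logistic regression on it by gradient descent in pure Python. The blacklist, WHOIS and host-property features the deck also uses need network lookups and are left out; the training URLs are constructed and far too few for a real model, so the point is the pipeline rather than any accuracy figure.

```python
"""Lexical URL features plus a logistic-regression classifier, pure Python.

Added example, not the deck's own code. It implements the lexical slice of
the feature set the summary lists (the blacklist, WHOIS and host-property
features need network lookups and are left out) and trains a logistic
regression on it by gradient descent. The training URLs are constructed
for the example and are far too few for a real model; the point is the
pipeline, not the accuracy figure.
"""
import math
import re
from urllib.parse import urlsplit

IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PHISH_WORDS = ("login", "secure", "account", "update", "verify", "bank")


def lexical_features(url: str) -> list:
    """Map a URL to a fixed-length numeric vector; element 0 is the bias."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path + ("?" + parts.query if parts.query else "")
    return [
        1.0,                                                 # bias term
        len(url) / 100.0,                                    # total length, scaled
        float(host.count(".")),                              # label depth of the host
        1.0 if IP_HOST.match(host) else 0.0,                 # bare IP instead of a name
        1.0 if "@" in url else 0.0,                          # userinfo trick: http://bank.com@evil.example/
        sum(c.isdigit() for c in host) / max(len(host), 1),  # share of digits in host
        float(host.count("-")),                              # hyphen-stuffed hosts
        float(sum(w in url.lower() for w in PHISH_WORDS)),   # lure vocabulary
        1.0 if parts.scheme == "https" else 0.0,             # TLS in the link
        len(path) / 100.0,                                   # path+query length, scaled
    ]


def sigmoid(z: float) -> float:
    z = max(-500.0, min(500.0, z))        # keep math.exp in range
    return 1.0 / (1.0 + math.exp(-z))


def train(urls, labels, epochs=2000, lr=0.5, l2=1e-3):
    """Batch gradient descent on L2-regularised logistic loss."""
    X = [lexical_features(u) for u in urls]
    w = [0.0] * len(X[0])
    n = len(X)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(X, labels):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for j, xj in enumerate(x):
                grad[j] += err * xj
        w = [wj - lr * (gj / n + l2 * wj) for wj, gj in zip(w, grad)]
    return w


def score(w, url: str) -> float:
    """Probability that `url` is malicious under weights `w`."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, lexical_features(url))))


# Constructed training set (label 1 = malicious).
TRAIN = [
    ("https://www.example.com/about", 0),
    ("https://docs.example.org/guide/install", 0),
    ("https://mail.example.net/inbox", 0),
    ("https://example.com/news/2019/report", 0),
    ("http://192.168.0.13/secure/login.php", 1),
    ("http://example.com.verify-account.xyz-login.ru/update", 1),
    ("http://paypal-secure.login-update.tk/account/verify?id=123", 1),
    ("http://bank.com@evil.example/login", 1),
]


def build_model():
    """Train on the constructed set and return the weight vector."""
    return train([u for u, _ in TRAIN], [y for _, y in TRAIN])


if __name__ == "__main__":
    w = build_model()
    for u in ("https://www.example.com/", "http://10.0.0.5/bank/login"):
        print(f"{score(w, u):.3f}  {u}")
```

Two things carry over to a real deployment: features must be scaled to comparable ranges (the length features are divided by 100 here for that reason), and a purely lexical model is easy to evade, which is why the deck combines it with blacklist and registration features and why its future work adds page content.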
Splunk is like an iceberg: on the surface we see the major components (indexers, search heads, license master, cluster master), but below the water line there is a huge number of forwarders collecting and aggregating data streams. These forwarders are the foundation of any installation, and configuration issues there translate into problems with alerts, search performance, cluster stability and scaling out. This talk shows you various ways to measure the efficiency of data collection and how to improve it. Prepare for lots of complex searches to identify common problems, and charts that show good and bad. The talk aims to revolutionise how you think about forwarders and data collection in Splunk, turbocharge your platform performance and improve stability.
Suricata: A Decade Under the Influence (of packet sniffing) - Jason Williams
Having just celebrated its 10th birthday, Suricata has learned a lot about monitoring network traffic during the past decade. Suricata today is more than IDS/IPS: it is also a metadata-creating, Lua-scripting, multi-threaded, JSON-logging, rule-alerting network security monitoring beast. Development of Suricata is funded by the non-profit Open Information Security Foundation which, along with feedback and support from the community, has made Suricata what it is today. In this talk we will discuss various aspects of modern Suricata, such as deployment, alerting, rule writing, compilation, protocols, Lua, and more. Join us for a look into where Suricata has been, what it does today, and where it is going in the future.
Enterprise Open Source Intelligence Gathering - Tom Eston
Presented at the Ohio Information Security Summit, October 30, 2009.
What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.
This presentation will cover the risks to an organization from publicly available open source intelligence; how your enterprise can put an open source intelligence gathering program in place without additional resources or money; and what free tools are available for gathering intelligence, including how to find your company's information on social networks and how metadata can expose potential vulnerabilities in your company and applications. Next, we will explore how to get information you may not want posted about your company removed, and how sensitive metadata you may not be aware of can be removed or limited. Finally, we will discuss how to build an Internet posting policy for your company and why this is more important than ever.
These are the slides of the online talk given at @NullBhopal. It introduces people to Open Source INTelligence and its uses in daily life and pentesting.
Building Business Service Intelligence with ITSI - Splunk
This document provides instructions for setting up Splunk IT Service Intelligence (ITSI) before participating in a hands-on workshop. It includes steps to download presentation materials, sign up for a free ITSI sandbox account, and test access to the sandbox. The agenda for the workshop is also outlined, covering introductions, fundamentals of using Splunk for IT troubleshooting, an introduction to IT service intelligence, service intelligence design practices, a hands-on session, and next steps. Key aspects of service intelligence like defining services, key performance indicators (KPIs), and service health scores are also briefly introduced.
Understanding Penetration Testing & its Benefits for Organization - PECB
This session covers the most important aspects of penetration testing and the importance of implementing it in an organization. As a good tool for companies to deal with information security vulnerabilities, it is becoming a significant practice for companies to develop.
Main points that will be covered:
• Overview of Penetration Testing
• Purpose of Penetration testing and benefits
• What are the Rules of Engagement (White, Black and Grey Box Testing)
• Penetration Testing and Phases
Presenter:
Christie Oso is Managing Principal Information Security Consultant and Trainer at Intex IT. She is also responsible for Risk Management, Vulnerability Assessment, and Penetration Testing. She holds the CISSP, CISM, CEH, ISO 27001 LA and ISO 27005 Risk Manager certifications.
Link of the recorded session published on YouTube: https://youtu.be/lyqOJmC94vg
This document discusses open source intelligence (OSINT) and how it can be used to gather information from publicly available sources to produce actionable intelligence. It provides examples of how OSINT can be used for corporate security purposes like finding breaches, leaked credentials, or rogue employees. It also lists several tools that can be used for OSINT like Robtex, PassiveRecon, Maltego, GeoStalker, and FBStalker. It notes that while OSINT is not always actively used by penetration testers, it can provide valuable information when applied to a real pentest. The document emphasizes that OSINT is more than just manual data gathering and that understanding what attackers know about an organization is important.
Office 365 related incidents are at an all-time high, and despite the high adoption rates across industries, most companies still lack the ability to enforce proper security controls and they also lack the knowledge to respond to incidents quickly and effectively.
In this presentation, I will discuss attacker patterns in O365 environments, how to collect the data you need during an incident, and how to respond to questions from CISOs and lawyers, and tell some Incident Response war stories along the way. We will also look into some of the new techniques attackers are using to perform things like MFA bypass, new features that Microsoft is rolling out to assist Incident Responders (such as MailItemsAccessed operations), and ways to automate and prepare for such an attack.
Re-upload of updated version in September 2019; originally presented in April 2019.
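Both Office 365 abstracts on this page (the one at the top and the one just above) promise to show how to collect the data you need during an incident, and the later one names MailItemsAccessed as a new source for responders. The following is an added example, not code from either presentation, of the first pass a responder typically makes over a Unified Audit Log export in a BEC case: sign-ins from outside the corporate egress allowlist, inbox rules with the forward/delete/move-to-RSS pattern or invoice/wire keywords, and which messages a foreign session actually read according to MailItemsAccessed. It assumes each record's AuditData JSON has been written one per line (as from a Search-UnifiedAuditLog export); the records, the tenant name and the egress allowlist are constructed, and field names follow the Exchange and Azure AD audit schema.

```python
"""Triage Office 365 Unified Audit Log (UAL) exports for BEC indicators.

Added example, not code from the presentation. It reads the AuditData
JSON of UAL records (one per line, as exported from
Search-UnifiedAuditLog) and flags the three things a responder usually
wants first in a BEC case: sign-ins from outside the corporate egress
allowlist, attacker-style inbox rules, and which messages those sessions
read (MailItemsAccessed). The records, tenant and allowlist below are
constructed for the example.
"""
import json
from collections import defaultdict

# Assumption: the organisation's known egress addresses.
CORP_EGRESS = {"203.0.113.10", "203.0.113.11"}

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "DeleteMessage", "MoveToFolder"}
BEC_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance", "password")


def _params(rec):
    """Flatten the Name/Value arrays the schema uses for cmdlet and property data."""
    out = {}
    for key in ("Parameters", "OperationProperties", "ExtendedProperties"):
        for p in rec.get(key, []) or []:
            out[p["Name"]] = p.get("Value")
    return out


def _ip(rec):
    # Mailbox audit records carry ClientIPAddress; AAD and cmdlet records carry ClientIP.
    return rec.get("ClientIPAddress") or rec.get("ClientIP") or ""


def triage(records, egress=CORP_EGRESS):
    """Return a list of (finding_type, user, detail, evidence) tuples."""
    findings = []
    items_by_session = defaultdict(set)
    for rec in records:
        op, user, ip, props = rec.get("Operation"), rec.get("UserId"), _ip(rec), _params(rec)
        if op == "UserLoggedIn" and ip and ip not in egress:
            findings.append(("foreign_signin", user, ip, props.get("UserAgent", "")))
        elif op in RULE_OPS:
            hits = {k: v for k, v in props.items()
                    if k in EXFIL_PARAMS and v not in (None, "", "False")}
            text = " ".join(str(v) for v in props.values()).lower()
            kw = [w for w in BEC_KEYWORDS if w in text]
            if hits or kw:
                findings.append(("suspicious_rule", user, op,
                                 {"exfil": hits, "keywords": kw, "name": props.get("Name")}))
        elif op == "MailItemsAccessed":
            sid = rec.get("SessionId") or ip
            for folder in rec.get("Folders", []) or []:
                for item in folder.get("FolderItems", []) or []:
                    items_by_session[(user, ip, sid)].add(item["InternetMessageId"])
            # IsThrottled means the mailbox exceeded the daily record cap, so
            # some accesses in that window were NOT logged: say so explicitly.
            if props.get("IsThrottled") == "True":
                findings.append(("throttled_access", user, ip,
                                 "some accesses in this 24h period were not logged"))
    for (user, ip, sid), msgs in items_by_session.items():
        if ip not in egress:
            findings.append(("mail_read_from_foreign_ip", user, ip, sorted(msgs)))
    return findings


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_text(text, egress=CORP_EGRESS):
    return triage(load_jsonl(text), egress)


# Constructed export: an outside sign-in, two messages read in that session,
# a hide-and-delete rule, then the real user's normal Outlook sync from the office.
SAMPLE_UAL = """
{"CreationTime":"2019-09-03T06:12:41","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"cfo@contoso.example","ClientIP":"198.51.100.77","ResultStatus":"Success","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Chrome/76"}]}
{"CreationTime":"2019-09-03T06:13:02","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"cfo@contoso.example","ClientIPAddress":"198.51.100.77","SessionId":"sess-attacker-1","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\\\Inbox","FolderItems":[{"InternetMessageId":"<a1@contoso.example>"},{"InternetMessageId":"<a2@contoso.example>"}]}]}
{"CreationTime":"2019-09-03T06:15:30","Operation":"New-InboxRule","Workload":"Exchange","UserId":"cfo@contoso.example","ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MoveToFolder","Value":"RSS Feeds"}]}
{"CreationTime":"2019-09-03T08:01:10","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"cfo@contoso.example","ClientIP":"203.0.113.10","ResultStatus":"Success","ExtendedProperties":[{"Name":"UserAgent","Value":"Outlook/16.0"}]}
{"CreationTime":"2019-09-03T08:02:00","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"cfo@contoso.example","ClientIPAddress":"203.0.113.10","SessionId":"sess-user-1","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\\\Inbox","FolderItems":[{"InternetMessageId":"<a3@contoso.example>"}]}]}
"""

if __name__ == "__main__":
    for finding in triage_text(SAMPLE_UAL):
        print(finding)
```

Two caveats a practitioner will want stated: MailItemsAccessed is only recorded for mailboxes covered by the advanced auditing license, so its absence proves nothing on other tenants, and an egress allowlist only separates "outside" from "inside"; an attacker on a VPN exit in the same country still has to be found through user agent, session and rule evidence rather than geography.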
This document introduces tools for open source intelligence (OSINT) including Shodan, Recon-ng, FOCA, and Maltego. It provides an overview of each tool, including their purpose and basic usage. Shodan is an internet search engine that allows searching devices connected over the internet. Recon-ng is a web reconnaissance framework for OSINT. FOCA extracts metadata from files. Maltego is an OSINT application that extracts and visually represents relationships in extracted data through entities, transforms, and machines. The document demonstrates features of each tool and provides resources for OSINT.
The document discusses open source intelligence (OSINT), including what it is, how it is used, techniques for gathering it, and tools that can be used. OSINT involves collecting publicly available data for intelligence purposes. It is produced from public sources and addresses specific intelligence needs. Security professionals use OSINT to identify vulnerabilities in organizations from accidental information leaks online or exposed assets. However, threat actors also use OSINT to find targets and vulnerabilities to exploit. The document recommends using OSINT proactively to find and address weaknesses before threats actors do. It provides examples of tools like Excel, OSINT Framework, Github search, and Wappalyzer that can be used to search public data and identify technical details about organizations and vulnerabilities.
The Internet is a fun place to be, but it is full of dangers too.This presentation helps you understand:
a. Types of Threats on the Internet
b. The Dos of Internet Security
c. The Don'ts of Internet Security
From email address to phone number, a new OSINT approachMartin Vigo
Email addresses are one of our most public piece of PII. We
are confortable sharing it with strangers, publishing it on the
internet and it is generally our public way of communicating.
However, when it comes to phone numbers things change. We are more
selective with who we share it with, mostly because receiving
unsolicited phone calls is much more invasive. There are also security
implications when making your phone number publicly available. SS7
attacks, SIM swapping, phishing and scam calls are just a few of the
threats that originate from the target’s phone number.
What if it were possible to obtain someone’s phone number by only
knowing their email address? Beyond the criminal advantage, it could
be very useful to investigators, red teams and OSINT lovers.
In this talk, I will discuss techniques which when combined will let
you discover someone’s phone number via their email address. I will
also demo and release a tool that helps automate the process.
This document discusses the need for intrusion detection systems (IDS) and different types of IDS. It notes that insider threats account for a significant percentage of data breaches. IDS can help mitigate risks from unauthorized access by monitoring for attacks, detecting system misconfigurations, and identifying abnormal user activity. The document outlines two main IDS techniques - anomaly detection and signature-based detection - and describes host-based and network-based IDS. It also discusses challenges in implementing IDS such as false positives, false negatives, and ensuring appropriate follow up on alerts.
This document discusses packet sniffing and ARP poisoning on a local area network (LAN). It begins by explaining that packet sniffing involves monitoring all network packets and putting the network card into promiscuous mode. It then discusses how ARP works to convert IP addresses to MAC addresses and maintains an ARP cache. The document goes on to explain how ARP poisoning, a type of attack, works by sending falsified ARP messages to associate the attacker's MAC address with a legitimate IP address, allowing the attacker to intercept network traffic. It provides an example of using the tool Cain and Abel to conduct ARP poisoning on a sample LAN to sniff usernames and passwords entered on a website.
The document discusses a rootkit that was discovered on a computer after inserting a Sony music CD protected with DRM software. The rootkit was found to be related to the DRM software from First 4 Internet called XCP that was installed without consent in order to enforce the CD's copy restrictions. The software cloaked files and processes and was found to scan running processes, compromising privacy and system performance. No uninstallation method was provided.
MICROSOFT SQL SERVER SIZMA VE GÜVENLİK TESTİ ÇALIŞMALARIBGA Cyber Security
Yazı kısaca Microsoft SQL Server bulunan bir ağ içerisinde hedef veritabanı üzerinde keşif çalışmaları nasıl yapılır, yetkili hesap bilgisi nasıl ele geçirilir, ele geçirilen hesap ile diğer hesapların parola özetleri nasıl ele geçirilir, yetkisiz hesap ile nasıl hak yükseltilir ve ele geçirilen hesap ile işletim sistemi nasıl ele geçirilir sorularına cevap verecek şekilde ve bu konuda fikir vermesi amacıyla hazırlanmıştır.
Splunk for Enterprise Security featuring User Behavior Analytics Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
DNS hijacking using cloud providers – No verification neededFrans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remains and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
Malicious Url Detection Using Machine Learningsecurityxploded
This document discusses using machine learning to detect malicious URLs. It proposes extracting various features from URLs, including querying blacklists, domain registration information, host properties, and lexical features of the URL. These features are then used to train classifiers like logistic regression to distinguish benign from malicious URLs. The approach is shown to achieve over 86.5% accuracy in detecting malicious URLs using a diverse set of over 18,000 features, performing better than blacklists alone. Future work includes scaling the approach for deployment and incorporating webpage content analysis.
Splunk is like an iceberg, on the surface we see the major components: indexers, search heads, license master, cluster master but under the water line we have a huge number of forwarders collecting and aggregating data streams. These forwarders are the foundations of any installation and configuration issues translate into problems with alerts, search performance, cluster stability and scaling out. This talk shows you to various ways to measure the efficiency of data collection and how to improve it. Prepare for lots of complex searches to identify common problems and charts that show good and bad. The talk aims to revolutionise how you think about forwarders and data collection in Splunk and turbo charge your platform performance and improve stability.
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
Having just celebrated it's 10th birthday, Suricata has learned a lot about monitoring network traffic during the past decade. Suricata today is more than IDS/IPS— it is also a metadata creating, lua scripting, multi threaded, json logging, rule alerting, network security monitoring beast. Development for Suricata is funded by the non-profit Open Information Security Foundation which, along with feedback and support from the community, has made Suricata what it is today. In this talk we will discuss various aspects of modern Suricata, such as deployment, alerting, rule writing, compilation, protocols, lua, and more. Join us for a look into where Suricata has been, what it does today, and where it's going to go in the future.
Enterprise Open Source Intelligence GatheringTom Eston
Presented at the Ohio Information Security Summit, October 30, 2009.
What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.
This presentation will cover what the risks are to an organization regarding publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money. What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications. Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited. Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.
This is the slides of the online talk given at @NullBhopal. This introduces people to Open Source INTelligence and their uses in daily life and pentesting.
Building Business Service Intelligence with ITSISplunk
This document provides instructions for setting up Splunk IT Service Intelligence (ITSI) before participating in a hands-on workshop. It includes steps to download presentation materials, sign up for a free ITSI sandbox account, and test access to the sandbox. The agenda for the workshop is also outlined, covering introductions, fundamentals of using Splunk for IT troubleshooting, an introduction to IT service intelligence, service intelligence design practices, a hands-on session, and next steps. Key aspects of service intelligence like defining services, key performance indicators (KPIs), and service health scores are also briefly introduced.
Understanding Penetration Testing & its Benefits for OrganizationPECB
This topic will cover the most important points related to penetration testing and the importance of implementing it in the organization. Considered a good tool for companies to deal with information security vulnerabilities, it is becoming a significant part of what companies need to develop.
Main point that will be covered:
• Overview of Penetration Testing
• Purpose of Penetration testing and benefits
• What are the Rules of Engagement (White, Black and Grey Box Testing)
• Penetration Testing and Phases
Presenter:
Christie Oso is Managing Principal Information Security consultant and trainer at Intex IT. She is also responsible for Risk Management, Vulnerability Assessment, and Penetration Testing. She holds certifications in CISSP, CISM, CEH, ISO 27001 LA and ISO 27005 Risk Manager.
Link of the recorded session published on YouTube: https://youtu.be/lyqOJmC94vg
This document discusses open source intelligence (OSINT) and how it can be used to gather information from publicly available sources to produce actionable intelligence. It provides examples of how OSINT can be used for corporate security purposes like finding breaches, leaked credentials, or rogue employees. It also lists several tools that can be used for OSINT like Robtex, PassiveRecon, Maltego, GeoStalker, and FBStalker. It notes that while OSINT is not always actively used by penetration testers, it can provide valuable information when applied to a real pentest. The document emphasizes that OSINT is more than just manual data gathering and that understanding what attackers know about an organization is important.
Office 365 related incidents are at an all time high, and despite the high adoption rates across industries, most companies still lack the ability to enforce proper security controls and they also lack the knowledge to respond to incidents quickly and effectively.
In this presentation, I will discuss attacker patterns in O365 environments, how to collect the data you need during an incident, and how to respond to questions from CISOs and lawyers, and tell some Incident Response war stories along the way. We will also look into some of the new techniques attackers are using to perform things like MFA bypass, new features that Microsoft is rolling out to assist Incident Responders (such as MailItemsAccessed operations), and ways to automate and prepare for such an attack.
Re-upload of updated version in September 2019; originally presented in April 2019.
The document outlines various attack techniques for compromising Office 365 environments, including reconnaissance, credential harvesting, persistence, and data exfiltration. It provides references to tools that can be used to enumerate users, conduct password spraying, bypass two-factor authentication through phishing, search mailboxes for sensitive information, and establish backdoors on endpoints. The goal of the techniques appears to be gaining and maintaining unauthorized access to Office 365 accounts and data.
Office365 in today's digital threats landscape: attacks & remedies from a hac...Benedek Menesi
Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
Office 365 in today's digital threats landscape: attacks & remedies from a ha...panagenda
After the positive feedback of Ben Menesi's session at the 2019 SPS Ottawa, he was asked to repeat it at Salt Lake M365 Friday in February 2020.
Abstract: Office 365 environments are very attractive targets for attackers. So, it's never been more important to understand how its security structure works, and how to best configure it.
In this in-depth session, we'll run through real-time attack scenarios and examine common attack vectors. And then we'll explore the various defense capabilities of Office 365, the MS Graph API, and Azure AD. We'll deep-dive into external sharing, authentication options, third-party application security (what apps should and shouldn't be able to do), and even some do's and don'ts regarding Azure AD endpoints and authorization mechanisms.
You'll walk away with a solid understanding of how to use the Office 365 defense tools at your disposal, such as the Attack Simulator and Threat Intelligence, as well as how they relate to real-world attacks.
https://www.linkedin.com/in/benedekmenesi/
Better together: Enterprise Vault.cloud and Microsoft Office 365proutley
This document discusses how Symantec Enterprise Vault.cloud can add value when used in conjunction with Microsoft Office 365. It begins with an overview of Office 365 and its archiving and eDiscovery capabilities. It then provides an overview of Enterprise Vault.cloud and its features. The remainder of the document uses scenarios to demonstrate how Enterprise Vault.cloud can help satisfy compliance requirements, remove the eDiscovery burden from IT, accelerate eDiscovery searches, and make it easier for users to find and restore deleted emails, providing advantages over relying solely on Office 365.
Symantec Enterprise Vault.cloud for Microsoft Office 365 Better together [EN]getsix Group
This document discusses how Symantec Enterprise Vault.cloud can add value to a Microsoft Office 365 deployment by providing immutable archiving, advanced eDiscovery capabilities, and unlimited storage. It presents four scenarios where Enterprise Vault.cloud offers advantages like ensuring all email content is captured for compliance, removing the eDiscovery burden from IT staff, accelerating large data searches, and allowing users to easily restore deleted messages. Enterprise Vault.cloud integrates with Office 365 through features like Active Directory synchronization and single sign-on.
This talk will be most beneficial to beginner (to advanced) developers and system administrators. During this session we'll explain how to configure your own mail servers to work with Odoo, whether it's for incoming or outgoing mails, on-premise or on the cloud, or with your own domain or not.
You'll learn about smtp, SPF, DKIM, and all those acronyms that come up when you talk to someone about mail servers. You'll also learn about some specific mail providers, like Office365, and how to deal with them in regards to Odoo.
The document describes the Phishing Intelligence Engine (PIE), an active defense PowerShell framework for Office 365. PIE aims to automate responses to phishing attacks by integrating with Office 365, threat intelligence feeds, and other tools. It allows automated actions like email response, case generation, evidence collection, and quarantining mail. PIE also analyzes click data and sender patterns to track attackers. The presentation demonstrates how PIE streamlines incident response and provides metrics for analyzing phishing attack trends. Future plans include expanding support and integrating with additional security tools.
The document outlines common security issues that programmers face such as SQL injection, cross-site scripting, directory traversal, and insecure direct object references, and provides best practices for avoiding these issues such as input validation, output encoding, secure configuration of platforms and frameworks, and keeping software updated. It also warns that users cannot always be trusted and that validation must occur on the server-side as well as client-side.
This document discusses hybrid setups between on-premise SharePoint and Office 365. It describes different hybrid configurations including one-way outbound, one-way inbound, and two-way. It outlines the necessary components for a hybrid setup including reverse proxies, identity providers, directory synchronization, and configuring SharePoint. Troubleshooting tips are provided for issues with queries between environments.
This document discusses hunting for vulnerabilities across interconnected applications. It describes two cases where the author found multiple vulnerabilities by exploring dependencies between applications. In the first case, they discovered vulnerabilities by interacting with a desktop application and related web applications from the same company, finding 5 vulnerabilities including XSS issues and information disclosures. In the second case, they used a single sign-on system across multiple applications to introduce persistent XSS vulnerabilities. The document advocates considering how applications integrate and interact to uncover "inter-application vulnerabilities" that may not be found through isolated testing.
"Inter-application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
For the last couple of years I have been participating in various public and private bug bounty programmes including United Airlines, ING, RBS, EU or Synack. Usually these programmes are run by security-mature companies which take a lot of effort to make sure that their applications are secure. So how is that even possible that they are still vulnerable to well-known issues like XSS or IDOR which should not exist in 2019 anymore? Presentation will share information about common “inter-application” vulnerabilities encountered during testing process and emphasize the need of appropriate security testing at each stage of system life cycle. During 45 minutes long talk I will present several real-life examples of "inter-application" vulnerabilities, explain the root causes of these issues and propose steps which could be taken to avoid these vulnerabilities in the future.
The document provides information about setting up and using PowerShell for Office 365 administration. It includes:
1. A 4-step process for setting up the Office 365 PowerShell environment including installing binaries, loading modules, connecting to Office 365, and using the PowerShell commands.
2. Information on using the Import-CSV and Foreach-Object commands to import user data from a CSV file into Office 365.
3. Details about advanced Office 365 user management techniques including using Active Directory groups to assign licenses and explanations of the Get-MsolUser commandlet and its parameters.
O365Engage17 - Making sense of the office 365 audit data martNCCOMMS
This document summarizes a presentation about the Office 365 audit data mart. It discusses how auditing was previously done separately for each workload, but is now unified across workloads in Office 365. It describes what events are audited, how to access the audit logs through PowerShell, the Security & Compliance Center, and APIs. It also covers audit data storage, management activity APIs, enabling auditing, and using alerts and insights.
This presentation outlines a 10 wave methodology for securing a rogue SharePoint environment. It begins with backing up the server, removing old vendor access, resetting all user passwords, disabling unused accounts, updating service accounts, reviewing firewall rules and network traffic, changing email settings, addressing hardcoded values in workflows, applying security trimming, conducting quick security sweeps, and adding analytics tracking. The goal is to systematically document the environment, remove all old access, update accounts and permissions, and put monitoring in place to harden security. Regular communication with end users is also emphasized.
SPSVienna Office 365 Tenant to Tenant Migration - a complete Survival GuideStephan Bisser
- The document discusses Office 365 tenant to tenant migration and provides guidance on scenarios companies may face when migrating tenants, such as mergers or spin-offs.
- It outlines the key components that can be migrated including Azure Active Directory, Exchange Online, SharePoint Online, and Skype for Business Online. Permissions must also be migrated.
- Third party tools are recommended for migrating components like Exchange Online and SharePoint Online due to limitations in Microsoft's native migration capabilities. Planning and testing are important to a successful migration.
So you’ve inherited a SharePoint environment and need it secure, ASAP. The talk explains how to do this in a methodical way, to address all the levels of SharePoint security. This is ideal for the SharePoint administrator who needs to address the server security realm and the security officer who needs to understand SharePoint security.
Similar to Office 365 incident Response: BSides Vancouver 2018 (20)
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
During the talk we will answer the questions of why application performance needs to be improved and which are the most effective ways to do it. We will also talk about what a cache is, which kinds of cache exist and, most importantly, how to find a performance bottleneck.
Video and event details: https://bit.ly/45tILxj
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Discover the Unseen: Tailored Recommendation of Unwatched ContentScyllaDB
The session shares how JioCinema approaches "watch discounting." This capability ensures that if a user has watched a certain amount of a show/movie, the platform no longer recommends that particular content to the user. Flawless operation of this feature promotes the discovery of new content, improving the overall user experience.
JioCinema is an Indian over-the-top media streaming service owned by Viacom18.
"Scaling RAG Applications to serve millions of users", Kevin GoedeckeFwdays
How we managed to grow and scale a RAG application from zero to thousands of users in 7 months. Lessons from technical challenges around managing high load for LLMs, RAGs and Vector databases.
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect, Anika Systems
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfleebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this has led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
2. @ParsonsProject
Intro/Disclaimer
+ Alex Parsons
− Consultant in Incident Response for Stroz Friedberg
− Lives in Seattle; from Pennsylvania
− Knows a lot about Microsoft technologies and Office 365
− Wrote one of the first papers on Windows 10 Forensics
− Doesn’t know everything about Office 365
− Used to own a Windows Phone
− Opinions expressed are solely my own and do not express the views or opinions of Stroz Friedberg
3. Goals
+ Go over:
− O365 Basics
− Compromise Basics
− Collection Details
− Post-incident Process
− Learn from my pain
− We use a basic compromise example, but applicable for other cases.
Assumption is you don’t have a SIEM connection in place.
4. TL;DR
+ Place holds on your compromised Mailboxes
+ Check your Azure Sign in Logs
+ Export your Audit Logs correctly
+ Use HAWK:
− https://www.powershellgallery.com/packages/HAWK/1.0.0
+ Use Azure AD Conditional Access for prevention
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
5. What is Office 365?
+ Simple Idea from 2010
− Bring Microsoft’s on-premise servers to the cloud
− Mail Servers
− SharePoint Servers
− Microsoft Lync/Skype for Business
− Add Office Web Apps (like Google Docs)
− Oh, and offer regular Office 2010 too
6. Wait, but what IS SharePoint?
+ Whatever you want it to be! (And it’s normally terribly designed)
+ Custom Websites
+ Custom Forms
+ Team Sites
+ OneDrive for Business
7. Does O365 do anything interesting though?
+ Since 2010 Microsoft has done a LOT
− More services are becoming O365 only
− OneDrive
− Microsoft Teams
− Yammer
− Planner
− Sway
− Flow
− Stream
− Much, much more
9. Compromise Lifecycle (Day 1 to Day 5)
+ Attacker sends phish / gets in via brute force
• User clicks on link, gives away credentials.
+ Attacker sends more phishing e-mails from trusted accounts, adds mailbox rules
• Additional users click on phishing links
• Users don't see e-mails because of the inbox rules
+ Attacker sends wire transfer request from compromised user, adds mailbox rules
• Receiver of wire transfer request trusts the e-mail, sends the money
+ Attacker uses all compromised accounts to spread phishing campaign
• Customers/Clients click on phishing links and the cycle continues
Inbox rule added by the attacker in this example (as shown on the slide):
New-InboxRule -StopProcessingRules:$True -AlwaysDeleteOutlookRulesBlob:$False -Force:$False -Name ... -MarkAsRead:$True -DeleteMessage:$True -SubjectOrBodyContainsWords "delivery failure";"don't open";"you have been hacked";error;spam;hacked;docusign;10/08/2017;wire
11. Scenario
+ Client calls you in, states that an Office 365 account was compromised. What is the first thing you should do?
− Place a hold on the affected user’s mailbox
− Collect Azure AD Sign In Logs (if possible)
− Scan for Malicious Inbox Rules
− Acquire Audit Logs
Time To Live for logs in default environments
− Azure Active Directory Sign-ins: 2-7 days (Depends on what you pay for)
− Deleted Mail: 14 days (Unless you place a hold on the mailbox)
− Audit Logs: 90 days
− Trace Logs: 90 Days
− Exchange Audit Logs: 0 days, 90 days if enabled
13. Azure Active Directory Sign-Ins
+ Very quick win if data within your time frame is there. (See TTL)
+ Every O365 environment has Azure Active Directory
+ Look for foreign logons
+ Acquire AD Sign-in logs @ portal.azure.com
14. Ensure Attacker is out of environment
+ Check All Current Inbox/Mailbox rules
+ Check to see if any Current Inbox Rules are forwarding to an attacker (Script)
+ Collect Last Password Change Info (Script)
+ Check if any mailboxes are currently being forwarded (Link)
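The checks on this slide as one triage script, added here as an example (it is not the talk's own script): inbox rules that forward or redirect outside the tenant, rules that hide mail by matching the warning keywords from the lifecycle slide, mailbox-level forwarding, and the last password change. It assumes an open Exchange Online PowerShell session plus the MSOnline module for Get-MsolUser; the internal domain list and the output file name are placeholders.

```powershell
# Added example (not from the talk). Assumes Connect-ExchangeOnline and Connect-MsolService
# have already been run in this session.

# Domains that count as internal; any other SMTP target is an external forward (placeholder values).
$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

# Words the attacker's rule on the lifecycle slide keyed on; rules matching these hide warnings.
$SuspiciousWords = @('delivery failure', "don't open", 'hacked', 'spam', 'docusign', 'wire', 'error')

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Mailbox, [string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Finding = $Kind; Detail = $Detail })
}

# Rule recipients render as '"Name" [SMTP:user@domain]' for external addresses and
# '"Name" [EX:/o=...]' for directory objects; only SMTP entries outside $InternalDomains count.
function Test-ExternalRecipient([string[]]$Recipients) {
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" }

foreach ($mbx in $Mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set with Set-Mailbox, never visible as an inbox rule)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Add-Finding $upn 'MailboxForwarding' ('ForwardingSmtpAddress={0}; ForwardingAddress={1}; KeepCopy={2}' -f `
            $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress, $mbx.DeliverToMailboxAndForward)
    }

    # 2. Inbox rules, including hidden rules that Outlook's rules dialog does not list
    foreach ($rule in @(Get-InboxRule -Mailbox $upn -IncludeHidden)) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { [string]$_ })
        if (Test-ExternalRecipient $targets) {
            Add-Finding $upn 'ExternalForwardRule' ("Rule '{0}' -> {1}" -f $rule.Name, ($targets -join ', '))
        }

        # A rule is a "hiding" rule when it matches warning words AND deletes, moves or marks as read
        $words = @(@($rule.SubjectOrBodyContainsWords) + @($rule.SubjectContainsWords) | Where-Object { $_ })
        $hits  = @($words | Where-Object { $w = $_; $SuspiciousWords | Where-Object { $w -like "*$_*" } })
        $hides = $rule.DeleteMessage -or $rule.MarkAsRead -or
                 ([string]$rule.MoveToFolder -match 'RSS|Archive|Junk|Deleted')
        if ($hits.Count -gt 0 -and $hides) {
            Add-Finding $upn 'HidingRule' ("Rule '{0}' matches [{1}]; Delete={2} MarkAsRead={3} MoveTo={4}" -f `
                $rule.Name, ($hits -join '; '), $rule.DeleteMessage, $rule.MarkAsRead, $rule.MoveToFolder)
        }
    }

    # 3. Last password change: an account not reset after the compromise window is still exposed
    $msol = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($msol) {
        Add-Finding $upn 'LastPasswordChange' ('{0:u}' -f $msol.LastPasswordChangeTimestamp)
    }
}

# Rule and forwarding findings first; the password dates go into the same CSV for the timeline.
$Findings | Where-Object { $_.Finding -ne 'LastPasswordChange' } | Format-Table -AutoSize -Wrap
$Findings | Export-Csv -Path .\o365-triage-findings.csv -NoTypeInformation   # placeholder path
```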
16. Audit Logs
+ Audit Logs detail user activity across the entire O365 environment
+ Office 365 Audit Logs are very useful but very frustrating
+ Audit Logs are not enabled by default
+ Exchange/Mail related logs are not enabled by default
+ JSON with nested JSON
17. Mailbox/Exchange Audit Logs
+ Not enabled by default
Action | Description | Admin | Delegate | Owner
Copy | An item is copied to another folder. | Yes | No | No
Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes* | Yes* | Yes
FolderBind | A mailbox folder is accessed. | Yes* | Yes** | No
HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes* | Yes* | Yes
MailboxLogin | The user signed in to their mailbox. | No | No | Yes***
MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No
Move | An item is moved to another folder. | Yes* | Yes | Yes
MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes* | Yes | Yes
SendAs | A message is sent using Send As permissions. | Yes* | Yes* | No
SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes* | Yes | No
SoftDelete | An item is deleted from the Deleted Items folder. | Yes* | Yes* | Yes
Update | An item's properties are updated. | Yes* | Yes* | Yes
Source: https://technet.microsoft.com/en-us/library/ff461937(v=exchg.160).aspx
18. @ParsonsProject
Enabling Mailbox Audit Logs
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Set-Mailbox -AuditEnabled $true -AuditOwner "Create, Update, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete"
Important: You will have to run this script on a schedule, as it only enables mailbox auditing for the mailboxes that exist when it runs; mailboxes created afterwards are not covered.
21. @ParsonsProject
Pivoting with Audit Log Analysis
+ Take your Audit logs and do some IP lookups
− Identify suspicious countries
− Audit Logs (Protection.Office.com)
− Azure AD Sign In Logs (Portal.Azure.com)
− Identify suspicious IPs
− Proxy Providers
− Cloud Providers
− Identify common User Agents
"ClientIPAddress":"187.36.51.3","ClientInfoString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
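The nested-JSON point from the Audit Logs slide and the IP/User-Agent pivot on this slide, as an added example that is not part of the deck. It assumes a CSV produced by Search-UnifiedAuditLog piped to Export-Csv (the file name is a placeholder); the AuditData column carries the nested JSON, and the IP property name differs by workload.

```powershell
# Added example (not from the deck): expand the AuditData JSON column of an exported
# audit log CSV and pivot on client IP and client string. File name is a placeholder.
$records = Import-Csv 'aparsons.csv' | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # nested JSON -> object
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        # Exchange records use ClientIPAddress; Azure AD / SharePoint records use ClientIP
        ClientIP  = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        UserAgent = $d.ClientInfoString
    }
}

# Which IPs touched the account, how often, and when they were first and last seen
$records | Where-Object { $_.ClientIP } | Group-Object ClientIP | ForEach-Object {
    $t = $_.Group.Time | Sort-Object
    [pscustomobject]@{ ClientIP = $_.Name; Count = $_.Count; First = $t[0]; Last = $t[-1] }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Which client strings were used; an OWA/browser combination the user never uses is a pivot
$records | Where-Object { $_.UserAgent } | Group-Object UserAgent |
    Sort-Object Count -Descending | Select-Object Count, Name

# Operations performed from one address, in order, to reconstruct what the attacker did there
$records | Where-Object { $_.ClientIP -eq '187.36.51.3' } |   # address from the sample record above
    Sort-Object Time | Select-Object Time, User, Operation

# Distinct IPs for the bulk geolocation / proxy-provider lookup step in a separate tool
$records.ClientIP | Where-Object { $_ } | Sort-Object -Unique | Set-Content 'DistinctIPs.txt'
```

The first-seen timestamp per IP is the value to carry forward: it bounds the window in which the phishing e-mail arrived.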
23. @ParsonsProject
Acquiring Audit Logs (Without a SIEM)
1. Never trust the Audit log GUI
2. Never trust the Audit log GUI
3. Never ever trust the Audit Log GUI
4. ALWAYS Acquire Audit logs via PowerShell
Audit Log GUI Issues
− It will only export up to 50,000 lines per request and will not warn you
− It sometimes won’t get all of the audit logs and won’t tell you
− It sometimes will lie to you on how far back it can acquire audit logs
Search-UnifiedAuditLog -StartDate 9/1/2017 -EndDate 10/1/2017 -UserIds aparsons@contoso.com -ResultSize 5000 | Export-Csv "aparsons.csv"
Note: This command and others like it require you to connect to the Exchange Online shell via PowerShell first (Tutorial)
25. @ParsonsProject
Data Learned from Pain
+ Via PowerShell, you can’t acquire more than 10,000 records at a time, but
you can do it sequentially and it will show you if you don’t acquire them all
more clearly.
+ If you request too many logs in a short period of time Microsoft will lock you
out for a few minutes. Check out Start-RobustCloudCommand.ps1
+ If you use the GUI, you are limited to 50,000 events and no verification that
you have all of the logs
+ Search for 90 days prior even if the client didn’t have audit logs enabled.
+ Overall, very frustrating process without a SIEM connection
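The sequential acquisition the slide recommends, as an added example that is not part of the deck: one day at a time, paged with the -SessionId / -SessionCommand ReturnLargeSet parameters of Search-UnifiedAuditLog, with the ResultCount on the returned records compared against what was actually collected and a pause-and-retry when Microsoft throttles the session. User, dates and output file are placeholders.

```powershell
# Added example (not from the deck): complete, verified acquisition of one user's audit log.
# Assumes a connected Exchange Online PowerShell session. Placeholders below.
$Start = [datetime]'2017-09-01'
$End   = [datetime]'2017-10-01'
$User  = 'aparsons@contoso.com'
$Out   = 'aparsons_full.csv'

$all = New-Object System.Collections.Generic.List[object]
for ($day = $Start; $day -lt $End; $day = $day.AddDays(1)) {
    $dayRecords = New-Object System.Collections.Generic.List[object]
    $sessionId  = "ir-$User-$($day.ToString('yyyyMMdd'))"   # unique per window; reusing it returns the next page
    $expected   = $null
    $more       = $true
    $attempt    = 0
    while ($more) {
        try {
            $page = Search-UnifiedAuditLog -StartDate $day -EndDate $day.AddDays(1) `
                        -UserIds $User -SessionId $sessionId -SessionCommand ReturnLargeSet `
                        -ResultSize 5000 -ErrorAction Stop
        } catch {
            # too many requests in a short time locks the session for a few minutes; wait and retry
            if (++$attempt -gt 3) { throw }
            Write-Warning "$($day.ToShortDateString()): $($_.Exception.Message); sleeping 60s"
            Start-Sleep -Seconds 60
            continue
        }
        if ($page) {
            if ($null -eq $expected) { $expected = $page[0].ResultCount }  # total for this window
            $dayRecords.AddRange([object[]]$page)
        } else {
            $more = $false                                                  # empty page: window exhausted
        }
    }
    if ($expected -and $dayRecords.Count -ne $expected) {
        Write-Warning "$($day.ToShortDateString()): expected $expected records, collected $($dayRecords.Count); re-run this day"
    }
    $all.AddRange($dayRecords)
}
$all | Export-Csv -NoTypeInformation $Out
Write-Host "Collected $($all.Count) records to $Out"
```

Splitting by day keeps each session well under the per-session ceiling, and the expected-versus-collected warning is the verification the GUI export never gives you.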
26. @ParsonsProject
Useful Audit Log searches
+ You can use PowerShell to search all audit logs that contain certain IP
addresses (not 100% effective though):
Search-UnifiedAuditLog -ResultSize 5000 -StartDate $startDate -EndDate $endDate -IPAddresses 45.77.147.170, 187.36.51.* | Export-Csv "MaliciousIP.csv"
+ You can also use PowerShell to search all audit logs for Mailbox Rule
events to search for additional attacker activity (Only if Exchange
logging has been enabled by the client)
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations *-InboxRule | Export-Csv "AuditLogs_FullInboxRules.csv"
27. @ParsonsProject
Quick Recap: What do we know?
+ With the data collected so far we should know the following:
− Users that were compromised (If the attacker uses obvious foreign IP
addresses or Proxy/VPN solutions)
− Whether the attacker is currently in the environment or has malicious
Mailbox Rules enabled
− What mailbox rules (if any) the attacker may have created (If the client
had mailbox logging enabled)
− This can also help generate a list of users that were targeted.
+ Unanswered Questions
− How many e-mails were sent by the attacker while the user was
compromised?
− How was the user originally compromised?
29. @ParsonsProject
HAWK
+ PowerShell Module released in December 2017
+ Made by Microsoft Support Engineers
+ HAWK will:
− Parse successful logins and resolve the locations
− Export Exchange related Audit Logs
− Export Current Inbox Rules per user
− Export Historical Inbox Rules
− Export Permissions
− Much much more
+ HAWK will NOT:
− Collect all of your audit logs for you
30. @ParsonsProject
HAWK
+ Process (Take a picture of this)
1. Install-Module -Name HAWK
2. Import-Module HAWK
3. Connect to Exchange Via PowerShell
4. Start-HawkTenantInvestigation
5. Start-HawkUserInvestigation
User Investigation Export Subset
Tenant Investigation Export Subset
31. @ParsonsProject
Recap: Quick Wins
+ http://portal.azure.com
− Impossible Sign-ins
− Suspicious Logins
− Collect ALL sign-in logs
+ Run HAWK
− Find Malicious Mailbox Rules
− Get Locations of logins from Audit Logs
32. @ParsonsProject
Finding Phishing E-mail
+ Look for E-mail within 5 days prior to the first malicious login
+ Often something like “John Smith has Shared a Document With you”
+ Attackers often delete and purge e-mails; Default TTL is 14 days
+ If e-mail is no longer present
− Search the Trace Logs
− Trace Logs are detailed logs regarding where the e-mail was sent from,
and includes valuable IP addresses, however they do not have the
contents. (Collection Tutorial)
+ If you need to search for more e-mails across the entire company, you
can do that in the Search pane of the eDiscovery case (Tutorial)
Content Searches will also work exactly the same.
+ Check out PIE! https://github.com/LogRhythm-Labs/PIE
33. @ParsonsProject
Finding the Fraud e-mail
+ Office 365 sometimes keeps track of the IP address in the "x-originating-ip"
header of the e-mail. Scanning the IP can help find what e-mails were sent fraudulently
+ Process for finding malicious IPs in a PST file
− Process the PST in X-Ways
− Copy/export the processed EML files into a folder
− Run an automated script to lookup IP addresses
− Search for suspicious IPs in the report
− Use X-Ways/Grep to then search for the identified IPs within the PST
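The "automated script to lookup IP addresses" step, as an added example that is not part of the deck: it reads the header block of every exported .eml file, pulls the x-originating-ip value, tallies the addresses, and lists the messages that came from an address already tied to the attacker. The folder path is a placeholder and the suspect address is the one from the sample audit record earlier in the deck.

```powershell
# Added example (not from the deck): tally x-originating-ip across exported EML files.
$EmlFolder = 'C:\case\eml'       # placeholder: folder of EML files exported from the PST
$Suspect   = '187.36.51.3'       # address identified earlier from the audit logs

$hits = Get-ChildItem -Path $EmlFolder -Filter *.eml -Recurse | ForEach-Object {
    # headers end at the first blank line; only that part is examined
    $header = (Get-Content -Path $_.FullName -Raw) -split "`r?`n`r?`n", 2 | Select-Object -First 1
    # the value is normally written "[1.2.3.4]"; the brackets are optional here
    if ($header -match '(?im)^x-originating-ip:\s*\[?([0-9a-f:.]+)\]?') {
        [pscustomobject]@{ File = $_.FullName; OriginatingIP = $matches[1] }
    }
}

# Distinct originating IPs with message counts: the list to geolocate / check against proxy providers
$hits | Group-Object OriginatingIP | Sort-Object Count -Descending |
    Select-Object @{n='OriginatingIP';e={$_.Name}}, Count | Format-Table -AutoSize

# Messages sent from the suspect address: candidate fraud e-mails for the scope/notification question
$hits | Where-Object { $_.OriginatingIP -eq $Suspect } | Select-Object File

# Files with no header at all (inbound mail, or sent through a client that does not set it)
$withHeader = $hits.File
Get-ChildItem -Path $EmlFolder -Filter *.eml -Recurse |
    Where-Object { $withHeader -notcontains $_.FullName } |
    Select-Object FullName
```

Only mail sent through OWA reliably carries the header, so the count of messages from the suspect address is a lower bound; the audit log's send operations should be reconciled against it.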
34. @ParsonsProject
Preventative Techniques
+ Enable MFA
+ Look into Azure AD Conditional Access
− Can automatically block suspicious logins (if configured)
− Can blacklist IP subnets and locations
− Catch: Requires Azure Active Directory Premium P2
Was a fool and owned a Windows Phone for 5 years
Has too many embarrassing photos