Twitter: @ParsonsProject
Alex Parsons DFIR Consultant
B|Sides Vancouver 2018
OFFICE 365
INCIDENT RESPONSE
@ParsonsProject
Intro/Disclaimer
+ Alex Parsons
− Consultant in Incident Response for Stroz Friedberg
− Lives in Seattle; from Pennsylvania
− Knows a lot about Microsoft technologies and Office 365
− Wrote one of the first papers on Windows 10 Forensics
− Doesn’t know everything about Office 365
− Used to own a Windows Phone 
− Opinions expressed are solely my own and do not
express the views or opinions of Stroz Friedberg
Goals
+ Go over:
− O365 Basics
− Compromise Basics
− Collection Details
− Post-incident Process
− Learn from my pain
− We use a basic compromise example, but it is applicable to other cases.
Assumption is you don’t have a SIEM connection in place.
TL;DR
+ Place holds on your compromised Mailboxes
+ Check your Azure Sign in Logs
+ Export your Audit Logs correctly
+ Use HAWK:
− https://www.powershellgallery.com/packages/HAWK/1.0.0
+ Use Azure AD Conditional Access for prevention
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
What is Office 365?
+ Simple Idea from 2010
− Bring Microsoft’s on-premise servers to the cloud
− Mail Servers
− SharePoint Servers
− Microsoft Lync/Skype for Business
− Add Office Web Apps (like Google Docs)
− Oh, and offer regular Office 2010 too
Wait, but what IS SharePoint?
+ Whatever you want it to be! (And it’s normally terribly designed)
+ Custom Websites
+ Custom Forms
+ Team Sites
+ OneDrive for Business
Does O365 do anything interesting though?
+ Since 2010 Microsoft has done a LOT
− More services are becoming O365 only
− OneDrive
− Microsoft Teams
− Yammer
− Planner
− Sway
− Flow
− Stream
− Much, much more
Fun Fact
Compromise Lifecycle
Stage 1: Attacker sends a phish, or gets in via brute force
• User clicks on the link, gives away credentials.
Stage 2: Attacker sends more phishing e-mails from trusted accounts, adds mailbox rules
• Additional users click on phishing links
• Users don't see the e-mails because of the inbox rules
Stage 3: Attacker sends a wire transfer request from the compromised user, adds mailbox rules
• Receiver of the wire transfer request trusts the e-mail, sends the money
Stage 4: Attacker uses all compromised accounts to spread the phishing campaign
• Customers/clients click on phishing links and the cycle continues
Example of an attacker-created inbox rule as it appears in the audit log (it marks as read and deletes anything that would warn the victim, such as bounces or "you have been hacked" replies):
New-InboxRule -StopProcessingRules:$True -AlwaysDeleteOutlookRulesBlob:$False -Force:$False -Name ... -MarkAsRead:$True -DeleteMessage:$True -SubjectOrBodyContainsWords "delivery failure";"don't open";"you have been hacked";error;spam;hacked;docusign;10/08/2017;wire
Timeline: Day 1 to Day 5
When most Incidents Start
Scenario
+ Client calls you in, states that an Office 365 account was compromised. What is the first thing you should do?
− Place a hold on the affected user’s mailbox
− Collect Azure AD Sign In Logs (if possible)
− Scan for Malicious Inbox Rules
− Acquire Audit Logs
Time To Live for logs in default environments
− Azure Active Directory Sign-ins: 2-7 days (depends on what you pay for)
− Deleted Mail: 14 days (unless you place a hold on the mailbox)
− Audit Logs: 90 days
− Trace Logs: 90 days
− Exchange Audit Logs: 0 days; 90 days if enabled
Placing a hold on the Mailbox
+ TechNet Link
+ If you download the held data, you must use Microsoft Edge/IE
Azure Active Directory Sign-Ins
+ Very quick win if data within your time frame is there. (See TTL)
+ Every O365 environment has Azure Active Directory
+ Look for foreign logons
+ Acquire AD Sign-in logs @ portal.azure.com
Ensure Attacker is out of environment
+ Check All Current Inbox/Mailbox rules
+ Check to see if any current Inbox Rules are forwarding to an attacker (Script)
+ Collect Last Password Change Info (Script)
+ Check if any mailboxes are currently being forwarded (Link)
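The three checks on this slide (inbox rules that forward or hide mail, mailbox-level forwarding, and last password change) can be run in one pass. The script below is an added example, not the talk's own script: it assumes an Exchange Online PowerShell session is already connected and, for the password-change step, that the MSOnline module is installed and connected (Connect-MsolService). The list of "suspicious" destination folders and the output file names are my own choices.

```powershell
# Added example (not from the talk): one pass over the "ensure attacker is out" checklist.
# Assumes an Exchange Online PowerShell session (for Get-Mailbox/Get-InboxRule/Get-AcceptedDomain)
# and, for the last step, the MSOnline module (Get-MsolUser).

# Domains the tenant owns; any forward/redirect target outside them is flagged as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as "Display Name" [SMTP:user@domain] or as a bare address; extract the domain.
    if     ($Address -match 'SMTP:([^@\]]+)@([^\]>\s]+)') { $domain = $Matches[2].ToLower() }
    elseif ($Address -match '@([^\s>\]]+)')             { $domain = $Matches[1].ToLower() }
    else   { return $false }   # internal recipient object with no SMTP address rendered
    return ($internalDomains -notcontains $domain)
}

$findings  = New-Object System.Collections.Generic.List[object]
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" }

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (set on the mailbox object itself, invisible in the user's rules)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress; Kind = 'MailboxForwarding'; RuleName = $null
            Detail   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        })
    }
    # 2. Inbox rules that forward externally, delete, or bury mail (the pattern from the lifecycle slide)
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress ([string]$_) }
        $reasons  = @()
        if ($external)                      { $reasons += "forwards externally to: $($external -join ', ')" }
        if ($rule.DeleteMessage)            { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -match 'RSS|Deleted|Junk|Archive') { $reasons += "moves to $($rule.MoveToFolder)" }
        if ($rule.MarkAsRead -and $rule.SubjectOrBodyContainsWords) { $reasons += 'marks keyword matches as read' }
        if ($reasons) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Kind = 'InboxRule'; RuleName = $rule.Name
                Detail  = ($reasons -join '; ')
            })
        }
    }
}

$findings | Export-Csv -NoTypeInformation -Path .\SuspiciousRules.csv
$findings | Format-Table -AutoSize

# 3. Last password change per user, to confirm the reset after compromise actually happened
Get-MsolUser -All | Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp |
    Export-Csv -NoTypeInformation -Path .\LastPasswordChange.csv
```

Disable rather than delete a flagged rule until the mailbox hold is in place: the rule definition is evidence of what the attacker wanted hidden.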
Audit Logs
Guess which one of these three is enabled by default?
Audit Logs
+ Audit Logs detail user activity across the entire O365 environment
+ Office 365 Audit Logs are very useful but very frustrating
+ Audit Logs are not enabled by default
+ Exchange/Mail related logs are not enabled by default
+ JSON with nested JSON
Mailbox/Exchange Audit Logs
+ Not enabled by default
Action              Description                                                        Admin  Delegate  Owner
Copy                An item is copied to another folder.                               Yes    No        No
Create              An item is created in the Calendar, Contacts, Notes, or Tasks      Yes*   Yes*      Yes
                    folder in the mailbox; for example, a new meeting request is
                    created. Note that message or folder creation isn't audited.
FolderBind          A mailbox folder is accessed.                                      Yes*   Yes**     No
HardDelete          An item is deleted permanently from the Recoverable Items folder.  Yes*   Yes*      Yes
MailboxLogin        The user signed in to their mailbox.                               No     No        Yes***
MessageBind         An item is accessed in the reading pane or opened.                 Yes    No        No
Move                An item is moved to another folder.                                Yes*   Yes       Yes
MoveToDeletedItems  An item is moved to the Deleted Items folder.                      Yes*   Yes       Yes
SendAs              A message is sent using Send As permissions.                       Yes*   Yes*      No
SendOnBehalf        A message is sent using Send on Behalf permissions.                Yes*   Yes       No
SoftDelete          An item is deleted from the Deleted Items folder.                  Yes*   Yes*      Yes
Update              An item's properties are updated.                                  Yes*   Yes*      Yes
(The asterisks are footnotes on the source page.)
Source: https://technet.microsoft.com/en-us/library/ff461937(v=exchg.160).aspx
Enabling Mailbox Audit Logs
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner "Create, Update, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete"
Important: You will have to run this script on a schedule, as it only enables mailbox auditing for the mailboxes that exist when it runs; mailboxes created afterwards are not covered.
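Because the one-liner above only covers mailboxes that exist when it runs, a scheduled job should first report which user mailboxes are still unaudited and then enable only those. The script below is an added example, not from the talk; it assumes a connected Exchange Online PowerShell session, and the 90-day age limit is the figure given on the TTL slide rather than a tenant-specific value.

```powershell
# Added example (not from the talk): report and close the mailbox-auditing gap, suitable for a schedule.
# Assumes an Exchange Online PowerShell session is already connected.
$ownerActions = 'Create, Update, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete'
$filter       = { RecipientTypeDetails -eq "UserMailbox" }

$all     = @(Get-Mailbox -ResultSize Unlimited -Filter $filter)
$missing = @($all | Where-Object { -not $_.AuditEnabled })
"{0} of {1} user mailboxes have auditing disabled" -f $missing.Count, $all.Count

# Record which mailboxes were unaudited and since when (WhenMailboxCreated shows how long the gap lasted)
$missing | Select-Object PrimarySmtpAddress, WhenMailboxCreated |
    Export-Csv -NoTypeInformation -Append -Path .\AuditGap.csv

# Enable auditing only where it is off, and pin retention to the 90 days mentioned on the TTL slide
$missing | Set-Mailbox -AuditEnabled $true -AuditOwner $ownerActions -AuditLogAgeLimit 90

# Verify: a non-zero count here means some Set-Mailbox calls failed and the job should alert
$still = @(Get-Mailbox -ResultSize Unlimited -Filter $filter | Where-Object { -not $_.AuditEnabled })
"{0} user mailboxes still unaudited after the run" -f $still.Count
```

Keeping AuditGap.csv over time tells you, per mailbox, the window during which owner actions such as MailboxLogin were never recorded, which matters when you later have to explain why a given day has no events.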
Audit Logs Continued
{
  "CreationTime": "2018-03-12T21:02:46",
  "Id": "b0f7472d-4830-4b7a-8fc8-08d5425c9b00",
  "Operation": "MailboxLogin",
  "OrganizationId": "88af9a01-997d-4990-8895-25d100f62ba5",
  "RecordType": 2,
  "ResultStatus": "Succeeded",
  "UserKey": "10543BFFD9B5F8EDF",
  "UserType": 0,
  "Version": 1,
  "Workload": "Exchange",
  "UserId": "aparsons@contoso.com",
  "ClientIPAddress": "187.36.51.3",
  "ClientInfoString": "Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
  "ExternalAccess": false,
  "InternalLogonType": 0,
  "LogonType": 0,
  "LogonUserSid": "S-1-5-21-4210148372-1463556831-2082377497-6089575",
  "MailboxGuid": "64288e9b-0bfd-42cc-b08f-0007f8630d51",
  "MailboxOwnerSid": "S-1-5-21-4010148372-1463556831-2083377497-6089575",
  "MailboxOwnerUPN": "aparsons@contoso.com",
  "OrganizationName": "stroz.contoso.com",
  "OriginatingServer": "DM5PR17MB1322"
}
Audit Logs Continued
{
  "CreationTime": "2018-03-12T21:02:41",
  "Id": "701ae50c-7da5-49fd-ccf2-08d5885c9879",
  "Operation": "FilePreviewed",
  "OrganizationId": "88af9a01-997d-4990-8895-25d100f62ba5",
  "RecordType": 6,
  "UserKey": "i:0h.f|membership|1003bffd9b5f8edf@live.com",
  "UserType": 0,
  "Version": 1,
  "Workload": "OneDrive",
  "ClientIP": "187.36.51.3",
  "ObjectId": "https://contoso-my.sharepoint.com/personal/aparsons_contoso_onmicrosoft_com/Documents/Sensitive data.docx",
  "UserId": "aparsons@contoso.onmicrosoft.com",
  "CorrelationId": "1a708197-8123-43ec-b593-1bae34e6432a",
  "EventSource": "SharePoint",
  "ItemType": "File",
  "ListId": "8dd3b323-d4e3-444d-9b33-adf13a56a411",
  "ListItemUniqueId": "015cb92a-ea29-4bd8-8650-8d965406047f",
  "Site": "7a952c9d-8c29-471d-8d3a-9b698639db45",
  "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
  "WebId": "577deac0-7c7e-4c60-9525-942ac37d08ce",
  "SourceFileExtension": "docx",
  "SiteUrl": "https://contoso-my.sharepoint.com/personal/aparsons_contoso_onmicrosoft_com/",
  "SourceFileName": "Sensitive data.docx",
  "SourceRelativeUrl": "Documents"
}
Pivoting with Audit Log Analysis
+ Take your Audit Logs and do some IP lookups
− Identify suspicious countries, using both sources:
− Audit Logs (Protection.Office.com)
− Azure AD Sign-in Logs (Portal.Azure.com)
− Identify suspicious IPs
− Proxy providers
− Cloud providers
− Identify common User Agents
Excerpt highlighted on the slide: "ClientIPAddress":"187.36.51.3","ClientInfoString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
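The pivots on this slide (IP per user, user-agent frequency) can be done directly on the AuditData column of a Search-UnifiedAuditLog export, once the nested JSON is parsed and the Exchange and SharePoint field names are normalised. The script below is an added example, not part of the talk: the three records it runs on are constructed from the fields shown on the previous slides (the second IP is a documentation address, and the "known egress" list is a stand-in for whatever the client gives you). It runs offline; the commented line shows how to feed it a real export.

```powershell
# Added example (not from the talk): normalise audit records and pivot on client IP and user agent.

function ConvertFrom-AuditRecord {
    param([Parameter(ValueFromPipeline)][string]$AuditData)
    process {
        $d = $AuditData | ConvertFrom-Json
        # Exchange records use ClientIPAddress/ClientInfoString; SharePoint and OneDrive use ClientIP/UserAgent.
        $ip = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        $ua = if ($d.ClientInfoString) { $d.ClientInfoString } else { $d.UserAgent }
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Workload  = $d.Workload
            Operation = $d.Operation
            ClientIP  = ($ip -replace '^\s+|\s+$', '')             # exports sometimes carry stray whitespace
            UserAgent = ($ua -replace '^Client=[^;]*;\s*', '')     # drop the "Client=/owa/...;" prefix
        }
    }
}

# Constructed sample records (fields as on the slides; 203.0.113.7 is a documentation address)
$sample = @(
  '{"CreationTime":"2018-03-12T21:02:46","Operation":"MailboxLogin","Workload":"Exchange","UserId":"aparsons@contoso.com","ClientIPAddress":"187.36.51.3","ClientInfoString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0.3029.110 Edge/16.16299"}',
  '{"CreationTime":"2018-03-12T21:02:41","Operation":"FilePreviewed","Workload":"OneDrive","UserId":"aparsons@contoso.onmicrosoft.com","ClientIP":" 187.36.51.3","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0.3029.110 Edge/16.16299"}',
  '{"CreationTime":"2018-03-13T08:15:02","Operation":"MailboxLogin","Workload":"Exchange","UserId":"aparsons@contoso.com","ClientIPAddress":"203.0.113.7","ClientInfoString":"Client=MSExchangeRPC; Outlook/16.0"}'
)
$events = $sample | ConvertFrom-AuditRecord
# Real data: $events = Import-Csv .\aparsons.csv | Select-Object -ExpandProperty AuditData | ConvertFrom-AuditRecord

# Pivot 1: which IPs touched which users, and over what window. Feed the IP column to your geolocation lookup.
$events | Group-Object User, ClientIP | ForEach-Object {
    [pscustomobject]@{
        UserAndIP = $_.Name
        Events    = $_.Count
        First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object First | Format-Table -AutoSize

# Pivot 2: user-agent frequency. A rare UA paired with an IP outside the known egress set is a lead.
$knownEgress = @('203.0.113.7')   # constructed stand-in for the client's office IPs
$events | Group-Object UserAgent | Sort-Object Count | Format-Table Count, Name -AutoSize
$events | Where-Object { $knownEgress -notcontains $_.ClientIP } |
    Select-Object Time, User, Workload, Operation, ClientIP | Format-Table -AutoSize
```

Normalising the field names first is what lets the Exchange MailboxLogin and the OneDrive FilePreviewed on the slides fall into the same IP group, which is the whole point of the pivot: one foreign IP reading mail and then previewing "Sensitive data.docx" a few seconds earlier.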
Fun Fact #2
Vancouver: 45.40 in
Montreal: 39 in
Toronto: 31 in
Acquiring Audit Logs (Without a SIEM)
1. Never trust the Audit Log GUI
2. Never trust the Audit Log GUI
3. Never ever trust the Audit Log GUI
4. ALWAYS acquire Audit Logs via PowerShell
Audit Log GUI Issues
− It will only export up to 50,000 lines per request and will not warn you
− It sometimes won't get all of the audit logs and won't tell you
− It sometimes lies about how far back it can acquire audit logs
Search-UnifiedAuditLog -StartDate 9/1/2017 -EndDate 10/1/2017 -UserIds aparsons@contoso.com -ResultSize 5000 | Export-Csv "aparsons.csv"
Note: This command and others like it require you to connect to the Exchange Online shell via PowerShell first (Tutorial)
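A single Search-UnifiedAuditLog call caps the result size, so an acquisition that must cover the full retention window has to page, and it should check the total it received against the ResultCount the service stamps on every returned record; that check is what the GUI never gives you. The script below is an added example, not the talk's own collection script. It assumes a connected Exchange Online PowerShell session; the user, the 90-day window and the output path at the bottom are placeholders.

```powershell
# Added example (not from the talk): paged, verified export of a date range from the unified audit log.
# Assumes an Exchange Online PowerShell session is already connected.

function Export-AuditLogRange {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$UserIds,
        [string]$OutFile = '.\AuditLog.csv',
        [int]$MaxRetries = 5
    )
    # One SessionId per window; ReturnLargeSet returns the next page on each call with the same id.
    $sessionId = 'IR-' + [guid]::NewGuid().ToString()
    $records   = New-Object System.Collections.Generic.List[object]
    $expected  = $null
    $retries   = 0
    $more      = $true
    while ($more) {
        $params = @{ StartDate = $StartDate; EndDate = $EndDate; SessionId = $sessionId
                     SessionCommand = 'ReturnLargeSet'; ResultSize = 5000 }
        if ($UserIds) { $params.UserIds = $UserIds }
        try {
            $page    = @(Search-UnifiedAuditLog @params)
            $retries = 0
        } catch {
            # Throttling (too many searches too quickly, as the next slide warns) surfaces here.
            $retries++
            Write-Warning "Search failed ($($_.Exception.Message)); retry $retries of $MaxRetries after 60s"
            if ($retries -ge $MaxRetries) { throw }
            Start-Sleep -Seconds 60
            continue
        }
        if ($page.Count -eq 0) { $more = $false; continue }
        if ($null -eq $expected) { $expected = $page[0].ResultCount }   # total the service says exists
        $records.AddRange([object[]]$page)
        Write-Host ("  {0} / {1} records" -f $records.Count, $expected)
    }

    # A retried call may repeat a page; record Identity is unique, so dedupe on it before counting.
    $unique = @($records | Sort-Object Identity -Unique)
    if ($expected -and $unique.Count -lt $expected) {
        Write-Warning ("Shortfall for {0:u} .. {1:u}: got {2} of {3}. Split the window and re-run." -f
                       $StartDate, $EndDate, $unique.Count, $expected)
    }
    $unique | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -NoTypeInformation -Append -Path $OutFile
    return $unique.Count
}

# Walk the 90-day retention window one day at a time: small windows stay under the per-session cap,
# and a per-day count makes a gap obvious when you compare days.
$end   = (Get-Date).Date
$start = $end.AddDays(-90)
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    $n = Export-AuditLogRange -StartDate $day -EndDate $day.AddDays(1) `
                              -UserIds 'aparsons@contoso.com' -OutFile .\aparsons_90d.csv
    Write-Host ("{0:yyyy-MM-dd}: {1} records" -f $day, $n)
}
```

Keep the AuditData column raw in the CSV: it is the nested JSON from the earlier slides, and parsing it later (per workload) is easier than trying to flatten it during collection.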
Acquiring Audit Logs
Data Learned from Pain
+ Via PowerShell, you can't acquire more than 10,000 records at a time, but you can page through them sequentially, and it shows more clearly when you have not acquired them all.
+ If you request too many logs in a short period of time, Microsoft will lock you out for a few minutes. Check out Start-RobustCloudCommand.ps1
+ If you use the GUI, you are limited to 50,000 events with no verification that you have all of the logs
+ Search the full 90 days prior even if the client didn't have audit logs enabled.
+ Overall, a very frustrating process without a SIEM connection
Useful Audit Log searches
+ You can use PowerShell to search all audit logs that contain certain IP addresses (not 100% effective though):
Search-UnifiedAuditLog -ResultSize 5000 -StartDate $startDate -EndDate $endDate -IPAddresses 45.77.147.170, 187.36.51.* | Export-Csv "MaliciousIP.csv"
+ You can also use PowerShell to search all audit logs for Mailbox Rule events to find additional attacker activity (only if Exchange logging has been enabled by the client):
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations *-InboxRule | Export-Csv "AuditLogs_FullInboxRules.csv"
Quick Recap: What do we know?
+ With the data collected so far we should know the following:
− Users that were compromised (if the attacker uses obvious foreign IP addresses or Proxy/VPN solutions)
− Whether the attacker is currently in the environment or has malicious Mailbox Rules enabled
− What mailbox rules (if any) the attacker may have created (if the client had mailbox logging enabled)
− This can also help generate a list of users that were targeted.
+ Unanswered Questions
− How many e-mails were sent by the attacker while the user was compromised?
− How was the user originally compromised?
Surely we could Automate?
HAWK
+ PowerShell Module released in December 2017
+ Made by Microsoft Support Engineers
+ HAWK will:
− Parse successful logins and resolve the locations
− Export Exchange related Audit Logs
− Export Current Inbox Rules per user
− Export Historical Inbox Rules
− Export Permissions
− Much much more
+ HAWK will NOT:
− Collect all of your audit logs for you
HAWK
+ Process (Take a picture of this)
1. Install-Module -Name HAWK
2. Import-Module HAWK
3. Connect to Exchange Via PowerShell
4. Start-HawkTenantInvestigation
5. Start-HawkUserInvestigation
User Investigation Export Subset
Tenant Investigation Export Subset
Recap: Quick Wins
+ http://portal.azure.com
− Impossible Sign-ins
− Suspicious Logins
− Collect ALL sign-in logs
+ Run HAWK
− Find Malicious Mailbox Rules
− Get Locations of logins from Audit Logs
Finding Phishing E-mail
+ Look for E-mail within 5 days prior to the first malicious login
+ Often something like “John Smith has Shared a Document With you”
+ Attackers often delete and purge e-mails; Default TTL is 14 days
+ If e-mail is no longer present
− Search the Trace Logs
− Trace Logs are detailed logs of where each e-mail was sent from, and include valuable IP addresses; however, they do not contain the message contents. (Collection Tutorial)
+ If you need to search for more e-mails across the entire company, you can do that in the Search pane of the eDiscovery case (Tutorial). Content Searches also work exactly the same way.
+ Check out PIE! https://github.com/LogRhythm-Labs/PIE
Finding the Fraud e-mail
+ Office 365 sometimes records the sender's IP address in the "x-originating-ip" header of the e-mail. Scanning for that IP can help find which e-mails were sent fraudulently.
+ Process for finding malicious IPs in a PST file
− Process the PST in X-Ways
− Copy/export the processed EML files into a folder
− Run an automated script to look up the IP addresses
− Search for suspicious IPs in the report
− Use X-Ways/grep to then search for the identified IPs within the PST
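The "automated script" step of that process is the only part that needs code: read every exported EML, pull the x-originating-ip header (unfolding wrapped header lines and tolerating the bracketed form), tally the IPs, and list the messages from a flagged one. The script below is an added example, not the talk's own script, and it creates three constructed sample messages in a temp folder so it runs without a PST; the flagged IP is the one from the slides' log samples and the second IP is a documentation address. For real data, point -Path at the folder exported from X-Ways.

```powershell
# Added example (not from the talk): scan exported .eml files for x-originating-ip and report by IP.

function Get-OriginatingIP {
    param([string]$RawMessage)
    # Headers end at the first blank line; unfold continuation lines (leading whitespace) before matching.
    $headerBlock = ($RawMessage -split "`r?`n`r?`n", 2)[0] -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($headerBlock -split "`r?`n")) {
        # Header names are case-insensitive; the value may be written as [1.2.3.4] or bare.
        if ($line -match '^x-originating-ip:\s*\[?([0-9a-fA-F:.]+)\]?') { return $Matches[1] }
    }
    return $null
}

function Get-EmlOriginReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.eml -File | ForEach-Object {
        $raw     = Get-Content -LiteralPath $_.FullName -Raw
        $subject = if ($raw -match '(?m)^Subject:\s*(.*)$') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            File          = $_.Name
            OriginatingIP = (Get-OriginatingIP $raw)
            Subject       = $subject
        }
    }
}

# --- Constructed sample messages (not real mail) ---
$dir = Join-Path ([IO.Path]::GetTempPath()) 'eml-sample'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$samples = @{
  'a.eml' = "From: aparsons@contoso.com`r`nTo: ap@contoso.com`r`nSubject: Wire transfer request`r`nx-originating-ip: [187.36.51.3]`r`n`r`nPlease process today."
  'b.eml' = "From: aparsons@contoso.com`r`nSubject: Lunch`r`nX-Originating-IP: [203.0.113.7]`r`n`r`nNoon?"
  'c.eml' = "From: someone@example.net`r`nSubject: Hi`r`n`r`nNo originating header on this one."
}
$samples.GetEnumerator() | ForEach-Object {
    Set-Content -LiteralPath (Join-Path $dir $_.Key) -Value $_.Value -NoNewline
}

$report = Get-EmlOriginReport -Path $dir
$report | Export-Csv -NoTypeInformation -Path (Join-Path $dir 'origin-report.csv')

# Frequency table: the client's normal egress dominates; a rare IP inside the compromise window stands out.
$report | Where-Object OriginatingIP | Group-Object OriginatingIP |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Messages sent from a flagged IP (187.36.51.3 is the address in the slides' audit log samples)
$report | Where-Object { $_.OriginatingIP -eq '187.36.51.3' } | Format-Table File, Subject -AutoSize
```

Messages with no x-originating-ip at all (the third sample) should be kept in the report rather than dropped: mail relayed from another client or tenant often lacks the header, and its absence is itself a grouping key when you compare against the message trace.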
Preventative Techniques
+ Enable MFA
+ Look into Azure AD Conditional Access
− Can automatically block suspicious logins (if configured)
− Can blacklist IP subnets and locations
− Catch: Requires Azure Active Directory Premium P2
Conclusion
+ Questions?
+ Contact/Follow me on Twitter: @parsonsproject
− Will post this presentation on my Twitter
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 

Recently uploaded (20)

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 

Office 365 incident Response: BSides Vancouver 2018

  • 1. Twitter: @ParsonsProject. Alex Parsons, DFIR Consultant. B|Sides Vancouver 2018. OFFICE 365 INCIDENT RESPONSE
  • 2. Intro/Disclaimer
    + Alex Parsons
      − Consultant in Incident Response for Stroz Friedberg
      − Lives in Seattle; from Pennsylvania
      − Knows a lot about Microsoft technologies and Office 365
      − Wrote one of the first papers on Windows 10 Forensics
      − Doesn’t know everything about Office 365
      − Used to own a Windows Phone
      − Opinions expressed are solely my own and do not express the views or opinions of Stroz Friedberg
  • 3. Goals
    + Go over:
      − O365 Basics
      − Compromise Basics
      − Collection Details
      − Post-incident Process
      − Learn from my pain
      − We use a basic compromise example, but it is applicable to other cases.
    + Assumption is you don’t have a SIEM connection in place.
  • 4. TL;DR
    + Place holds on your compromised mailboxes
    + Check your Azure Sign-in Logs
    + Export your Audit Logs correctly
    + Use HAWK:
      − https://www.powershellgallery.com/packages/HAWK/1.0.0
    + Use Azure AD Conditional Access for prevention
    + Enable Multi-Factor Authentication (MFA)
    + Enable Multi-Factor Authentication (MFA)
    + Enable Multi-Factor Authentication (MFA)
  • 5. What is Office 365?
    + Simple idea from 2010
      − Bring Microsoft’s on-premise servers to the cloud
        − Mail Servers
        − SharePoint Servers
        − Microsoft Lync/Skype for Business
      − Add Office Web Apps (like Google Docs)
      − Oh, and offer regular Office 2010 too
  • 6. Wait, but what IS SharePoint?
    + Whatever you want it to be! (And it’s normally terribly designed)
    + Custom Websites
    + Custom Forms
    + Team Sites
    + OneDrive for Business
  • 7. Does O365 do anything interesting though?
    + Since 2010 Microsoft has done a LOT
      − More services are becoming O365 only
        − OneDrive
        − Microsoft Teams
        − Yammer
        − Planner
        − Sway
        − Flow
        − Stream
        − Much, much more
  • 9. Compromise Lifecycle (Day 1 through Day 5)
    + Attacker sends phish / gets in via brute force
      − User clicks on link, gives away credentials.
    + Attacker sends more phishing e-mails from trusted accounts, adds mailbox rules
      − Additional users click on phishing links
      − Users don’t see the e-mails because of the inbox rules
    + Attacker sends wire transfer request from compromised user, adds mailbox rules
      − Receiver of wire transfer request trusts the e-mail, sends the money
    + Attacker uses all compromised accounts to spread the phishing campaign
      − Customers/Clients click on phishing links and the cycle continues
    + Example of the attacker’s inbox rule:
      New-InboxRule -StopProcessingRules:$True -AlwaysDeleteOutlookRulesBlob:$False -Force:$False -Name ... -MarkAsRead:$True -DeleteMessage:$True -SubjectOrBodyContainsWords "delivery failure"; "don't open"; "you have been hacked"; error; spam; hacked; docusign; 10/08/2017; wire
  • 11. @ParsonsProject Scenario + Client calls you in, states that an Office 365 account was compromised. What is the first thing you should do? − Place a hold on the affected user’s mailbox − Collect Azure AD Sign In Logs (if possible) − Scan for Malicious Inbox Rules − Acquire Audit Logs Time To Live for logs in default environments − Azure Active Directory Sign-ins: 2-7 days (Depends on what you pay for) − Deleted Mail 14 days (Unless you place a hold on the mailbox) − Audit Logs: 90 days − Trace Logs: 90 Days − Exchange Audit Logs: 0 days, 90 days if enabled
  • 12. @ParsonsProject Placing a hold on the Mailbox + TechNet Link + If you download you must use Microsoft Edge/IE
  • 13. @ParsonsProject Azure Active Directory Sign-Ins + Very quick win if data within your time frame is there. (See TTL) + Every O365 environnent has Azure Active Directory + Look for foreign logons + Acquire AD Sign-in logs @ portal.azure.com
  • 14. @ParsonsProject Ensure Attacker is out of environment + Check All Current Inbox/Mailbox rules + Check to see if any Current Inbox Rules are forwarding to an attacker (Script) + Collect Last Password Change Info (Script) + Check if any mailboxes are currently being forwarded (Link)
  • 15. @ParsonsProject Audit Logs Guess which one of these three are enabled by default?
  • 16. @ParsonsProject Audit Logs + Audit Logs detail user activity across the entire O365 environment + Office 365 Audit Logs are very useful but very frustrating + Audit Logs are not enabled by default + Exchange/Mail related logs are not enabled by default + JSON with nested JSON
  • 17. @ParsonsProject Mailbox/Exchange Audit Logs + Not enabled by default Action Description Admin Delegate Owner Copy An item is copied to another folder. Yes No No Create An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. Yes* Yes* Yes FolderBind A mailbox folder is accessed. Yes* Yes** No HardDelete An item is deleted permanently from the Recoverable Items folder. Yes* Yes* Yes MailboxLogin The user signed in to their mailbox. No No Yes*** MessageBind An item is accessed in the reading pane or opened. Yes No No Move An item is moved to another folder. Yes* Yes Yes MoveToDeletedItems An item is moved to the Deleted Items folder. Yes* Yes Yes SendAs A message is sent using Send As permissions. Yes* Yes* No SendOnBehalf A message is sent using Send on Behalf permissions. Yes* Yes No SoftDelete An item is deleted from the Deleted Items folder. Yes* Yes* Yes Update An item's properties are updated. Yes* Yes* Yes Source: https://technet.microsoft.com/en- us/library/ff461937(v=exchg.160).aspx
  • 18. @ParsonsProject Enabling Mailbox Audit Logs Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true –AuditOwner “Create, Update, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete” Important: You will have to run this script on a schedule as this enable mailbox auditing settings for all current users
  • 19. @ParsonsProject Audit Logs Continued {"CreationTime":"2018-03-12T21:02:46","Id":"b0f7472d-4830-4b7a-8fc8- 08d5425c9b00","Operation":"MailboxLogin","OrganizationId":"88af9a01- 997d-4990-8895- 25d100f62ba5","RecordType":2,"ResultStatus":"Succeeded","UserKey":"10 543BFFD9B5F8EDF","UserType":0,"Version":1,"Workload":"Exchange","User Id":"aparsons@contoso.com","ClientIPAddress":“187.36.51.3","ClientInf oString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299","ExternalAccess":false,"InternalLogonType":0,"LogonTy pe":0,"LogonUserSid":"S-1-5-21-4210148372-1463556831-2082377497- 6089575","MailboxGuid":"64288e9b-0bfd-42cc-b08f- 0007f8630d51","MailboxOwnerSid":"S-1-5-21-4010148372-1463556831- 2083377497- 6089575","MailboxOwnerUPN":"aparsons@contoso.com","OrganizationName": "stroz.contoso.com","OriginatingServer":"DM5PR17MB1322"}
  • 20. @ParsonsProject Audit Logs Continued {"CreationTime":"2018-03-12T21:02:41","Id":"701ae50c-7da5-49fd-ccf2- 08d5885c9879","Operation":"FilePreviewed","OrganizationId":"88af9a01-997d-4990- 8895- 25d100f62ba5","RecordType":6,"UserKey":"i:0h.f|membership|1003bffd9b5f8edf@live.com ","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":" 187.36.51.3","ObjectId":"https://contoso- my.sharepoint.com/personal/aparsons_contoso_onmicrosoft_com/Documents/Sensitive data.docx","UserId":"aparsons@contoso.onmicrosoft.com","CorrelationId":"1a708197- 8123-43ec-b593- 1bae34e6432a","EventSource":"SharePoint","ItemType":"File","ListId":"8dd3b323-d4e3- 444d-9b33-adf13a56a411","ListItemUniqueId":"015cb92a-ea29-4bd8-8650- 8d965406047f","Site":"7a952c9d-8c29-471d-8d3a- 9b698639db45","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299","WebId":"577deac0-7c7e-4c60-9525- 942ac37d08ce","SourceFileExtension":"docx","SiteUrl":"https://contoso- my.sharepoint.com/personal/aparsons_contoso_onmicrosoft_com/","SourceFileName":" Sensitive data.docx","SourceRelativeUrl":"Documents"}
  • 21. @ParsonsProject Pivoting with Audit Log Analysis + Take your Audit logs and do some IP lookups − Identify suspicious countries − Audit Logs (Protection.Office.com) − Azure AD Sign In Logs (Portal.Azure.com) − Identify suspicious Ips − Proxy Providers − Cloud Providers − Identify common User Agents ","ClientIPAddress":“187.36.51.3 ","ClientInfoString":"Client=/o wa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
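The pivot this slide describes, worked through as an added Python example (not code from the talk or from HAWK). It takes raw AuditData JSON documents of the kind shown on slides 19 and 20, flattens them (Exchange, SharePoint/OneDrive and Azure AD records name the IP and user-agent fields differently), and groups events by source IP and by user agent. The records, the account names and the corporate range 203.0.113.0/24 are constructed; because the block runs offline, the country lookup the slide calls for is stood in for by an allow-list of corporate networks, and anything outside it is reported as external. It also trims stray whitespace and a trailing :port from the IP value, which would otherwise split one host across several pivot rows.

```python
"""Pivot Office 365 unified audit log records by client IP and user agent (added example)."""
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample records, each in the shape of one AuditData value; the
# field names follow the MailboxLogin and FilePreviewed samples in the talk.
SAMPLE_RECORDS = [
    '{"CreationTime":"2018-03-12T21:02:46","Operation":"MailboxLogin","RecordType":2,'
    '"Workload":"Exchange","UserId":"aparsons@contoso.com","ClientIPAddress":"187.36.51.3:52144",'
    '"ClientInfoString":"Client=/owa/SuiteServiceProxy.aspx; Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/16.16299"}',
    '{"CreationTime":"2018-03-12T21:02:41","Operation":"FilePreviewed","RecordType":6,'
    '"Workload":"OneDrive","UserId":"aparsons@contoso.onmicrosoft.com","ClientIP":" 187.36.51.3",'
    '"UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/16.16299",'
    '"ObjectId":"https://contoso-my.sharepoint.com/personal/aparsons_contoso_onmicrosoft_com/Documents/Sensitive data.docx"}',
    '{"CreationTime":"2018-03-13T08:15:02","Operation":"UserLoggedIn","RecordType":15,'
    '"Workload":"AzureActiveDirectory","UserId":"bjones@contoso.com","ClientIP":"187.36.51.3"}',
    '{"CreationTime":"2018-03-13T09:00:10","Operation":"MailboxLogin","RecordType":2,'
    '"Workload":"Exchange","UserId":"aparsons@contoso.com","ClientIPAddress":"203.0.113.10",'
    '"ClientInfoString":"Client=MSExchangeRPC"}',
    '{"CreationTime":"2018-03-14T17:45:33","Operation":"FileAccessed","RecordType":6,'
    '"Workload":"OneDrive","UserId":"bjones@contoso.com","ClientIP":"45.77.147.170",'
    '"UserAgent":"python-requests/2.18.4"}',
]

# Assumed corporate egress range (placeholder, TEST-NET-3); anything else counts as external.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
_PORT_SUFFIX = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def normalize_ip(raw):
    """Trim whitespace and a trailing :port (Exchange records can carry one) so one host groups together."""
    ip = (raw or "").strip()
    m = _PORT_SUFFIX.match(ip)
    return m.group(1) if m else ip


def parse_record(audit_data):
    """Flatten one AuditData JSON document into the fields worth pivoting on."""
    rec = json.loads(audit_data)
    return {
        "time": datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S"),  # UAL times are UTC
        "user": rec.get("UserId", "").lower(),
        "workload": rec.get("Workload", ""),
        "operation": rec.get("Operation", ""),
        "ip": normalize_ip(rec.get("ClientIPAddress") or rec.get("ClientIP")),
        "ua": rec.get("ClientInfoString") or rec.get("UserAgent") or "",
        "object": rec.get("ObjectId", ""),
    }


def is_corporate(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def pivot_by_ip(records):
    """Group events by source IP: which accounts, which operations, first and last seen."""
    by_ip = {}
    for r in records:
        if not r["ip"]:
            continue
        e = by_ip.setdefault(r["ip"], {
            "users": set(), "operations": set(), "workloads": set(), "user_agents": set(),
            "first_seen": r["time"], "last_seen": r["time"], "count": 0,
            "external": not is_corporate(r["ip"]),
        })
        e["users"].add(r["user"])
        e["operations"].add(r["operation"])
        e["workloads"].add(r["workload"])
        if r["ua"]:
            e["user_agents"].add(r["ua"])
        e["first_seen"] = min(e["first_seen"], r["time"])
        e["last_seen"] = max(e["last_seen"], r["time"])
        e["count"] += 1
    return by_ip


def suspicious_ips(by_ip):
    """External IPs, worst first: one address touching several accounts is the usual pivot."""
    ext = [(ip, e) for ip, e in by_ip.items() if e["external"]]
    ext.sort(key=lambda kv: (-len(kv[1]["users"]), -kv[1]["count"]))
    return [ip for ip, _ in ext]


def pivot_by_user_agent(records):
    """Map each user agent string to the IPs and accounts that presented it."""
    by_ua = {}
    for r in records:
        if not r["ua"]:
            continue
        e = by_ua.setdefault(r["ua"], {"ips": set(), "users": set()})
        e["ips"].add(r["ip"])
        e["users"].add(r["user"])
    return by_ua


if __name__ == "__main__":
    recs = [parse_record(s) for s in SAMPLE_RECORDS]
    table = pivot_by_ip(recs)
    for ip in suspicious_ips(table):
        e = table[ip]
        print(ip, sorted(e["users"]), sorted(e["operations"]), e["first_seen"], e["last_seen"])
```

On a real case the `SAMPLE_RECORDS` list is replaced by the AuditData column of the PowerShell export; the same user shows up under both the contoso.com and contoso.onmicrosoft.com UPNs in different workloads, which is why the pivot keys on IP rather than on account.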
  • 22. Fun Fact #2: Vancouver: 45.40 in; Montreal: 39 in; Toronto: 31 in
  • 23. Acquiring Audit Logs (Without a SIEM)
    1. Never trust the Audit Log GUI
    2. Never trust the Audit Log GUI
    3. Never ever trust the Audit Log GUI
    4. ALWAYS acquire Audit Logs via PowerShell
    + Audit Log GUI issues
      − It will only export up to 50,000 lines per request and will not warn you
      − It sometimes won’t get all of the audit logs and won’t tell you
      − It sometimes will lie to you about how far back it can acquire audit logs
    Search-UnifiedAuditLog -StartDate 9/1/2017 -EndDate 10/1/2017 -UserIds aparsons@contoso.com -ResultSize 5000 | Export-Csv "aparsons.csv"
    + Note: This command and others like it require you to connect to the Exchange Online shell via PowerShell first (Tutorial)
  • 25. Data Learned from Pain
    + Via PowerShell, you can’t acquire more than 10,000 records at a time, but you can do it sequentially, and it will show you more clearly if you don’t acquire them all.
    + If you request too many logs in a short period of time, Microsoft will lock you out for a few minutes. Check out Start-RobustCloudCommand.ps1
    + If you use the GUI, you are limited to 50,000 events with no verification that you have all of the logs
    + Search for 90 days prior even if the client didn’t have audit logs enabled.
    + Overall, a very frustrating process without a SIEM connection
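A completeness check for the sequential PowerShell exports these two slides recommend, as an added Python example (not from the talk). Every row Search-UnifiedAuditLog returns carries ResultIndex (its 1-based position in the result set), ResultCount (the total number of matches for the query) and a unique Identity; comparing them tells you whether a chunk was cut short by the per-request limit, which positions are missing, and which records were pulled twice across overlapping date windows. The CSV text below is constructed; the CreationDate format assumed is the US-locale form Export-Csv writes, and the leading #TYPE line that older PowerShell versions emit unless -NoTypeInformation is given is stripped.

```python
"""Verify that a Search-UnifiedAuditLog export is complete (added example)."""
import csv
import io
from datetime import datetime

# Constructed export: the query matched 7 records but only 6 rows came back,
# one of them twice (ResultIndex 5) and two not at all (4 and 7).
SAMPLE_EXPORT = """RecordType,CreationDate,UserIds,Operations,AuditData,ResultIndex,ResultCount,Identity
ExchangeItem,3/12/2018 9:02:46 PM,aparsons@contoso.com,MailboxLogin,"{""Operation"":""MailboxLogin""}",1,7,b0f7472d-0000-0000-0000-000000000001
SharePointFileOperation,3/12/2018 9:02:41 PM,aparsons@contoso.com,FilePreviewed,"{""Operation"":""FilePreviewed""}",2,7,701ae50c-0000-0000-0000-000000000002
AzureActiveDirectoryStsLogon,3/12/2018 8:59:10 PM,aparsons@contoso.com,UserLoggedIn,"{""Operation"":""UserLoggedIn""}",3,7,9c1d2e3f-0000-0000-0000-000000000003
ExchangeItem,3/11/2018 6:40:00 PM,aparsons@contoso.com,MailboxLogin,"{""Operation"":""MailboxLogin""}",5,7,44aa55bb-0000-0000-0000-000000000005
ExchangeItem,3/11/2018 6:40:00 PM,aparsons@contoso.com,MailboxLogin,"{""Operation"":""MailboxLogin""}",5,7,44aa55bb-0000-0000-0000-000000000005
ExchangeItem,3/10/2018 7:05:12 AM,aparsons@contoso.com,MailboxLogin,"{""Operation"":""MailboxLogin""}",6,7,66cc77dd-0000-0000-0000-000000000006
"""

# Assumed date layouts: Export-Csv on a US locale first, ISO forms as fallbacks.
DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised CreationDate: %r" % text)


def check_export(csv_text):
    """Return a completeness report for one exported result set."""
    lines = csv_text.splitlines()
    if lines and lines[0].startswith("#TYPE"):  # Export-Csv type header on older PowerShell
        lines = lines[1:]
    rows = list(csv.DictReader(io.StringIO("\n".join(lines))))
    if not rows:
        return {"rows": 0, "unique": 0, "expected": 0, "missing": [], "duplicates": [],
                "complete": False, "window": None}
    expected = max(int(r["ResultCount"]) for r in rows)
    seen_index, seen_id, duplicates, dates = set(), set(), [], []
    for r in rows:
        if r["Identity"] in seen_id:
            duplicates.append(r["Identity"])
        seen_id.add(r["Identity"])
        seen_index.add(int(r["ResultIndex"]))
        dates.append(parse_date(r["CreationDate"]))
    missing = sorted(set(range(1, expected + 1)) - seen_index)
    return {
        "rows": len(rows),
        "unique": len(seen_id),
        "expected": expected,
        "missing": missing,
        "duplicates": duplicates,
        "complete": not missing and expected == len(seen_id),
        "window": (min(dates), max(dates)),
    }


def requery_hint(report):
    """For a short result set, say which window to pull again with a narrower date range."""
    if report["complete"] or report["window"] is None:
        return None
    start, end = report["window"]
    return {"start": start, "end": end, "missing_indexes": report["missing"],
            "advice": "split this window into smaller -StartDate/-EndDate ranges and export each"}


if __name__ == "__main__":
    rep = check_export(SAMPLE_EXPORT)
    print("received %d rows (%d unique) of %d expected; missing %s; duplicates %s"
          % (rep["rows"], rep["unique"], rep["expected"], rep["missing"], rep["duplicates"]))
    print(requery_hint(rep))
```

Run it over each chunk as it is exported; a chunk whose `expected` exceeds `unique` is the case the slide warns about, and the `window` it reports is the date range to split and request again.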
  • 26. Useful Audit Log searches
    + You can use PowerShell to search all audit logs that contain certain IP addresses (not 100% effective though):
      Search-UnifiedAuditLog -ResultSize 5000 -StartDate $startDate -EndDate $endDate -IPAddresses 45.77.147.170,187.36.51.* | Export-Csv "MaliciousIP.csv"
    + You can also use PowerShell to search all audit logs for mailbox rule events to find additional attacker activity (only if Exchange logging has been enabled by the client):
      Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations *-InboxRule | Export-Csv "AuditLogs_FullInboxRules.csv"
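The rule triage that slides 9, 14 and 26 describe, as an added Python example (not code from the talk or from HAWK). It takes both kinds of evidence the talk collects: New-InboxRule/Set-InboxRule events from the audit log export above, where the cmdlet parameters are assumed to be recorded as a Parameters list of Name/Value pairs with multi-valued values joined by ";", and the current rules as exported from Get-InboxRule, where ForwardTo entries are assumed in the '"Display Name" [SMTP:user@example.org]' form. Each rule is checked for the three hallmarks of the lifecycle slide: forwarding outside the tenant, hiding mail that matches warning words such as "hacked" or "wire", and an evasive name. The tenant domains, the sample rules and the addresses in them are constructed.

```python
"""Triage inbox rules for the hallmarks of a compromised mailbox (added example)."""
import json
import re

TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # assumed tenant domains

# Words the attacker's rule on the lifecycle slide hid from the user, plus obvious relatives.
WARNING_WORDS = {"delivery failure", "don't open", "hacked", "spam", "docusign", "wire",
                 "phish", "suspicious", "password", "compromised", "undeliverable"}
# Folders attackers divert mail into because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                  "junk e-mail", "deleted items", "archive", "notes"}
_SMTP = re.compile(r"SMTP:([^\]\s]+)", re.IGNORECASE)


def _split_multi(value):
    if value is None:
        return []
    return [v.strip().strip('"') for v in str(value).split(";") if v.strip()]


def _addresses(value):
    """Accept bare addresses or Get-InboxRule's '"Name" [SMTP:addr]' entries."""
    out = []
    for item in _split_multi(value):
        m = _SMTP.search(item)
        out.append((m.group(1) if m else item).lower())
    return out


def _normalise(source, p):
    """Reduce either input to the handful of properties the triage looks at."""
    return {
        "source": source,
        "name": str(p.get("Name") or p.get("Identity") or ""),
        "forward": sum((_addresses(p.get(k)) for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")), []),
        "delete": str(p.get("DeleteMessage", "")).lower() == "true",
        "mark_read": str(p.get("MarkAsRead", "")).lower() == "true",
        # Get-InboxRule reports folders as 'alias:\Folder'; keep only the leaf name.
        "move_to": str(p.get("MoveToFolder") or "").split("\\")[-1].lower(),
        "words": [w.lower() for k in ("SubjectOrBodyContainsWords", "SubjectContainsWords")
                  for w in _split_multi(p.get(k))],
    }


def rule_from_audit_event(audit_data):
    rec = json.loads(audit_data)
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    return _normalise("%s by %s" % (rec.get("Operation"), rec.get("UserId")), params)


def rule_from_current(row):
    return _normalise("current rule in %s" % row.get("MailboxOwnerId", "?"), row)


def triage(rule):
    """Return the reasons a rule deserves a look; an empty list means nothing odd."""
    findings = []
    external = [a for a in rule["forward"] if a.rsplit("@", 1)[-1] not in TENANT_DOMAINS]
    if external:
        findings.append("forwards/redirects outside the tenant: " + ", ".join(external))
    hides = rule["delete"] or rule["move_to"] in HIDING_FOLDERS
    matched = sorted({w for w in rule["words"] if any(k in w for k in WARNING_WORDS)})
    if hides and matched:
        findings.append("hides mail matching warning words: " + ", ".join(matched))
    elif hides and rule["mark_read"] and not rule["words"]:
        findings.append("marks every message read and hides it")
    name = rule["name"].strip()
    if len(name) <= 2 or set(name) <= set(". ,-_"):
        findings.append("evasive rule name %r" % rule["name"])
    return findings


def triage_all(audit_events, current_rules):
    rules = [rule_from_audit_event(e) for e in audit_events] + [rule_from_current(r) for r in current_rules]
    flagged = []
    for r in rules:
        reasons = triage(r)
        if reasons:
            flagged.append((r["source"], r["name"], reasons))
    return flagged


# Constructed samples: the first event is the lifecycle slide's rule as it would be logged.
SAMPLE_AUDIT_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "aparsons@contoso.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "DeleteMessage", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"},
        {"Name": "SubjectOrBodyContainsWords",
         "Value": "delivery failure;don't open;you have been hacked;error;spam;hacked;docusign;10/08/2017;wire"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bjones@contoso.com", "Parameters": [
        {"Name": "Identity", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "weekly digest"},
        {"Name": "MoveToFolder", "Value": "bjones:\\Newsletters"}]}),
]
SAMPLE_CURRENT_RULES = [
    {"MailboxOwnerId": "cchen@contoso.com", "Name": "Sync", "Enabled": "True",
     "ForwardTo": '"Invoices" [SMTP:payments.backup@example.org]', "DeleteMessage": "False",
     "MarkAsRead": "False", "SubjectOrBodyContainsWords": "invoice;wire"},
    {"MailboxOwnerId": "bjones@contoso.com", "Name": "Team mail", "Enabled": "True", "ForwardTo": "",
     "MoveToFolder": "bjones:\\Projects", "SubjectContainsWords": "standup",
     "DeleteMessage": "False", "MarkAsRead": "False"},
]

if __name__ == "__main__":
    for source, name, reasons in triage_all(SAMPLE_AUDIT_EVENTS, SAMPLE_CURRENT_RULES):
        print(source, repr(name), reasons)
```

The audit-log path is what answers the "what rules did the attacker create" question on slide 27 even after the rule has been deleted; the Get-InboxRule path is the "is the attacker still in" check on slide 14, and the two can disagree, which is itself a finding.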
  • 27. Quick Recap: What do we know?
    + With the data collected so far we should know the following:
      − Users that were compromised (if the attacker uses obvious foreign IP addresses or proxy/VPN solutions)
      − Whether the attacker is currently in the environment or has malicious mailbox rules enabled
      − What mailbox rules (if any) the attacker may have created (if the client had mailbox logging enabled)
      − This can also help generate a list of users that were targeted.
    + Unanswered questions
      − How many e-mails were sent by the attacker while the user was compromised?
      − How was the user originally compromised?
  • 29. HAWK
    + PowerShell module released in December 2017
    + Made by Microsoft Support Engineers
    + HAWK will:
      − Parse successful logins and resolve the locations
      − Export Exchange-related Audit Logs
      − Export current inbox rules per user
      − Export historical inbox rules
      − Export permissions
      − Much, much more
    + HAWK will NOT:
      − Collect all of your audit logs for you
  • 30. HAWK
    + Process (take a picture of this)
      1. Install-Module -Name HAWK
      2. Import-Module HAWK
      3. Connect to Exchange via PowerShell
      4. Start-HawkTenantInvestigation
      5. Start-HawkUserInvestigation
    + (Screenshots: User Investigation export, subset; Tenant Investigation export, subset)
  • 31. Recap: Quick Wins
    + http://portal.azure.com
      − Impossible sign-ins
      − Suspicious logins
      − Collect ALL sign-in logs
    + Run HAWK
      − Find malicious mailbox rules
      − Get locations of logins from Audit Logs
  • 32. Finding Phishing E-mail
    + Look for e-mail within 5 days prior to the first malicious login
    + Often something like “John Smith has Shared a Document With you”
    + Attackers often delete and purge e-mails; default TTL is 14 days
    + If the e-mail is no longer present:
      − Search the Trace Logs
      − Trace Logs are detailed logs regarding where the e-mail was sent from, and they include valuable IP addresses; however, they do not have the contents. (Collection Tutorial)
    + If you need to search for more e-mails across the entire company, you can do that in the Search pane of the eDiscovery case (Tutorial). Content Searches will also work exactly the same.
    + Check out PIE! https://github.com/LogRhythm-Labs/PIE
  • 33. Finding the Fraud e-mail
    + Office 365 sometimes keeps track of the IP address in the “x-originating-ip” header of the e-mail. Scanning for that IP can help find which e-mails were sent fraudulently.
    + Process for finding malicious IPs in a PST file
      − Process the PST in X-Ways
      − Copy/export the processed EML files into a folder
      − Run an automated script to look up IP addresses
      − Search for suspicious IPs in the report
      − Use X-Ways/grep to then search for the identified IPs within the PST
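The "automated script" step of slide 33, together with the five-day lure window of slide 32, as an added Python example (not from the talk). It parses exported EML files with the standard library, pulls the x-originating-ip header (where Office 365 stamped it) and the IPs in the Received chain to find mail sent from the attacker's addresses, and separately lists messages that arrived in the days before the first malicious login, ranking share-notification subjects first. The four messages are constructed; 187.36.51.3 is the attacker address from the talk's sample log, 203.0.113.10 a placeholder corporate address, and the first-bad-login timestamp is the slide 19 MailboxLogin time taken as UTC.

```python
"""Find the phishing lure and the fraudulent mail in exported EML files (added example)."""
import email
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumption: unified audit log CreationTime is UTC, so the slide 19 login is taken as such.
FIRST_BAD_LOGIN = datetime(2018, 3, 12, 21, 2, 46, tzinfo=timezone.utc)

# Constructed messages: a lure, a fraud request, a benign internal mail, an old share notice.
SAMPLE_EMLS = [
    "Received: from mail-out.example.net (198.51.100.23) by mx.contoso.com\n"
    "From: John Smith <john.smith@example.net>\nTo: aparsons@contoso.com\n"
    "Date: Thu, 08 Mar 2018 14:10:00 +0000\nSubject: John Smith has Shared a Document With you\n\n"
    "Open the document here.\n",
    "Received: from DM5PR17MB1322 by DM5PR17MB1322\n"
    "x-originating-ip: [187.36.51.3]\nFrom: aparsons@contoso.com\nTo: finance@partner.example\n"
    "Date: Mon, 12 Mar 2018 21:10:00 +0000\nSubject: Urgent wire transfer\n\nPlease process today.\n",
    "Received: from DM5PR17MB1322 by DM5PR17MB1322\n"
    "x-originating-ip: [203.0.113.10]\nFrom: aparsons@contoso.com\nTo: team@contoso.com\n"
    "Date: Tue, 13 Mar 2018 09:05:00 +0000\nSubject: Standup notes\n\nNotes attached.\n",
    "Received: from relay.example.org (192.0.2.77) by mx.contoso.com\n"
    "From: drive-noreply@example.org\nTo: aparsons@contoso.com\n"
    "Date: Thu, 01 Mar 2018 08:00:00 +0000\nSubject: A file was shared with you\n\nOld share.\n",
]


def parse_eml(text):
    """Pull the handful of headers the investigation pivots on out of one message."""
    msg = email.message_from_string(text)
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent is not None and sent.tzinfo is None:  # a "-0000" Date comes back naive
        sent = sent.replace(tzinfo=timezone.utc)
    m = _IPV4.search(msg.get("x-originating-ip", ""))  # header lookup is case-insensitive
    received = []
    for hop in msg.get_all("Received") or []:
        received.extend(_IPV4.findall(hop))
    return {
        "subject": msg.get("Subject", ""),
        "sender": msg.get("From", ""),
        "date": sent,
        "originating_ip": m.group(1) if m else None,
        "received_ips": received,
    }


def fraud_candidates(messages, bad_ips):
    """Messages whose originating or relay IP is in the attacker set: what the attacker sent."""
    bad = set(bad_ips)
    return [m for m in messages
            if m["originating_ip"] in bad or any(ip in bad for ip in m["received_ips"])]


def lure_candidates(messages, first_bad_login, window_days=5):
    """Messages from the window before the first bad login, share-style subjects first."""
    start = first_bad_login - timedelta(days=window_days)
    hits = [m for m in messages if m["date"] and start <= m["date"] <= first_bad_login]
    for m in hits:
        s = m["subject"]
        m["share_lure"] = bool(re.search(r"\bshared\b", s, re.I)
                               and re.search(r"\b(document|file|folder)\b", s, re.I))
    hits.sort(key=lambda m: (not m["share_lure"], m["date"]))
    return hits


if __name__ == "__main__":
    msgs = [parse_eml(t) for t in SAMPLE_EMLS]
    for m in fraud_candidates(msgs, {"187.36.51.3"}):
        print("sent by attacker:", m["subject"], m["originating_ip"])
    for m in lure_candidates(msgs, FIRST_BAD_LOGIN):
        print("lure candidate:", m["date"], m["subject"], "share-style" if m["share_lure"] else "")
```

Point `SAMPLE_EMLS` at the folder of EML files exported from X-Ways and feed `fraud_candidates` the IPs that the audit-log pivot flagged; messages with no x-originating-ip header (clients that did not go through OWA, or mail relayed from elsewhere) fall back to the Received chain, which is why both are collected.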
  • 34. Preventative Techniques
    + Enable MFA
    + Look into Azure AD Conditional Access
      − Can automatically block suspicious logins (if configured)
      − Can blacklist IP subnets and locations
      − Catch: requires Azure Active Directory Premium P2
  • 35. Conclusion
    + Questions?
    + Contact/Follow me on Twitter: @parsonsproject
      − Will post this presentation on my Twitter

Editor's Notes

  2. Was a fool and owned a Windows Phone for 5 years Has too many embarrassing photos