As adoption for Office 365 increases, so will security incidents that involve Office 365. Despite the high adoption rates across industries, most companies still lack the ability to enforce proper security controls and they also lack the knowledge to respond to incidents quickly and effectively.
In this presentation, we will focus on attacker patterns in O365 environments, how to collect the data you need during an incident, and how to respond to common requests and questions, especially during phishing related cases. We will also look into some of the advanced security features Office 365 has to offer and when it would make sense to invest in them.
2. @ParsonsProject
Intro/Disclaimer
+ Alex Parsons
− Consultant in Incident Response for Stroz Friedberg
− Lives in Seattle; from Pennsylvania
− Knows a lot about Microsoft technologies and Office 365
− Wrote one of the first papers on Windows 10 Forensics
− Doesn’t know everything about Office 365
− Used to own a Windows Phone
− Opinions expressed are solely my own and do not
express the views or opinions of Stroz Friedberg
@ParsonsProject
3. @ParsonsProject
Goals
+ Go over:
− O365 Basics
− Compromise Basics
− Collection Details
− Post-incident Process
− Learn from my pain
− We use a basic compromise
example, but applicable for
other cases.
Assumption is you don’t have a SIEM connection in place.
4. @ParsonsProject
TL;DR
+ Place holds on your compromised Mailboxes
+ Check your Azure Sign in Logs
+ Export your Audit Logs correctly
+ Use HAWK:
− https://www.powershellgallery.com/packages/HAWK/1.0.0
+ Use Azure AD Conditional Access for prevention
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
+ Enable Multi-Factor Authentication (MFA)
5. @ParsonsProject
What is Office 365?
+ Simple Idea from 2010
− Bring Microsoft’s on-premise servers to the cloud
− Mail Servers
− SharePoint Servers
− Microsoft Lync/Skype for Business
− Add Office Web Apps (like Google Docs)
− Oh, and offer regular Office 2010 too
5
6. @ParsonsProject
Wait, but what IS SharePoint?
+ Whatever you want it to be! (And it’s normally terribly designed)
+ Custom Websites
+ Custom Forms
+ Team Sites
+ OneDrive for Business
7. @ParsonsProject
Does O365 do anything interesting though?
+ Since 2010 Microsoft has done a LOT
− More services are becoming O365 only
− OneDrive
− Microsoft Teams
− Yammer
− Planner
− Sway
− Flow
− Stream
− Much, much more
9. @ParsonsProject
Compromise Lifecycle
Attacker Sends
Phish/Gets in via Brute
Force
• User Clicks on link,
gives away credentials.
Attacker Sends more
phishing e-mails from
trusted accounts, adds
Mailbox Rules
• Additional users click on
phishing links
• Users don’t see e-mails
because the inbox rules
Attacker Sends Wire
Transfer request from
compromised user. Adds
Mailbox Rules
• Receiver of Wire
Transfer request trusts
the e-mail, sends the
money
Attacker uses all
Compromised accounts
to spread phishing
Campaign
• Customers/Clients click
on phishing links and
the cycle continues
New-InboxRule -StopProcessingRules:$True -
AlwaysDeleteOutlookRulesBlob:$False -Force:$False -Name ...
MarkAsRead:$True -DeleteMessage:$True -
SubjectOrBodyContainsWords "delivery failure"; "don't
open";"you have been
hacked";error;spam;hacked;docusign;10/08/2017; wire
Day 1 Day 5
11. @ParsonsProject
Scenario
+ Client calls you in, states that an Office 365 account was
compromised. What is the first thing you should do?
− Place a hold on the affected user’s mailbox
− Collect Azure AD Sign In Logs (if possible)
− Scan for Malicious Inbox Rules
− Acquire Audit Logs
Time To Live for logs in default environments
− Azure Active Directory Sign-ins: 2-7 days (Depends on what you pay for)
− Deleted Mail 14 days (Unless you place a hold on the mailbox)
− Audit Logs: 90 days
− Trace Logs: 90 Days
− Exchange Audit Logs: 0 days, 90 days if enabled
13. @ParsonsProject
Azure Active Directory Sign-Ins
+ Very quick win if data within your time frame is there. (See TTL)
+ Every O365 environnent has Azure Active Directory
+ Look for foreign logons
+ Acquire AD Sign-in logs @ portal.azure.com
14. @ParsonsProject
Ensure Attacker is out of environment
+ Check All Current Inbox/Mailbox rules
+ Check to see if any Current Inbox Rules are forwarding to an attacker
(Script)
+ Collect Last Password Change Info (Script)
+ Check if any mailboxes are currently being forwarded (Link)
16. @ParsonsProject
Audit Logs
+ Audit Logs detail user activity across the entire O365 environment
+ Office 365 Audit Logs are very useful but very frustrating
+ Audit Logs are not enabled by default
+ Exchange/Mail related logs are not enabled by default
+ JSON with nested JSON
17. @ParsonsProject
Mailbox/Exchange Audit Logs
+ Not enabled by default
Action Description Admin Delegate Owner
Copy An item is copied to another folder. Yes No No
Create An item is created in the Calendar,
Contacts, Notes, or Tasks folder in
the mailbox; for example, a new
meeting request is created. Note
that message or folder creation isn't
audited.
Yes* Yes* Yes
FolderBind A mailbox folder is accessed. Yes* Yes** No
HardDelete An item is deleted permanently from
the Recoverable Items folder.
Yes* Yes* Yes
MailboxLogin The user signed in to their mailbox. No No Yes***
MessageBind An item is accessed in the reading
pane or opened.
Yes No No
Move An item is moved to another folder. Yes* Yes Yes
MoveToDeletedItems An item is moved to the Deleted
Items folder.
Yes* Yes Yes
SendAs A message is sent using Send As
permissions.
Yes* Yes* No
SendOnBehalf A message is sent using Send on
Behalf permissions.
Yes* Yes No
SoftDelete An item is deleted from the Deleted
Items folder.
Yes* Yes* Yes
Update An item's properties are updated. Yes* Yes* Yes
Source: https://technet.microsoft.com/en-
us/library/ff461937(v=exchg.160).aspx
18. @ParsonsProject
Enabling Mailbox Audit Logs
Get-Mailbox -ResultSize Unlimited -Filter
{RecipientTypeDetails -eq "UserMailbox"} |
Set-Mailbox -AuditEnabled $true –AuditOwner
“Create, Update, HardDelete, MailboxLogin,
Move, MoveToDeletedItems, SoftDelete”
Important: You will have to run this script on a schedule as this
enable mailbox auditing settings for all current users
21. @ParsonsProject
Pivoting with Audit Log Analysis
+ Take your Audit logs and do some IP lookups
− Identify suspicious countries
− Audit Logs (Protection.Office.com)
− Azure AD Sign In Logs (Portal.Azure.com)
− Identify suspicious Ips
− Proxy Providers
− Cloud Providers
− Identify common User Agents
","ClientIPAddress":“187.36.51.3
","ClientInfoString":"Client=/o
wa/SuiteServiceProxy.aspx;
Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/58.0.3029.110
Safari/537.36 Edge/16.16299"
23. @ParsonsProject
Acquiring Audit Logs (Without a SIEM)
1. Never trust the Audit log GUI
2. Never trust the Audit log GUI
3. Never ever trust the Audit Log GUI
4. ALWAYS Acquire Audit logs via PowerShell
Audit Log GUI Issues
− It will only export up to 50,000 lines per request and will not warn you
− It sometimes won’t get all of the audit logs and won’t tell you
− It sometimes will lie to you on how far back it can acquire audit logs
Search-UnifiedAuditLog -Operations -StartDate 9/1/2017 -EndDate 10/1/2017 -UserIds
aparsons@contoso.com -ResultSize 5000 | Export-Csv “aparsons.csv”
Note: This command and others like it require you to connect to the Exchange Online shell via Powershell first (Tutorial)
25. @ParsonsProject
Data Learned from Pain
+ Via PowerShell, you can’t acquire more than 10,000 records at a time, but
you can do it sequentially and it will show you if you don’t acquire them all
more clearly.
+ If you request too many logs in a short period of time Microsoft will lock you
out for a few minutes. Check out Start-RobustCloudCommand.ps1
+ If you use the GUI, you are limited to 50,000 events and no verification that
you have all of the logs
+ Search for 90 days prior even if the client didn’t have audit logs enabled.
+ Overall, very frustrating process without a SIEM connection
26. @ParsonsProject
Useful Audit Log searches
+ You can use PowerShell to search all audit logs that contain certain IP
addresses (not 100% effective though):
Search-UnifiedAuditLog -ResultSize 5000 -StartDate $startDate -EndDate
$endDate -IPAddresses 45.77.147.170, 187.36.51.*| Export-Csv
"MaliciousIP.csv"
+ You can also use PowerShell to search all audit logs for Mailbox Rule
events to search for additional attacker activity (Only if Exchange
logging has ben enabled by the client)
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations
*-InboxRule | export-csv "AuditLogs_FullInboxRules.csv"
27. @ParsonsProject
Quick Recap: What do we know?
+ With the data collected so far we should know the following:
− Users that were compromised (If the attacker uses obvious foreign IP
addresses or Proxy/VPN solutions)
− Whether the attacker is currently in the environment or has malicious
Mailbox Rules enabled
− What mailbox rules (if any) the attacker may have created (If the client
had mailbox logging enabled)
− This can also help generate a list of users that were targeted.
+ Unanswered Questions
− How many e-mails were sent by the attacker while the user was
compromised?
− How was the user originally compromised?
29. @ParsonsProject
HAWK
+ PowerShell Module released in December 2017
+ Made by Microsoft Support Engineers
+ HAWK will:
− Parse successful logins and resolve the locations
− Export Exchange related Audit Logs
− Export Current Inbox Rules per user
− Export Historical Inbox Rules
− Export Permissions
− Much much more
+ HAWK will NOT:
− Collect all of your audit logs for you
30. @ParsonsProject
HAWK
+ Process (Take a picture of this)
1. Install-Module –Name HAWK
2. Import-Module HAWK
3. Connect to Exchange Via PowerShell
4. Start-HawkTenantInvestigation
5. Start-HawkUserInvestigation
User Investigation Export Subset
Tenant Investigation Export Subset
31. @ParsonsProject
Recap: Quick Wins
+ http://portal.azure.com
− Impossible Sign-ins
− Suspicious Logins
− Collect ALL sign-in logs
+ Run HAWK
− Find Malicious Mailbox Rules
− Get Locations of logins from Audit Logs
32. @ParsonsProject
Finding Phishing E-mail
+ Look for E-mail within 5 days prior to the first malicious login
+ Often something like “John Smith has Shared a Document With you”
+ Attackers often delete and purge e-mails; Default TTL is 14 days
+ If e-mail is no longer present
− Search the Trace Logs
− Trace Logs are detailed logs regarding where the e-mail was sent from,
and includes valuable IP addresses, however they do not have the
contents. (Collection Tutorial)
+ If you need to search for more e-mails across the entire company, you
can do that in the Search pane of the eDiscovery case (Tutorial)
Content Searches will also work exactly the same.
+ Check out PIE! https://github.com/LogRhythm-Labs/PIE
33. @ParsonsProject
Finding the Fraud e-mail
+ Office 365 sometimes keeps track of the IP address in the “x-
originating-ip” header of the e-mail. Scanning the IP can help find
what e-mails were sent fraudulently
+ Process for finding malicious IPs in a PST file
− Process the PST in X-ways
− Copy/export the processed EML files into a folder
− Run an automated script to lookup IP addresses
− Search for suspicious IPs in the report
− Use X-ways/Grep to then search for the identified IPs within the PST
34. @ParsonsProject
Preventative Techniques
+ Enable MFA
+ Look into Azure AD Conditional Access
− Can automatically block suspicious logins (if configured)
− Can blacklist IP subnets and locations
− Catch: Requires Azure Active Directory Premium P2
Tip/Notes: Pair your title slide with any agenda slide.
To remove these notes from the deck, select File > Inspect Presentation…Check for Issues > Inspect Document > check last option, Presentation Notes > Inspect > Remove All
Was a fool and owned a Windows Phone for 5 years
Has too many embarrassing photos
Tip/Notes:
Start here – these are the slides you’ll use most often.
Bullets in text box
Resize header bars left/right as needed
