Presented at the 2018 SANS DFIR Summit by Devon Ackerman, Associate Managing Director, Cyber Risk
A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. Devon Ackerman’s presentation is based on two years of collecting forensic and incident response data in Microsoft’s Office 365 and Azure environments, combining knowledge from over a hundred Office 365 investigations, primarily centered on Business Email Compromise (BEC) and insider threat cases.
Densely packed into a 35-minute presentation, Devon walks through the numerous forensic, incident response, and evidentiary aspects of Office 365.
More from Devon Ackerman: https://www.kroll.com/en-us/who-we-are/kroll-experts/devon-ackerman
4. Audit log search isn’t turned on. To turn it on, click “Start recording user and admin activities” at the top of the page.
11. Microsoft Humor…
• Microsoft’s browsers work best: Edge or IE11
• Certain fields will not populate or drop down correctly in Firefox and Chrome
• The eDiscovery PST export tool requires Internet Explorer
• Azure AD
35. Email Analysis
• Phishing email with an attachment
• Forensics revealed that the user had opened the phishing email
• clicked the link
• accessed the web page
• had submitted their credentials
• after the web page returned an error, the user then returned to the phishing email and sent back the following in a reply:
“Send me something that I can open and not something that makes me feel uncomfortable.”
36. Domain Auto Forwarding Blocks
PowerShell commands for a domain-specific auto forwarding block:
• New-RemoteDomain -Name ExternalDomain -DomainName notAboutDFIR.com
• Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled:$FALSE
The change can be verified with the PowerShell command:
• Get-RemoteDomain ExternalDomain | fl domainname,autoforwardenabled
• Another option can be found in the Office 365 portal under: Admin > Security and Compliance > Secure Score > Enable Client Forwarding Rules Block.
37. “For every security mechanism devised, there is someone who will subvert or defeat it.”
@AboutDFIR
linkedin.com/in/devonackerman
devon.ackerman@kroll.com
Editor's Notes
As of October 2017 the calendar that will display to the incident responder (to select history of data to export) will indicate presence of log data on each day by color coding.
A grey date is not selectable and will not contain data
A black date is selectable and contains data
By default, the UAL maintains data for 90 days
Experience and research have shown that retention periods as short as 30 days and as long as 120 days are possible.
Once the log has been queried for user(s) accounts in question, the top right-hand corner of the page displays an export option.
This will download a file containing data in JavaScript Object Notation (JSON) for the events the user selected to be queried.
This table captures the email-related operations that can be captured and written to the Unified Audit Log.
It also designates what is captured by default and what must be manually enabled through PowerShell.
Notice that FolderBind and MessageBind cannot be enabled for Owner-level accounts in the UAL.
Green -> On by default
Red -> Can be enabled (the 2nd tier of logging)
JSON file format with information about multiple properties.
Global Admins are never popped, right?
Forensic evidence of email account access will not be in the target/victim account, it will be in the log data for the Global Admin that established delegate rights and accessed the target account.
Establishing a baseline of access activity before the event allows for quicker identification of outliers.
Forensic Fact: Unified Audit Logs default to UTC (Coordinated Universal Time), not the time zone of the user’s Office 365 account.
Enabling this forwarding is not considered a mail rule and does not leave the traditional forensic artifacts in the logs. It also cannot be identified through the Outlook client.
Run PowerShell queries to search globally across the tenant for those IPs.
Do they exist on any other accounts for associated login events?
If yes, then the cycle repeats: inspect those accounts further for signs of unauthorized access that may be previously unknown to those account holders.
Search netblocks
Example: If the offending unauthorized user originated from an IP address of 121.121.121.121, then a potentially useful search technique would be searching for all IPs in the netblock range that match the first three octets such as searching for 121.121.121*
Since some actors come from servers within a similar range, this can be a helpful technique.
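The tenant-wide IP and netblock pivot described above, together with the baseline comparison and the UTC caveat from the earlier notes, as an added Python example that is not part of the presentation or Kroll’s tooling. It assumes the UAL export is a JSON list of AuditData objects with CreationTime, Operation, UserId and ClientIP fields; the accounts, addresses and timestamps in the sample export are constructed for this example.

```python
"""Triage helpers for a Unified Audit Log (UAL) JSON export (added example).

Assumes the export is a JSON list of AuditData objects carrying CreationTime,
Operation, UserId and ClientIP; the sample records below are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: field names follow the UAL AuditData schema,
# every account, address and time is invented for this example.
SAMPLE_UAL_EXPORT = json.dumps([
    {"CreationTime": "2018-03-01T08:05:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.10"},
    {"CreationTime": "2018-03-02T08:07:30", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.11"},
    {"CreationTime": "2018-03-03T07:59:00", "Operation": "UserLoggedIn",
     "UserId": "dave@example.com", "ClientIP": "198.51.100.12"},
    {"CreationTime": "2018-03-05T14:22:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "121.121.121.121"},
    {"CreationTime": "2018-03-05T14:25:41", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "121.121.121.121:52344"},
    {"CreationTime": "2018-03-06T02:03:55", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "121.121.121.77"},
    {"CreationTime": "2018-03-06T09:10:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.11"},
    {"CreationTime": "2018-03-07T11:45:12", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "ClientIP": "[2001:db8::1]:443"},
    {"CreationTime": "2018-03-07T16:00:00", "Operation": "UserLoggedIn",
     "UserId": "dave@example.com", "ClientIP": "198.51.100.12"},
])


def load_records(raw_json):
    """Parse the exported JSON document into a list of record dicts."""
    return json.loads(raw_json)


def parse_client_ip(value):
    """Address part of a ClientIP value, or None if absent or unparseable.
    Some records carry a port ("1.2.3.4:443") or a bracketed IPv6 form
    ("[2001:db8::1]:443"); sign-in records usually carry a bare address."""
    if not value:
        return None
    if value.startswith("["):            # bracketed IPv6, port after ']'
        value = value[1:value.index("]")]
    elif value.count(":") == 1:          # IPv4 with a trailing port
        value = value.split(":", 1)[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def as_utc(iso_text):
    """UAL timestamps carry no offset but are UTC; attach it explicitly so
    they are never misread as the analyst's or the user's local time."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def netblock_of(ip, prefix_len=24):
    """Containing netblock; /24 is the "first three octets" search."""
    return ipaddress.ip_network((ip, prefix_len), strict=False)


def logins_by_user(records):
    """UserId -> list of (UTC time, address) for UserLoggedIn events only."""
    out = defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "UserLoggedIn":
            continue
        ip = parse_client_ip(rec.get("ClientIP"))
        if ip is not None:
            out[rec["UserId"]].append((as_utc(rec["CreationTime"]), ip))
    return out


def accounts_from_netblocks(records, offending_ips, prefix_len=24):
    """Tenant-wide search: every account with a login from the netblocks of
    the offending IPs, plus the other addresses those accounts logged in
    from, which are the next leads for the responder to assess by hand."""
    nets = {netblock_of(ipaddress.ip_address(s), prefix_len) for s in offending_ips}
    leads = {}
    for user, events in logins_by_user(records).items():
        hits = [(t.isoformat(), str(ip)) for t, ip in sorted(events)
                if any(ip in n for n in nets)]
        if hits:
            others = sorted({str(ip) for _, ip in events
                             if not any(ip in n for n in nets)})
            leads[user] = {"hits": hits, "other_login_ips": others}
    return leads


def baseline_outliers(records, incident_start_iso, prefix_len=24):
    """Logins on or after incident_start (UTC) from a netblock the account
    never used before it; the pre-incident history is the baseline, and an
    account with no history before the cutoff has all its logins flagged."""
    cutoff = as_utc(incident_start_iso)
    outliers = defaultdict(list)
    for user, events in logins_by_user(records).items():
        baseline = {netblock_of(ip, prefix_len) for t, ip in events if t < cutoff}
        for t, ip in sorted(events):
            if t >= cutoff and netblock_of(ip, prefix_len) not in baseline:
                outliers[user].append((t.isoformat(), str(ip)))
    return dict(outliers)


if __name__ == "__main__":
    recs = load_records(SAMPLE_UAL_EXPORT)
    print(accounts_from_netblocks(recs, ["121.121.121.121"]))
    print(baseline_outliers(recs, "2018-03-05T00:00:00"))
```

The netblock search deliberately stops after one hop: the other login addresses of an implicated account are returned as leads rather than fed back in automatically, because most of them will be that user’s legitimate locations and the decision that an address is hostile is the responder’s, as the notes describe.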
If the UAL wasn’t enabled and you are within the 30-day window, this may be a useful area of evidence to preserve.
Based on direct conversations with Technical Leads at Microsoft’s Identity Cloud team, it was verified that Azure Active Directory logs remain separate and apart from the Unified Audit Log, as they contain Azure-specific data.