Forensically Sound Incident Response in Office 365 - SANS DFIR Summit 2018
•Download as PPTX, PDF•
1 like•5,297 views
Presented at the 2018 SANS DFIR Summit by Devon Ackerman, Associate Managing Director, Cyber Risk A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the system evolves, new features are introduced, and older capabilities are deprecated. Devon Ackerman’s presentation is based on two years’ worth of collection of forensics and incident response data in Microsoft’s Office 365 and Azure environments, combining knowledge from over a hundred Office 365 investigations, primarily centered around Business Email Compromise (BEC) and insider threat cases. Densely packed into a 35-minute presentation, Devon walks through the numerous forensic, incident response, and evidentiary aspects of Office 365. More from Devon Ackerman: https://www.kroll.com/en-us/who-we-are/kroll-experts/devon-ackerman
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Forensically Sound Incident Response in Office 365 - SANS DFIR Summit 2018
Similar to Forensically Sound Incident Response in Office 365 - SANS DFIR Summit 2018 (20)
Recently uploaded
Recently uploaded (20)
Forensically Sound Incident Response in Office 365 - SANS DFIR Summit 2018
- 1. Forensically Sound Incident Response in Microsoft’s Office 365 DEVON ACKERMAN | SANS DFIR SUMMIT 2018
- 3. Limitations and Drawbacks • Logouts • Messages • SearchTerms • Attachments • Length of Session
- 4. Audit log search isn’t turned on. To turn it on, click “Start recording user and admin activities” at the top of the page. Start recording user and admin activities
- 6. 1. Establish a Global Admin account 2. Identify at risk email accounts 3. Export the log 4. Analysis of the UAL
- 7. •O365 Security & Compliance •https://protection.office.com •O365 Admin Center •https://portal.office.com/adminportal •Windows Azure •https://manage.windowsazure.com •Windows PowerShell •Pshell for O365 by Nathan Mitchell
- 8. Responding 1. Establish a Global Admin account 2. Identify at risk email accounts 3. Export the log 4. Analysis of the UAL
- 9. Responding 1. Establish a Global Admin account 2. Identify at risk email accounts 3. Export the log 4. Analysis of the UAL
- 11. Microsoft Humor… • Microsoft’s browsers work best – Edge or IE11 • Certain fields will not populate or drop-down correctly in Firefox and Chrome • The eDiscovery PST export tool requires Internet Explorer • Azure AD
- 14. Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner “Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create, MailboxLogin”
- 15. Responding 1. Establish a Global Admin account 2. Identify at risk email accounts 3. Export the log 4. Analysis of the UAL
- 18. • UserLoggedIn • PasswordLogonInitialAuthUsingPassword • ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken • PasswordLogonInitialAuthUsingADFSFederatedToken • ForeignRealmIndexLogonCookieCopyUsingDAToken • PasswordLogonCookieCopyUsingDAToken
- 19. {"CreationTime":"2018-01-19T16:11:25","Id":"f8fast70-2bbe-456f-8sea- 7513rfasf2541","Operation":"UserLoggedIn","OrganizationId":"b3bas52-8487-484f-8a41- 45a6f1a235","RecordType":15,"ResultStatus":"Succeeded","UserKey":“123451BEEF125@A boutDFIR.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":“1 5.16.17.181","ObjectId":"Unknown","UserId":“devon.ackerman@AboutDFIR.com","AzureA ctiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":" Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"}, {"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OrgI dWsTrust2:process"},{"Name":"ResultStatusDetail","Value":"Success"}],"Actor":[{"ID":"4d4 6d3bd-95b3-4cad-bcda-88cddfdc2c52","Type":0}, {"ID":"devon.ackerman@AboutDFIR.com","Type":5},{"ID":“1245ASGSAF312351","Type":3}] ,"ActorContextId":“fasd631-1240-4125c-9125a-b32515asg31", "ActorIpAddress":"15.16.17.181","InterSystemsId":"4dsF1-g12wb-512a-8sd- 0a8asdzxg324","IntraSystemId":“adfas32-6afsd-4adf1-b562- f336135a14110","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":“fast12b-124f- 490c-9a15-b60621e1617y","ApplicationId":“f13241-2412-4422-san-sr0ck$1rs38"}
- 20. {"CreationTime":"2018-01-19T16:11:25","Id":"f8fast70-2bbe-456f-8sea- 7513rfasf2541","Operation":"UserLoggedIn","OrganizationId":"b3bas52-8487-484f-8a41- 45a6f1a235","RecordType":15,"ResultStatus":"Succeeded","UserKey":“123451BEEF125@A boutDFIR.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":“1 5.16.17.181","ObjectId":"Unknown","UserId":“devon.ackerman@AboutDFIR.com","AzureA ctiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"UserAgent","Value":" Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4737; Pro)"}, {"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OrgI dWsTrust2:process"},{"Name":"ResultStatusDetail","Value":"Success"}],"Actor":[{"ID":"4d4 6d3bd-95b3-4cad-bcda-88cddfdc2c52","Type":0}, {"ID":"devon.ackerman@AboutDFIR.com","Type":5},{"ID":“1245ASGSAF312351","Type":3}] ,"ActorContextId":“fasd631-1240-4125c-9125a-b32515asg31", "ActorIpAddress":"15.16.17.181","InterSystemsId":"4dsF1-g12wb-512a-8sd- 0a8asdzxg324","IntraSystemId":“adfas32-6afsd-4adf1-b562- f336135a14110","Target":[{"ID":"Unknown","Type":0}],"TargetContextId":“fast12b-124f- 490c-9a15-b60621e1617y","ApplicationId":“f13241-2412-4422-san-sr0ck$1rs38"}
- 22. The end goal of UAL analysis is to identify if unauthorized access did occur, when, and what else the actor did while in the account
- 23. Groupings to be aware of Mail rule creation Geolocation of IP addresses IPs that are part of netblocks User Agent Strings Baselining User Activity
- 24. Client=Microsoft.Exchange.Mapi; Microsoft Office/16.0 (Windows NT 6.1; Microsoft Outlook 16.0.8201; Pro) Client=POP3/IMAP4;Protocol=IMAP4 Client=Microsoft.Exchange.ActiveSync; Apple- iPhone8C1/1302.143
- 27. Diving Deeper • Search-UnifiedAuditLog -IPAddresses "123.123.123.123" -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-csv "C:ipaddress.csv“ • Search-UnifiedAuditLog -IPAddresses IPaddress1,IPaddress2 -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | Export-csv "C:ipaddress.csv"
- 28. Beyond the UAL Sufficient licensing level of O365 tenant is required MICROSOFT’S AZURE ACTIVE DIRECTORY
- 30. • get-mailbox -id devon@AboutDFIR.com | select whenCreated • get-mailboxstatistics -id devon@AboutDFIR.com • get-mailbox devon@AboutDFIR.com | fl name,*audit*
- 31. • “Search & investigation” > “Content search” • GlobalAdmin account > eDiscovery Admin role to preview and download results of searches.
- 32. Hello Frank, Per our prior conversation, please let me know what you think about it. YoursTruley, Julie Attachment: companyllp.doc
- 33. Julie, Is this legitimate? Thank you, Frank
- 34. Frank, Yes it is Frank, Yes it is, I sent it.
- 35. Email Analysis • Phishing email w/an attachment • forensics revealed that the user had opened the phishing email • clicked the link • accessed the web page • had submitted their credentials • after the webpage returned an error, the user then returned to the phishing email and sent back the following in a Reply: “Send me something that I can open and not something that makes me feel uncomfortable.”
- 36. Domain Auto Forwarding Blocks PowerShell commands for domain-specific auto forwarding block • New-RemoteDomain -Name ExternalDomain -DomainName notAboutDFIR.com • Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled:$FALSE The change can be verified with the PowerShell command • Get-RemoteDomain ExternalDomain | fl domainname,autoforwardenabled • Another option can be found in the Office365 portal under: AdminSecurity and Compliancesecure ScoreEnable Client Forwarding Rules Block.
- 37. “For every security mechanism devised, there is someone who will subvert or defeat it.” @AboutDFIR linkedin.com/in/devonackerman devon.ackerman@kroll.com
Editor's Notes
- As of October 2017 the calendar that will display to the incident responder (to select history of data to export) will indicate presence of log data on each day by color coding. A grey date is not selectable and will not contain data A black date is selectable and contains data By default, the UAL maintains data for 90 days Experience and research has observed as few as 30 days and up to 120 days are possibilities
- Once the log has been queried for user(s) accounts in question, the top right-hand corner of the page displays an export option. This will download a file containing data in JavaScript Object Notation (JSON) for the events the user selected to be queried.
- This table captures email-related operators that can be captured and written to the Unified Audit Log It also designates what is captured by default or must be manually enabled through PowerShell. Notice that FolderBind and Message Bind cannot be enabled for Owner level accounts for the UAL.
- Green -> On by default Red -> Can be enabled – the 2nd tier of logging
- JSON file format with information about multiple properties.
- JSON file format with information about multiple properties.
- Global Admins are never popped, right? Forensic evidence of email account access will not be in the target/victim account, it will be in the log data for the Global Admin that established delegate rights and accessed the target account.
- Establishing a baseline of access activity before the event allows for quicker identification of outliers. Forensic Fact: Unified Audit Logs default to UTC (Coordinated Universal Time, not the time zone of the user’s Office 365 account.
- Enabling of this Forwarding is not considered a mail rule and does not leave the traditional forensic artifacts in the logs. It also can not be identified through the Outlook Client.
- Run PowerShell Queries to Search globally across the tenant for those IP’s. Do they exist on any other accounts for associated Login events? If yes, then the cycle repeats - inspect those accounts further for signs of unauthorized access that may be prior unknown to those account holders. Search netblocks Example: If the offending unauthorized user originated from an IP address of 121.121.121.121, then a potentially useful search technique would be searching for all IPs in the netblock range that match the first three octets such as searching for 121.121.121* Since some actors come from servers within a similar range, this can be a helpful technique.
- If UAL wasn’t enabled, and you are within 30 day window, this may be a useful area of evidence to preserve. Based on conversations direct with Technical Leads at Microsoft’s Identity Cloud team, it was verified that Azure Active Directory logs remain separate and apart from the Unified Audit log as they contain Azure specific data.