Sunday, July 15, 2018

Daily Blog #422 Solution Saturday 7/14/18

Hello Reader,
         Things are always changing in forensics and especially forensic analysis of cloud hosted systems. This weeks challenge involved Office 365 audit logs and while the contest was going this week Microsoft announced welcome changes that will be rolled out that will change both the question and this weeks answer. So congratulations to this weeks winner Adam Harrison .



The Challenge:
Explain in a compromise of a Office365 account what you could review in the following circumstances.

Scenario a: only default logging in a E3 plan

Scenario b: Full mailbox auditing turned on

You are attempting in both scenarios to understand the scope of the attackers access 





The Winning Answer from Adam Harrison:


The first point to note is that a compromise of Office 365 (while commonly referred to as Business Email Compromise (BEC)) is not necessarily limited to email accounts. Depending on how an organisation employs Office 365 they may host a wealth of information besides just email and attachments in O365, much of which could be valuable to an attacker. In the case of the in-scope E3 plan, each compromised user account could potentially expose:

Exchange — Email messages, attachments and Calendars (Mailbox size up to 100GB)
OneDrive — 1TB per user, unless increased by admins to up to 25TB.
SharePoint — Whatever sites that user has access to.
Skype — Messages, call and video call history data
Microsoft Teams — Messages, call and video call history data as well as data within integrated apps.
Yammer — Whatever it is people actually do on Yammer. Are you prepared for a full compromise of your organisation's memes, reaction gifs and cat pictures?

All of that before you concern yourself with the likelihood of credential reuse, passwords which may be stored within O365 (Within documents and emails) for other services, delegated access to other mailboxes and MDM functionality.

Specifically answering the two questions:

Scenario a: only default logging in a E3 plan

Below is a non-comprehensive list of evidence sources which may be available to an examiner to assist in understanding the scale/scope of an O365 compromise:

  • Unified Audit Log, via Audit Log Search in the Security & Compliance Centre and accessible using Search-UnifiedAuditLog' cmdlet. This will need to be enabled if not already enabled and will provide retrospective visibility if enabled after the fact.
  • Mailbox Content
  • Read Tracking 
  • Message Tracking Logs
  • Mailbox Rule information
  • Proxy Logs/ DNS Logs/ Endpoint AV Logs / SIEM
  • Office 365 Management Activity API
  • Azure Active Directory reports and Reporting Audit API (With Azure AD P1/P2)

Scenario b: Full mailbox auditing turned on

By default, Auditing is not enabled, nor are the more granular Mailbox Auditing and SharePoint Site Collection Audit options. However, if we assume that 'audit log search' has been enabled as well as the optional logging associated with enabling 'mailbox auditing' and that audit has been configured for all SharePoint site collections then the following additional evidence sources become available.

  • Unified Audit Log - but now with more detailed events recorded as a result of enabling 'mailbox auditing'. The 'Search-MailboxAuditLog' will now also be available.
  • SharePoint Audit log reports

It should be noted that simply enabling mailbox audit logging for all mailboxes is not enough to capture all useful events. By default, only the 'UpdateFolderPermissions' action is logged with additional events requiring configuration, these include Create, HardDelete, MailboxLogin, Move, MoveToDeletedltems, SoftDelete and Update events.

SharePoint audit logging is pretty granular and, in my experience, rarely enabled. However, if correctly configured a record of user actions including document access, modification and deletion actions can be generated.

These evidence sources, their usefulness and some suggested methodologies to leverage them are outlined in my recent blog post.