Hello Reader,
Things are always changing in forensics, and especially in the forensic analysis of cloud hosted systems. This week's challenge involved Office 365 audit logs, and while the contest was running Microsoft announced welcome changes that, once rolled out, will change both the question and this week's answer. So congratulations to this week's winner, Adam Harrison.
The Challenge:
Explain, in a compromise of an Office 365 account, what you could review in the following circumstances.
Scenario a: only default logging in an E3 plan
Scenario b: Full mailbox auditing turned on
You are attempting in both scenarios to understand the scope of the attacker's access.
The Winning Answer from Adam Harrison:
The first point to note is that a compromise of Office 365 (while commonly referred to as Business Email Compromise (BEC)) is not necessarily limited to email accounts. Depending on how an organisation employs Office 365 they may host a wealth of information besides just email and attachments in O365, much of which could be valuable to an attacker. In the case of the in-scope E3 plan, each compromised user account could potentially expose:
- Exchange — Email messages, attachments and Calendars (Mailbox size up to 100GB)
- OneDrive — 1TB per user, unless increased by admins to up to 25TB.
- SharePoint — Whatever sites that user has access to.
- Skype — Messages, call and video call history data
- Microsoft Teams — Messages, call and video call history data as well as data within integrated apps.
- Yammer — Whatever it is people actually do on Yammer. Are you prepared for a full compromise of your organisation's memes, reaction gifs and cat pictures?
All of that before you concern yourself with the likelihood of credential reuse, passwords which may be stored within O365 (within documents and emails) for other services, delegated access to other mailboxes and MDM functionality.
Specifically answering the two questions:
Scenario a: only default logging in an E3 plan
Below is a non-comprehensive list of evidence sources which may be available to an examiner to assist in understanding the scale/scope of an O365 compromise:
- Unified Audit Log, via Audit Log Search in the Security & Compliance Centre and accessible using the Search-UnifiedAuditLog cmdlet. This will need to be enabled if not already enabled and will provide retrospective visibility if enabled after the fact.
- Mailbox Content
- Read Tracking
- Message Tracking Logs
- Mailbox Rule information
- Proxy Logs / DNS Logs / Endpoint AV Logs / SIEM
- Office 365 Management Activity API
- Azure Active Directory reports and Reporting Audit API (with Azure AD P1/P2)
Scenario b: Full mailbox auditing turned on
By default, Auditing is not enabled, nor are the more granular Mailbox Auditing and SharePoint Site Collection Audit options. However, if we assume that 'audit log search' has been enabled as well as the optional logging associated with enabling 'mailbox auditing', and that audit has been configured for all SharePoint site collections, then the following additional evidence sources become available.
- Unified Audit Log - but now with more detailed events recorded as a result of enabling 'mailbox auditing'. The 'Search-MailboxAuditLog' cmdlet will now also be available.
- SharePoint Audit log reports
It should be noted that simply enabling mailbox audit logging for all mailboxes is not enough to capture all useful events. By default, only the 'UpdateFolderPermissions' action is logged, with additional events requiring configuration; these include Create, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete and Update events.
SharePoint audit logging is pretty granular and, in my experience, rarely enabled. However, if correctly configured, a record of user actions including document access, modification and deletion actions can be generated.
These evidence sources, their usefulness and some suggested methodologies to leverage them are outlined in my recent blog post.
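As an added example (not part of the challenge or of Adam Harrison's answer), here is the Exchange Online PowerShell an examiner would run to work both scenarios: check whether the unified audit log is being ingested, pull and triage the events that exist under default E3 logging (sign-in IPs, inbox-rule and forwarding changes, current rules, message trace), and then switch on the extra mailbox audit actions listed above so that Search-MailboxAuditLog starts collecting per-item evidence. The UPN, date window and output folder are assumptions; the cmdlets and parameters are the real Exchange Online ones. One caveat worth stating plainly: enabling the unified audit log or mailbox auditing only records events from that point forward, so nothing is backfilled for the period before it was switched on.

```powershell
# Added example (not from the challenge or from Adam Harrison's answer).
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline)
# with the View-Only Audit Logs role; the UPN, date window and output path are placeholders.
$User  = 'victim@example.com'
$Start = (Get-Date).AddDays(-90)
$End   = Get-Date
$Out   = 'C:\Cases\o365'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Step 0: confirm the unified audit log is being ingested. Enabling it later does not
# backfill; nothing before the enable date will ever appear in Search-UnifiedAuditLog.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is OFF: no retrospective visibility. Enabling for the future.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Scenario a (default E3 logging): page through every UAL record for the user.
# ReturnLargeSet needs a constant SessionId and returns up to 5000 records per call; it can
# hand back duplicates, so de-duplicate on Identity before analysis.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)
$records = $records | Sort-Object Identity -Unique
$records | Export-Csv -Path (Join-Path $Out 'ual_raw.csv') -NoTypeInformation

# AuditData is a JSON string; expand it so its fields become properties.
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# 1. Which IPs authenticated as the user, and how often? Unfamiliar geographies or ASNs
#    here are the first pointer to the attacker's sessions.
$events | Where-Object { $_.Operation -eq 'UserLoggedIn' } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, @{n='ClientIP';e={$_.Name}} | Format-Table -AutoSize

# 2. Persistence: inbox rule, forwarding and delegation changes are admin-audited by default.
$persist = 'New-InboxRule','Set-InboxRule','Remove-InboxRule','UpdateInboxRules',
           'Set-Mailbox','Add-MailboxPermission','Add-RecipientPermission'
$events | Where-Object { $_.Operation -in $persist } |
    Select-Object CreationTime, Operation, ClientIP,
        @{n='Parameters';e={ ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }} |
    Format-Table -Wrap

# 3. What is configured right now (rules created from Outlook/EWS may lack parameters above).
Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
Get-Mailbox $User | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Message tracking: what left the mailbox (Get-MessageTrace only covers the last 10 days).
Get-MessageTrace -SenderAddress $User -StartDate (Get-Date).AddDays(-10) -EndDate $End |
    Select-Object Received, RecipientAddress, Subject, Status |
    Export-Csv -Path (Join-Path $Out 'messagetrace.csv') -NoTypeInformation

# Scenario b (full mailbox auditing): turn on the actions beyond the default
# UpdateFolderPermissions for every user mailbox. This only affects events from now on.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' `
        -AuditOwner    @{Add='Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update'} `
        -AuditDelegate @{Add='Create','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update'} `
        -AuditAdmin    @{Add='Copy','Create','HardDelete','Move','MoveToDeletedItems','SoftDelete','Update'}

# Verify the change took on the victim mailbox.
Get-Mailbox $User | Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# With mailbox auditing on, per-item activity (logins, delegate access, moves, deletes)
# becomes searchable; sessions from the IPs found in step 1 can be tied to the folders
# and item subjects they touched.
Search-MailboxAuditLog -Identity $User -LogonTypes Owner,Delegate,Admin -ShowDetails `
        -StartDate $Start -EndDate $End |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, ClientIPAddress,
                  ClientInfoString, FolderPathName, ItemSubject, SourceItemSubjectsList |
    Export-Csv -Path (Join-Path $Out 'mailboxaudit.csv') -NoTypeInformation
```

Run the scenario a section first and save its output before touching any audit settings, so that the raw UAL export reflects the state of the tenant as found. The Set-Mailbox step is deliberately tenant-wide rather than limited to the known victim, because at the scoping stage you do not yet know which other mailboxes the same credentials or delegations reached.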