Posts

Using the Blue team app for Office 365 & Azure for a BEC investigation

In this post, I will show you how to investigate a BEC attack with my new app. Download my Splunk app here:
Splunkbase: splunkbase.splunk.com/app/4667/
Github: github.com/PwC-IR/Blue-team-app-Office-365-and-Azure
This app was built for several reasons. One is that I've been helping out a lot of organizations that fell victim to a BEC attack, and I've noticed that most BEC attacks follow certain steps to accomplish their goals. With that in mind, it should be possible to detect present and ongoing BEC attacks, and that's what I have tried to build into my app. Another reason for this app is that it will help with analysis of the Office 365 Unified Audit Log (UAL), which can be quite challenging because of the format of the data and the level of detail that is recorded.
The App
So how can we detect a BEC attack based on the UAL with my Splunk app? I have built around 20 unique searches and categorized them into four domains. So far, I have been able to identify (ongoin…

Importing Windows Event Log files into Splunk

Introduction
In this blog post I will show you how to import Windows event log files into Splunk. I was inspired by this post on how to import '.evtx' files into Elastic and I thought it was a good idea to write this blog on how to achieve the same goal with Splunk. Log analysis is a critical part of DFIR, and on numerous occasions I have found myself sitting with a bunch of Windows event logs that needed to be analysed. So I hope it will be useful for you as well.
Set up your environment
For this experiment, I have used a cool dataset published by Blackstorm Security. The dataset contains Windows event log samples associated with specific attack and post-exploitation techniques. The event logs are stored in their repository and categorized per attack type.
The first step is to download Splunk Enterprise for free here.
Next, follow the installation steps; upon successful completion, you have your own Splunk server running.
Optional: if you want to analyse Sysmon logging, you need to make sure …

How to respond to a Business Email Compromise - Part 3

This three-part blog series is about Business Email Compromises (BEC) targeting Office 365 environments and our insights as incident responders. The first post can be found here and contains an introduction to BEC attacks and the challenges that often arise in these types of investigations. The second post can be found here and includes an open source script that acquires audit logs from an Office 365 environment. In this post we examine several use cases and explain how to identify suspicious behavior in the Office 365 audit logs. The intent of sharing our knowledge, tooling and experiences of BEC investigations is to help disrupt threat actors, contribute to building trust in society, and encourage other organizations to share their knowledge and help those in need of assistance.

Introduction
Analyzing the complete Office 365 Unified Audit Log (UAL) is often a challenge because it contains millions of events with no clear indication of where to begin the investigation. This notion b…

How to respond to a Business Email Compromise - Part 2

This three-part blog series is about Business Email Compromises (BEC) targeting Office 365 environments and our insights as incident responders. The first post can be found here and contains an introduction to BEC attacks and the challenges that often arise in these types of investigations. In this post, we will publish a script that can be used to acquire audit logs from an Office 365 environment. Audit logs are a critical part of BEC investigations, as these can help in determining when an attacker accessed the environment or when a forwarding rule was created. The third post includes information and tips to identify malicious or suspicious behavior in the Office 365 audit logs.
The intent of developing an open source script is to share our knowledge, tooling and experiences of BEC investigations. We hope this can help disrupt these threat actors, contribute to building trust in society, and encourage other organizations to share their knowledge and help those in need of assistance.…

How to respond to a Business Email Compromise - Part 1

The adoption of cloud services is growing rapidly, as many businesses move their critical information and infrastructure from locally managed environments to the cloud. However, threat actors are also pivoting their operations to target cloud environments at an equally rapid rate. In this new era, cooperation and trust between incident response specialists, businesses, and law enforcement is needed to disrupt these threat actors. The majority of cyber incidents we respond to involve cloud-based business email applications. In these types of incidents, a threat actor gains access to a user’s email and often steals money or data. Apart from any direct financial losses or unauthorized access to sensitive data, these incidents can also disrupt the business operations that rely on its cloud systems every day. This problem is further complicated because the critical information required to investigate cloud-based business email applications is often not available or the knowl…