Posts

Everything you need to know about MailItemsAccessed and more

Last week Microsoft released the highly anticipated and long-awaited MailItemsAccessed operation as part of the Advanced Audit functionality in Office 365. The good news: it is automatically enabled. The bad news: it is only available to customers with an Office 365 or Microsoft 365 E5 license. In this article my colleague Joey Rentenaar and I will provide you with details on the new artefact and share how you can use it to identify which emails were accessed by a threat actor. We have also developed an open-source tool to support analysis of the new artefact, and it is available here. Why is this important? One of the biggest challenges during a Business Email Compromise investigation is determining which emails were accessed by a threat actor. At the moment you have to assume that a threat actor had access to all emails of a compromised account for the duration of a successful compromise. Since a compromise of Personally Identifiable Information (PII) can lead to regulato...

Using the Blue team app for Office 365 & Azure for a BEC investigation

In this post, I will show you how to investigate a BEC attack with my new app. Download my Splunk app here: Splunkbase: splunkbase.splunk.com/app/4667/ Github: github.com/PwC-IR/Blue-team-app-Office-365-and-Azure This app was built for several reasons; one is that I've been helping out a lot of organizations that fell victim to a BEC attack. And I've noticed that most of the BEC attacks follow certain steps to accomplish their goals. With that in mind it should be possible to detect present and ongoing BEC attacks, and that's what I have tried to build into my app. Another reason for this app is that it will help with analysis of the Office Unified Audit Log (UAL), which can be quite challenging because of the format of the data and the level of detail that is recorded. The App So how can we detect a BEC attack based on the UAL with my Splunk app? I have built around 20 unique searches and categorized them into four domains. So ...

Importing Windows Event Log files into Splunk

Introduction In this blog post I will show you how to import Windows event log files into Splunk. I was inspired by this post on how to import '.evtx' files into Elastic and I thought it was a good idea to write this blog on how to achieve the same goal with Splunk. Log analysis is a critical part of DFIR and on numerous occasions I found myself sitting with a bunch of Windows event logs that needed to be analysed. So I hope it will be useful for you as well. Setup your environment For this experiment, I have used a cool dataset published by Blackstorm Security. The dataset contains Windows event log samples associated with specific attack and post-exploitation techniques. The event logs are stored in their repository and categorized per attack type. First step is to download Splunk Enterprise for free here. Next follow the installation steps and upon successful completion, you have your own Splunk server running. Optional, if you want to analyse Sysmon ...

How to respond to a Business Email Compromise - Part 3

This three-part blog series is about Business Email Compromises (BEC) targeting Office 365 environments and our insights as incident responders. The first post can be found here and contains an introduction to BEC attacks and the challenges that often arise in these types of investigations. The second post can be found here and includes an open source script that acquires audit logs from an Office 365 environment. In this post we examine several use cases and explain how to identify suspicious behavior in the Office 365 audit logs. The intent of sharing our knowledge, tooling and experiences of BEC investigations is to help disrupt threat actors, contribute to building trust in society, and encourage other organizations to share their knowledge and help those in need of assistance. Introduction Analyzing the complete Office 365 Unified Audit Log (UAL) is often a challenge because it contains millions of events with no clear indication of where to begin the investigation. This no...

How to respond to a Business Email Compromise - Part 2

This three-part blog series is about Business Email Compromises (BEC) targeting Office 365 environments and our insights as incident responders. The first post can be found here and contains an introduction to BEC attacks and the challenges that often arise in these types of investigations. In this post, we will publish a script that can be used to acquire audit logs from an Office 365 environment. Audit logs are a critical part of BEC investigations, as these can help in determining when an attacker accessed the environment or when a forwarding rule was created. The third post includes information and tips to identify malicious or suspicious behavior in the Office 365 audit logs. The intent of developing an open source script is to share our knowledge, tooling and experiences of BEC investigations. We hope this can help disrupt these threat actors, contribute to building trust in society, and encourage other organizations to share their knowledge and help those in need of assistance...

How to respond to a Business Email Compromise - Part 1

Cloud adoption is growing rapidly, as many businesses move their critical information and infrastructure from locally managed environments to the cloud. However, threat actors are pivoting their operations to target cloud environments at an equally rapid rate. In this new era, cooperation and trust between incident response specialists, businesses, and law enforcement is needed to disrupt these threat actors. The majority of cyber incidents we respond to involve cloud-based business email applications. In these types of incidents, a threat actor gains access to a user's email and often steals money or data. Apart from any direct financial losses or unauthorized access to sensitive data, these incidents can also disrupt business operations that rely on the affected cloud systems every day. This problem is further complicated because the critical information required to investigate cloud-based business email applications is often not available or the know...