Repository of attack and defensive information for Business Email Compromise investigations
| Description | Author | Link |
|---|---|---|
| Lina Lau | Backdoor Office 365 and Active Directory - Golden SAML | |
| Lina Lau | Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I | |
| Lina Lau | Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II | |
| Mike Felch and Steve Borosh | Socially Acceptable Methods to Walk in the Front Door | |
| Mandiant | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | |
| Andy Robbins at SpecterOps | Azure Privilege Escalation via Service Principal Abuse | |
| Emilian Cebuc & Christian Philipov at F-Secure | Has anyone seen the principal? | |
| nyxgeek at TrustedSec | Creating A Malicious Azure AD Oauth2 Application |
| Description | Author | Link |
|---|---|---|
| Devon Ackerman (SANS DFIR Summit 2018) | A Planned Methodology for Forensically Sound IR in Office 365 | |
| Matt Bromiley | Business Email Compromise; Office 365 Making Sense of All the Noise | |
| PWC IR | Business Email Compromise Guide | |
| Korstiann Stam (SANS DFIR Summit 2021) | A Holistic Approach to Defending Business Email Compromise (BEC) Attacks | |
| M365 Internals | Everything About Service Principals, Applications, And API Permissions | |
| M365 Internals | What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD | |
| M365 Internals | Incident Response In A Microsoft Cloud Environment | |
| M365 Internals | Incident Response Series: Reviewing Data In Azure AD For Investigation | |
| M365 Internals | Incident Response Series: Collecting And Analyzing Logs In Azure Ad | |
| Microsoft | How automated investigation and response works in Microsoft Defender for Office 365 | |
| Microsoft | Incident Response playbooks | |
| Brendan Mccreesh | Matching the O365 MachineID to a computer’s MachineGUID |
| Description | Author | Link |
|---|---|---|
| A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus Incident Response | O365 Dataset |
| Description | Author | Link |
|---|---|---|
| Megan Roddie | Automating Google Workspace Incident Response | |
| Megan Roddie | GSuite Digital Forensics and Incident Response | |
| Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk | |
| Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace | |
| Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations | |
| Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics |
| Description | Author | Link |
|---|---|---|
| Kuba Gretzky | Evilginx2 | |
| MDSec | o365-attack-toolkit |
| Description | Author | Link |
|---|---|---|
| Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
| Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
| Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
| The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
| This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
| This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
| MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
| This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
| Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and 0365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
| This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest. | Ian Day | o365AuditParser |
| DART AzureAD IR Powershell Module | Microsoft DART | AzureADIncidentResponse |
| Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
| Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
| This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
| Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
| A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
| SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
| Description | Author | Link |
|---|---|---|
| David Cowen, Pierre Lidome, Josh Lemon at SANS | FOR509: Enterprise Cloud Forensics and Incident Response |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent