Repository of attack and defensive information for Business Email Compromise investigations
Author | Title | Link |
---|---|---|
Lina Lau | Backdoor Office 365 and Active Directory - Golden SAML | |
Lina Lau | Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I | |
Lina Lau | Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II | |
Mike Felch and Steve Borosh | Socially Acceptable Methods to Walk in the Front Door | |
Mandiant | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | |
Andy Robbins at SpecterOps | Azure Privilege Escalation via Service Principal Abuse | |
Emilian Cebuc & Christian Philipov at F-Secure | Has anyone seen the principal? | |
nyxgeek at TrustedSec | Creating A Malicious Azure AD Oauth2 Application | |
Author | Title | Link |
---|---|---|
Devon Ackerman (SANS DFIR Summit 2018) | A Planned Methodology for Forensically Sound IR in Office 365 | |
Matt Bromiley | Business Email Compromise; Office 365 Making Sense of All the Noise | |
PWC IR | Business Email Compromise Guide | |
Korstiaan Stam (SANS DFIR Summit 2021) | A Holistic Approach to Defending Business Email Compromise (BEC) Attacks | |
M365 Internals | Everything About Service Principals, Applications, And API Permissions | |
M365 Internals | What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD | |
M365 Internals | Incident Response In A Microsoft Cloud Environment | |
M365 Internals | Incident Response Series: Reviewing Data In Azure AD For Investigation | |
M365 Internals | Incident Response Series: Collecting And Analyzing Logs In Azure AD | |
Microsoft | How automated investigation and response works in Microsoft Defender for Office 365 | |
Microsoft | Incident Response playbooks | |
Brendan McCreesh | Matching the O365 MachineID to a computer's MachineGUID | |
Description | Author | Link |
---|---|---|
A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus Incident Response | O365 Dataset |
Author | Title | Link |
---|---|---|
Megan Roddie | Automating Google Workspace Incident Response | |
Megan Roddie | GSuite Digital Forensics and Incident Response | |
Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk | |
Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace | |
Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations | |
Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics | |
Author | Tool | Link |
---|---|---|
Kuba Gretzky | Evilginx2 | |
MDSec | o365-attack-toolkit | |
Description | Author | Link |
---|---|---|
Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
Queries Azure AD/O365 tenant configuration to surface hard-to-find permissions and settings, helping organizations secure these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
Hawk aims to be a community-led tool that gives security support professionals what they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
This project helps facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
This script processes Microsoft Office365 Protection Center audit logs into a usable form that allows efficient filtering and pivoting on events of interest. | Ian Day | o365AuditParser |
DART AzureAD IR Powershell Module | Microsoft DART | AzureADIncidentResponse |
Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
Script to retrieve information via O365 and AzureAD with valid credentials | nyxgeek | o365recon |
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
Author | Course | Link |
---|---|---|
David Cowen, Pierre Lidome, Josh Lemon at SANS | FOR509: Enterprise Cloud Forensics and Incident Response | |