Microsoft Office 365 Incident Response using the Microsoft Graph Security API

During an incident, you want to do your analysis as quickly and as precisely as possible. Although there are many scripts available to do proper research within Microsoft 365, if you are working with Exchange Online, OneDrive and SharePoint, each service needs its own module. Not to mention that Exchange Online sometimes needs multiple modules, depending on what data you want to extract. Using numerous modules is a pain because each one requires its own login.

I wanted to create a ‘One ring to rule them all’ for any incident response within Microsoft 365, which is operating-system independent, runs natively on Windows, and works with or without Multi-Factor Authentication. PowerShell runs on Linux, macOS and natively on Windows, and it happens to be a language I somewhat understand.

Since many Microsoft security products and services connect to the Microsoft Graph Security API, I have chosen to use PowerShell in combination with the Microsoft Graph Security API.

App Registration

To communicate with the Microsoft Graph Security API, you need an app registration. When you create the app registration, be sure to select Microsoft Graph and Application permissions.

Note: During the application registration, write down the application ID, the client secret, and the tenant name.

[Screenshots: Azure AD app registration, API permissions, Microsoft Graph, Application permissions]

Add the following API permissions.

    Directory.Read.All
    Directory.ReadWrite.All
    IdentityRiskyUser.Read.All
    Policy.Read.All
    SecurityEvents.Read.All
    DelegatedPermissionGrant.ReadWrite.All
    AuditLog.Read.All
    Mail.Read
    MailboxSettings.Read

Research Questions

The idea of answering a research question is to run a function, export the outcome to a JSON file, and filter the JSON file if needed. The sign-in logs, for example, contain a lot of information. With your favorite tool you can then extract the answer to the research question you would like to answer. The export includes the location of each login, so a simple query makes it possible to filter all logins outside the company’s country and get an overview of potentially malicious logins.

thalpiusGetAccessToken

The first thing you need to do is get a token using the app registration you created previously.

thalpiusGetAccessToken -appId 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' -appSecret 'XXXXXXXX' -tenantName "thalpius.onmicrosoft.com"

Once you have a token, you can use the functions described below.

Note: The token expires in one hour. I have not run into this myself, as no function has taken more than an hour, but I am looking to add a refresh token to the script. You can always request a new token as described above, which is valid for another hour.
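The token request behind a function like thalpiusGetAccessToken, as an added example that is not the thalpius script: it uses the OAuth 2.0 client credentials flow against the v2.0 token endpoint, re-requests the token before the hour is up, and follows @odata.nextLink paging. The names Connect-GraphApp, Invoke-GraphGet and $script:GraphCtx are chosen for this example.

```powershell
# Added example (not the thalpius script): app-only Graph access with automatic token renewal
# and @odata.nextLink paging. $script:GraphCtx is a name chosen for this example.
function Connect-GraphApp {
    param(
        [Parameter(Mandatory)] [string] $TenantName,  # e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $AppSecret
    )
    $script:GraphCtx = @{ TenantName = $TenantName; AppId = $AppId; AppSecret = $AppSecret
                          AccessToken = $null; ExpiresAt = [datetime]::MinValue }
    Update-GraphToken
}

function Update-GraphToken {
    # OAuth 2.0 client credentials flow: .default requests every application permission
    # granted on the app registration. No refresh token is issued, so we re-request instead.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $script:GraphCtx.AppId
        client_secret = $script:GraphCtx.AppSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri  = "https://login.microsoftonline.com/$($script:GraphCtx.TenantName)/oauth2/v2.0/token"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
    $script:GraphCtx.AccessToken = $resp.access_token
    $script:GraphCtx.ExpiresAt   = [datetime]::UtcNow.AddSeconds([int]$resp.expires_in)
}

function Get-GraphHeaders {
    # Renew five minutes early so a call that starts just before the hour still succeeds
    if ([datetime]::UtcNow.AddMinutes(5) -ge $script:GraphCtx.ExpiresAt) { Update-GraphToken }
    @{ Authorization = "Bearer $($script:GraphCtx.AccessToken)" }
}

function Invoke-GraphGet {
    # Follows @odata.nextLink so large collections (sign-ins, audit logs) are collected in full
    param([Parameter(Mandatory)] [string] $Uri)
    $items = [System.Collections.Generic.List[object]]::new()
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers (Get-GraphHeaders)
        if ($null -ne $page.value) { $items.AddRange([object[]]$page.value) } else { $items.Add($page) }
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Usage (values are placeholders):
# Connect-GraphApp -TenantName 'contoso.onmicrosoft.com' -AppId '<app id>' -AppSecret '<secret>'
# $signins = Invoke-GraphGet -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$top=1000"
```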

thalpiusGetSkus

The first thing to look for is licenses. If the tenant has an Office 365 Advanced Threat Protection license, that helps during the investigation, and if it has an Azure AD Premium license, you know the Azure AD logs go back one month instead of seven days.

I recommend starting with an output of the licenses to see what tools can help during the investigation.

thalpiusGetSkus

thalpiusGetAcceptedDomains

Accepted domains are the domains the tenant uses to send and receive e-mail. The function thalpiusGetAcceptedDomains extracts all accepted domains within the tenant.

Getting all accepted domains is helpful to validate which domain names accept e-mail within the tenant.

thalpiusGetAcceptedDomains

thalpiusGetAcceptedDomainsTxtRecords

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are DNS configurations that reduce the amount of phishing e-mail delivered to users’ inboxes. To validate the SPF and DKIM records, use the function thalpiusGetAcceptedDomainsTxtRecords, which exports all TXT records for all accepted domains.

thalpiusGetAcceptedDomainsTxtRecords
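As an added example that is not part of the thalpius script, a check of the SPF record found among a domain's exported TXT records: it reports the all qualifier, the includes, and whether the RFC 7208 lookup limit is exceeded. Test-SpfRecord and the TXT strings are constructed for this example.

```powershell
# Added example (not the thalpius script): evaluate the SPF record among a domain's exported
# TXT records. Test-SpfRecord and the TXT strings below are constructed for this example.
function Test-SpfRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $TxtRecords
    )
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    $result = [ordered]@{ domain = $Domain; hasSpf = ($spf.Count -ge 1); allQualifier = ''; includes = @(); findings = @() }
    if ($spf.Count -eq 0) {
        $result.findings += 'no SPF record: receivers cannot reject spoofed mail from this domain'
        return [pscustomobject]$result
    }
    if ($spf.Count -gt 1) { $result.findings += 'multiple SPF records: receivers treat this as a permanent error' }
    $terms = @(($spf[0] -split '\s+') | Select-Object -Skip 1)
    $result.includes = @($terms | Where-Object { $_ -match '^\+?include:' } | ForEach-Object { $_ -replace '^\+?include:' })
    # The last "all" term decides what happens to senders not listed before it
    $all = [string]($terms | Where-Object { $_ -match '^[-~?+]?all$' } | Select-Object -Last 1)
    switch -Regex ($all) {
        '^-all$'   { $result.allQualifier = 'hard fail' }
        '^~all$'   { $result.allQualifier = 'soft fail' }
        '^\?all$'  { $result.allQualifier = 'neutral'; $result.findings += '?all: SPF gives receivers no verdict' }
        '^\+?all$' { $result.allQualifier = 'pass';    $result.findings += '+all: every sender on the internet passes SPF' }
        default    { $result.findings += 'no all mechanism: unlisted senders are treated as neutral' }
    }
    # RFC 7208 allows at most 10 DNS-querying terms; more than that is a permanent error
    $lookups = @($terms | Where-Object { $_ -match '^[-~?+]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $result.findings += "$lookups DNS lookups: exceeds the limit of 10" }
    [pscustomobject]$result
}

# Constructed TXT records for thalpius.com: an SPF record ending in +all plus an unrelated verification record
$txt = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 +all', 'MS=ms12345678'
Test-SpfRecord -Domain 'thalpius.com' -TxtRecords $txt | Format-List
```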

thalpiusGetInboxRules

Many attackers create inbox rules for persistence or to hide their tracks. With the function thalpiusGetInboxRules you can export all inbox rules within the tenant or for a particular user.

thalpiusGetInboxRules
thalpiusGetInboxRules -userPrincipalName user@thalpius.com
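An added example, not from the thalpius script: a triage pass over an export of inbox rules (the Graph messageRules objects) that flags forwarding or redirecting to addresses outside the accepted domains, rules that delete mail, rules that filter on keywords attackers use to hide security mail from the victim, and rules with a near-empty name. Find-SuspiciousInboxRules, the sample rules and the domain list are constructed.

```powershell
# Added example (not the thalpius script): flag suspicious inbox rules in an export of
# users/{upn}/mailFolders/inbox/messageRules; accepted domains identify external forwarding.
# The rules and domains below are constructed sample data.
$acceptedDomains = @('thalpius.com', 'thalpius.onmicrosoft.com')
$sampleRules = @'
[
 {"id":"r1","displayName":"Newsletters","isEnabled":true,"conditions":{"senderContains":["news"]},
  "actions":{"moveToFolder":"<folder id>","stopProcessingRules":true}},
 {"id":"r2","displayName":".","isEnabled":true,"conditions":{"subjectContains":["invoice","password","hacked"]},
  "actions":{"delete":true,"markAsRead":true}},
 {"id":"r3","displayName":"Backup","isEnabled":true,"conditions":{},
  "actions":{"forwardTo":[{"emailAddress":{"name":"ext","address":"collector@example.net"}}]}}
]
'@

function Find-SuspiciousInboxRules {
    param([Parameter(Mandatory)] [object[]] $Rules, [Parameter(Mandatory)] [string[]] $AcceptedDomains)
    # Keywords attackers filter on to hide password-reset and security mail from the victim
    $hideWords = 'password', 'hacked', 'phish', 'suspicious', 'security', 'invoice', 'payment'
    foreach ($r in $Rules) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        $a = $r.actions; $c = $r.conditions
        foreach ($prop in 'forwardTo', 'forwardAsAttachmentTo', 'redirectTo') {
            foreach ($rcpt in @($a.$prop | Where-Object { $_ })) {
                $address = $rcpt.emailAddress.address
                if (($address -split '@')[-1] -notin $AcceptedDomains) { $reasons.Add("$prop external: $address") }
            }
        }
        if ($a.delete -or $a.permanentDelete) { $reasons.Add('deletes mail') }
        $words = @($c.subjectContains) + @($c.bodyContains) | Where-Object { $_ }
        $hits = @($words | Where-Object { $w = $_; $hideWords | Where-Object { $w -match $_ } })
        if ($hits.Count) { $reasons.Add("filters on: $($hits -join ', ')") }
        if ("$($r.displayName)".Trim().Length -le 1) { $reasons.Add('near-empty name') }
        if ($reasons.Count) {
            [pscustomobject]@{ id = $r.id; displayName = $r.displayName; isEnabled = $r.isEnabled; reasons = $reasons -join '; ' }
        }
    }
}

# For a real investigation, read the messageRules export instead of $sampleRules
Find-SuspiciousInboxRules -Rules ($sampleRules | ConvertFrom-Json) -AcceptedDomains $acceptedDomains | Format-List
```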

thalpiusGetSignins

The thalpiusGetSignins function exports all Azure AD sign-ins within the tenant or for a particular user. The sign-in logs contain a lot of information, like the user agent, the location of the sign-in, and so on.

thalpiusGetSignins
thalpiusGetSignins -userPrincipalName user@thalpius.com
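The country filter mentioned under Research Questions, as an added example (not the thalpius script) over a sign-in export: it assumes the JSON holds sign-in objects as returned by the Graph auditLogs/signIns endpoint, and the three records are constructed.

```powershell
# Added example (not the thalpius script): triage an exported sign-in JSON file for logins
# outside the company's country. The three sign-in records below are constructed.
$sample = @'
[
 {"createdDateTime":"2021-03-01T08:02:11Z","userPrincipalName":"alice@thalpius.com","ipAddress":"203.0.113.10",
  "clientAppUsed":"Browser","status":{"errorCode":0},"location":{"city":"Amsterdam","countryOrRegion":"NL"}},
 {"createdDateTime":"2021-03-01T23:41:57Z","userPrincipalName":"alice@thalpius.com","ipAddress":"198.51.100.7",
  "clientAppUsed":"IMAP","status":{"errorCode":0},"location":{"city":"Lagos","countryOrRegion":"NG"}},
 {"createdDateTime":"2021-03-02T01:15:03Z","userPrincipalName":"bob@thalpius.com","ipAddress":"198.51.100.7",
  "clientAppUsed":"Browser","status":{"errorCode":50126},"location":{"city":"Lagos","countryOrRegion":"NG"}}
]
'@

function Get-ForeignSignins {
    param(
        [Parameter(Mandatory)] [object[]] $Signins,     # objects as returned by auditLogs/signIns
        [Parameter(Mandatory)] [string]   $HomeCountry, # two-letter code, e.g. 'NL'
        [switch] $SuccessfulOnly                         # errorCode 0 means the login succeeded
    )
    $Signins |
        Where-Object { $_.location.countryOrRegion -ne $HomeCountry } |
        Where-Object { -not $SuccessfulOnly -or $_.status.errorCode -eq 0 } |
        Select-Object createdDateTime, userPrincipalName, ipAddress, clientAppUsed,
            @{ n = 'country';   e = { $_.location.countryOrRegion } },
            @{ n = 'city';      e = { $_.location.city } },
            @{ n = 'errorCode'; e = { $_.status.errorCode } }
}

# For a real investigation: $signins = Get-Content .\output.json -Raw | ConvertFrom-Json
$signins = $sample | ConvertFrom-Json
Get-ForeignSignins -Signins $signins -HomeCountry 'NL' | Format-Table -AutoSize

# Successful foreign logins per user with their distinct source addresses (IMAP is legacy authentication)
Get-ForeignSignins -Signins $signins -HomeCountry 'NL' -SuccessfulOnly |
    Group-Object userPrincipalName |
    Select-Object Name, Count, @{ n = 'ipAddresses'; e = { ($_.Group.ipAddress | Sort-Object -Unique) -join ', ' } }
```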

thalpiusGetAuditLogs

The thalpiusGetAuditLogs function exports all Azure AD audit logs within the tenant or for a particular user.

thalpiusGetAuditLogs
thalpiusGetAuditLogs -userPrincipalName user@thalpius.com

thalpiusGetEmailBySubject

The function thalpiusGetEmailBySubject searches for any e-mail with a given subject.

thalpiusGetEmailBySubject -subject "thalpius"

thalpiusGetEmailByBody

The function thalpiusGetEmailByBody searches for any e-mail with a given keyword in the body of the e-mail.

thalpiusGetEmailByBody -bodyKeyword "thalpius"

thalpiusGetAttachments

This function gives you the ability to extract attachments to check whether they are malicious. It exports all attachments from a user’s mailbox, or the attachment itself if you pass an attachmentId. The attachment content is Base64 encoded; decode the encoded string in the output to get the binary.

thalpiusGetAttachments -userPrincipalName user@thalpius.com
thalpiusGetAttachments -userPrincipalName user@thalpius.com -extension ".zip"
thalpiusGetAttachments -userPrincipalName user@thalpius.com -attachmentId XXXX-XXXXXX-XXXX
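An added example (not the thalpius script) for the decoding step: it takes a fileAttachment object from the export, decodes contentBytes, and stores the bytes under their SHA-256 hash rather than under the name the sender chose. Save-GraphAttachment and the sample attachment are constructed.

```powershell
# Added example (not the thalpius script): turn a fileAttachment object from the Graph
# export back into bytes and store it under its SHA-256 hash, never under the sender's name.
function Save-GraphAttachment {
    param([Parameter(Mandatory)] [object] $Attachment, [Parameter(Mandatory)] [string] $Folder)
    # itemAttachment and referenceAttachment objects carry no contentBytes
    if ($Attachment.'@odata.type' -ne '#microsoft.graph.fileAttachment') {
        throw "Not a file attachment: $($Attachment.'@odata.type')"
    }
    $bytes  = [Convert]::FromBase64String($Attachment.contentBytes)
    $sha256 = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '').ToLower()
    # A .bin suffix keeps the sample from being opened by its original (possibly spoofed) extension
    $path = Join-Path $Folder "$sha256.bin"
    [IO.File]::WriteAllBytes($path, $bytes)
    [pscustomobject]@{ originalName = $Attachment.name; contentType = $Attachment.contentType
                       bytes = $bytes.Length; sha256 = $sha256; path = $path }
}

# Constructed sample: a fileAttachment whose content is just a short text string
$sampleAttachment = [pscustomobject]@{
    '@odata.type' = '#microsoft.graph.fileAttachment'; name = 'invoice.zip'; contentType = 'application/zip'
    contentBytes  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('not really a zip file'))
}
Save-GraphAttachment -Attachment $sampleAttachment -Folder ([IO.Path]::GetTempPath())
```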

thalpiusGetAllAppRegistrations

In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information and e-mail. This function exports all app registrations within the tenant, including the owner.

thalpiusGetAllAppRegistrations

thalpiusOutputArray

Every function adds the data to an array. Once you are done running all functions you think you need, thalpiusOutputArray creates a JSON file with all data. You can filter the data if needed using your favorite scripting language.

thalpiusOutputArray -outputLocation 'c:\users\thalpius\incidentResponse\output.json'

Conclusion

Check out the script on my GitHub page. If you are missing any research questions, please let me know or add a GitHub issue and I will do my best to add it to the script.

Note: Do not forget to remove the Microsoft Graph Security API permissions once the investigation is completed.

Microsoft 365 Top 5 Security Best Practices

According to Microsoft, using Multi-Factor Authentication blocks 99,9% of account compromise attacks within Microsoft 365. Many companies know Multi-Factor Authentication is the right security solution, but what about other security measures?

Here are my top five security measures any company needs to take within Microsoft 365. I even made a downloadable infographic about it.

Infographic

Security Awareness

I want to start by saying that security awareness could easily be number one. I wanted to create a technical top five, but I cannot leave out security awareness, as it is essential within any company.

Any given employee needs to be able to identify a threat. Security awareness training helps raise employees’ awareness to identify risks, and the employee then knows what to do when it comes to handling the threat or who to contact.

Security Operations Center

One of the most significant benefits of having a Security Operations Center (SOC) is twenty-four seven monitoring. Attackers do not keep nine-to-five hours, nor do they work Monday to Friday. Is there a follow-up on a security threat on a Saturday at ten PM, or do you have to wait for employees to complain on Monday that they cannot access their data due to ransomware? Monitoring your environment twenty-four seven is crucial within any company.

SPF, DKIM and DMARC

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are DNS configurations that reduce the amount of phishing e-mail delivered to users’ inboxes. They are relatively easy to implement and do not come with additional costs. Since a lot of attacks use phishing, implementing SPF, DKIM, and DMARC is a must.

Multi-Factor Authentication and Legacy Authentication

Multi-Factor Authentication and Legacy Authentication go hand in hand since Legacy Authentication does not support Multi-Factor Authentication. So implementing Multi-Factor Authentication is not enough as Legacy Authentication should be disabled as well.

According to Microsoft, more than 99 percent of password spray attacks use legacy authentication protocols, and using Multi-Factor Authentication reduces 99,9% of the attacks within Microsoft Office 365.

In combination with security awareness, Multi-Factor Authentication and disabling Legacy Authentication are a must within any Microsoft 365 environment.

Conclusion

There are many security measures a company can take. In my opinion, these are the five minimum Microsoft 365 security measures every company needs to take.