Apparently, Microsoft broke the API a bit when retiring some of its parts
The Microsoft Extractor Suite broke.
➡️ Workaround:
You can get up to 50.000 events via the Azure Web Portal. So filter for a username or a small timeframe.
⚠️ Note: you cannot download everything via the Web Portal, after 50.000 events, it'll just stop.
Interesting defense against attacks:
Move your SSH authorized_keys to a different location and set the rights to 0444. Then an attacker needs root rights to place an SSH backdoor.
#DFIR #threatintel #Knowledgedrop
Attackers are still actively exploiting firewall "../" vulnerabilities. Be aware and patch your firewalls!
Most organizations do not have multi-factor authentication (MFA) enabled for their Azure service principals.
Why?
You need a special license for every single application you want to enable MFA for.
Watch out with your Azure Automation Account / Runbooks.
Dangerous stuff if not managed correctly!
#cloud #azure #knowledgedrop #dfir #pentesting #privilegeescalation
How to reconstruct OneDrive?
OneDriveExplorer (by @Beercow) can reconstruct OneDrive from <UserCid>.dat or SQLite databases etc.
Check it out:
https://github.com/Beercow/OneDriveExplorer
Today a pentester asked me if attackers really use brute force.
Yes, they do, especially in cloud environments. That's why multi factor authentication (MFA) is so important there.
I hear very often that the cloud is secure because Multi Factor Authentication (MFA) is enabled, so all accounts are secure.
What about the service accounts and the (break glass) global administrator account?
Or in Azure: do you have a conditional access policy that excludes accounts from MFA?
What about MFA phishing with evilginx?
=> Apply a defense-in-depth strategy also in cloud environments.
How to filter zeek logs:
cat conn.log | zeek-cut <columns> | column -t | less -S
(column and less display the columns aligned and readable)
I encountered some third party firewall logs recently. Timestamps were in Linux format and requests in hexdump. We knew the IP range of the attackers and that they uploaded a webshell.
grep is an awesome tool for that. Looking for successful (code 200) uploads (POST requests) from IP:
grep -e "666.666.666.... POST 200" firewall.log > attack.txt
To find the script I searched for the longest request since most legitimate requests were rather short. Word count can give us that with -L:
cat attack.txt | wc -L
1337
And let's extract that longest line with grep:
grep -e "^.{1337}$" attack.txt
Hex requests could then be parsed easily with Cyerchef's From Hex.
Hope that helps someone! Adjust to your needs. :blobsmile:
I noticed today that a lot of people are struggling with antivirus alerts, specifically Microsoft Defender:
1) try to understand the alarm itself and at which point in the attack this would happen: phishing email = early, credential access (especially admin credentials) or suspicious C2 IPs = middle, ransomware/data upload = late.
2) what should be the attackers previous and next step then? (just look at 1 again: early/middle/late)
3) can you see this previous/next step in the logs? Look especially for evidence of execution. Attackers want to "do" something. Executables, scripts, PowerShell, command line, services, scheduled tasks?
If you cannot see any previous or any next steps, ask yourself if you're blind (are your logs empty? Timeframe not available?) or if there really aren't any. If there aren't any, it's likely a false positive. If there are, escalate.
Happy hunting!
Velociraptor tempfile is gone when your SELECT query terminates.
That means if you start with a LET tmp = SELECT ... and continue in your main query, the tempfile is already gone at your main query!
Took me a while today to figure this out...
If using Kubernetes on Azure (AKS), the following logs exist:
Remember to turn on your logs :blobwink:
#dfir #knowledgedrop #networkforensics
Came across this gem again: a nice network analysis framework
https://github.com/arkime/arkime
#DFIR #knowledgedrop #azure #m365
I noticed recently that M365/Azure Personal licenses ("Px") in contrast to Enterprise ("Ex") licenses do not seem to include all logs. E.g. Azure SignIn Logs only exist for 7 days not 90/180 days.
So when combining a M365 Business with a small Azure license, there are hardly any logs.
The most important logfiles in #azure are:
ENABLED by default:
1) Tenant Logs: Sign-In Logs & Audit Logs
2) Subscription Logs: Activity Logs
3) Security Logs (Risky Users)
DISABLED by default:
4) Resource Logs
5) Diagnostic Logs: Operating System Logs
6) Diagnostic Logs: Application Logs
#m365 also has:
7) Unified Audit Log (UAL) - enabled by default
8) (specialized logs for applications like Exchange, SharePoint, etc. - an extract is also in UAL)
If you need to acquire #azure / #m365 logs, be aware that the webUI only allows extracting a small amount.
If you want to extract all the logs, have a look at https://github.com/invictus-ir/Microsoft-Extractor-Suite
You need "global reader" permissions and watch out with conditional access policies - they can block your access and result in really weird error messages (e.g. that the module does not exist).
Most important logs are (usually) SignIn logs and UAL.
#psexec can be detected by .key files:
"Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]
#Windows #activedirectory #dfir #knowledgedrop
I learned today that depending how you access your network shares, it triggers different protocols:
\\IP => NTLM
\\servername => NTLM
\\FQDN => Kerberos
PS: for everyone who doesn't know Windows protocols: NTLM is less secure and an easier target for attackers.
There's a new'ish #linux tool similar to #sysmon by @0xrawsec from @circl
https://why.kunai.rocks/
(see also @kunai_project )
PS: it is written in #rust :blobwink:
