How to Investigate M365 Accounts


👉 My process:

1. Pull the last 100 unique IPs that the account signed in from over the last 90 days. Use tools like IPInfo or internal TIPs (threat intelligence platforms) like OpenCTI to determine whether any of those logins track back to proxies, VPNs, or data centers. If yes, check whether the activity records associated with those suspicious IPs look like typical Threat Actor (TA) behaviors or like normal user activity.

2. Get to know the user:

  • Where do they normally log in from?
  • What are their expected user agents?
  • Is the device managed by Intune?
  • How many operations do they average per week historically?
  • Who do they talk to normally?
  • When do they typically work?
  • What apps do they typically interact with?

3. Check Entra Audit Logs:

  • Did the user account have any Self-Service Password Resets, new Entra Authentication methods, or other recent account changes?

4. Assess the activity patterns:

  • Can you confidently say, “This looks suspicious as hell” based on the activity patterns in steps 1-3?
  • Threat Actors don’t typically behave like normal employees. They search, maintain access, exfiltrate data, and send intentional lures to other accounts.

If your answers to steps 1-4 indicate a 66%+ likelihood that the account is compromised, it’s time to pull the Unified Audit Logs (UAL) for that user account and investigate further using tools like Microsoft Extractor Suite, Hawk, ADXFlowmaster, Microsoft Analyzer Suite, or any relevant GitHub repo.
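Steps 1 to 4 above, as an added Python example that is not part of the original post. It runs offline on constructed sign-in records in the shape of a Microsoft Graph `auditLogs/signIns` export (field names taken from the Graph signIn resource; only a subset is used) and on a constructed enrichment table in the shape of IPInfo's privacy-detection fields (`vpn`, `proxy`, `tor`, `hosting`). The working-hours window, the five checks and the "worst sign-in out of five checks" likelihood are this example's own triage assumptions, not the author's numbers; the 66% threshold is the one named above.

```python
"""Baseline a user's sign-in behaviour and score deviations (steps 1-4 above)."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data in the shape of a Graph /auditLogs/signIns export (subset of fields).
SIGNIN_LOGS = json.loads("""[
 {"createdDateTime":"2024-05-06T08:12:00Z","ipAddress":"198.51.100.7","userAgent":"Edge/124 Windows",
  "appDisplayName":"Outlook","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true}},
 {"createdDateTime":"2024-05-07T09:30:00Z","ipAddress":"198.51.100.7","userAgent":"Edge/124 Windows",
  "appDisplayName":"Teams","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true}},
 {"createdDateTime":"2024-05-08T14:05:00Z","ipAddress":"198.51.100.8","userAgent":"Edge/124 Windows",
  "appDisplayName":"SharePoint","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true}},
 {"createdDateTime":"2024-05-09T03:41:00Z","ipAddress":"203.0.113.10","userAgent":"python-requests/2.31",
  "appDisplayName":"Outlook","location":{"countryOrRegion":"NL"},"deviceDetail":{"isManaged":false}}
]""")

# Constructed enrichment in the shape of IPInfo's privacy-detection object (assumed keys).
IP_ENRICHMENT = {
    "198.51.100.7": {"privacy": {"vpn": False, "proxy": False, "tor": False, "hosting": False}},
    "198.51.100.8": {"privacy": {"vpn": False, "proxy": False, "tor": False, "hosting": False}},
    "203.0.113.10": {"privacy": {"vpn": True, "proxy": False, "tor": False, "hosting": False}},
}

WORK_HOURS = range(7, 19)  # assumed working window (hours of day, UTC in this sample)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recent_unique_ips(logs, limit=100):
    """Step 1: the most recent `limit` distinct source IPs, newest first."""
    seen, out = set(), []
    for rec in sorted(logs, key=lambda r: parse_ts(r["createdDateTime"]), reverse=True):
        ip = rec["ipAddress"]
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
        if len(out) == limit:
            break
    return out


def is_anonymized(ip, enrichment):
    """True when enrichment marks the IP as VPN/proxy/Tor/hosting; unknown IPs are not flagged."""
    priv = enrichment.get(ip, {}).get("privacy", {})
    return any(priv.get(k) for k in ("vpn", "proxy", "tor", "hosting"))


def build_baseline(logs, enrichment):
    """Step 2: what 'normal' looks like, built only from sign-ins via non-anonymized IPs."""
    clean = [r for r in logs if not is_anonymized(r["ipAddress"], enrichment)]
    return {
        "countries": Counter(r["location"]["countryOrRegion"] for r in clean),
        "user_agents": Counter(r["userAgent"] for r in clean),
        "apps": Counter(r["appDisplayName"] for r in clean),
        "hours": Counter(parse_ts(r["createdDateTime"]).hour for r in clean),
        "managed_share": sum(r["deviceDetail"]["isManaged"] for r in clean) / max(len(clean), 1),
    }


def score_signin(rec, baseline, enrichment):
    """Step 4: list the ways one sign-in departs from the baseline (five checks)."""
    reasons = []
    if is_anonymized(rec["ipAddress"], enrichment):
        reasons.append("anonymized_ip")
    if rec["location"]["countryOrRegion"] not in baseline["countries"]:
        reasons.append("new_country")
    if rec["userAgent"] not in baseline["user_agents"]:
        reasons.append("new_user_agent")
    if parse_ts(rec["createdDateTime"]).hour not in WORK_HOURS:
        reasons.append("off_hours")
    if baseline["managed_share"] >= 0.9 and not rec["deviceDetail"]["isManaged"]:
        reasons.append("unmanaged_device")
    return reasons


def assess_account(logs, enrichment, threshold=0.66):
    """Findings per sign-in plus a coarse likelihood: the worst sign-in's share of the five checks."""
    baseline = build_baseline(logs, enrichment)
    findings = {}
    for rec in logs:
        reasons = score_signin(rec, baseline, enrichment)
        if reasons:
            findings[rec["createdDateTime"]] = reasons
    worst = max((len(v) for v in findings.values()), default=0)
    likelihood = worst / 5
    return {"findings": findings, "likelihood": likelihood, "pull_ual": likelihood >= threshold}


if __name__ == "__main__":
    print("recent IPs:", recent_unique_ips(SIGNIN_LOGS))
    print(json.dumps(assess_account(SIGNIN_LOGS, IP_ENRICHMENT), indent=2))
```

The baseline deliberately excludes sign-ins from anonymized IPs, otherwise a compromised account's own activity would teach the model that the attacker's user agent is "normal". On the sample, the 03:41 sign-in from the VPN address trips all five checks, so `pull_ual` comes back true and the UAL export is the next step.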

What Undercode Says

Investigating M365 accounts requires a combination of technical expertise, critical thinking, and the right tools. Here are some commands and practices to help you get started:

1. Extracting IP Logs:

  • Use PowerShell to pull the sign-ins and group them by source IP (AzureADPreview module; Get-MgAuditLogSignIn from the Microsoft Graph PowerShell SDK takes the same -Filter and -Top). -Top 100 returns the last 100 sign-ins, so raise it or add a createdDateTime filter to cover the full 90 days:
    Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '<USER_UPN>'" -Top 100 |
        Group-Object IpAddress | Sort-Object Count -Descending | Select-Object Count, Name

  • Analyze IPs using `curl` and IPInfo (the VPN/proxy/hosting flags come back in the privacy object, which needs an IPInfo token appended as ?token=<TOKEN>):
    curl https://ipinfo.io/<IP_ADDRESS>/json

2. User Agent Analysis:

  • Use `jq` to tally user agent strings from an exported sign-in log (assumes a JSON array of sign-in records, each with a top-level userAgent field):
    jq -r '.[].userAgent' signin_logs.json | sort | uniq -c | sort -rn

3. Intune Device Management:

  • Check if a device is managed by Intune. Get-MsolDevice has no IsManaged property; IsManaged and IsCompliant are on the Entra device object, queried here with the Microsoft Graph PowerShell SDK:
    Get-MgDevice -Filter "deviceId eq '<DEVICE_ID>'" | Select-Object DisplayName, IsManaged, IsCompliant, TrustType

4. Entra Audit Logs:

  • Retrieve audit logs for password resets (admin resets and self-service resets are logged under different activity names, so filter for both) and keep only the events that targeted the user:
    Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Reset user password' or activityDisplayName eq 'Reset password (self-service)'" |
        Where-Object { $_.TargetResources.UserPrincipalName -contains '<USER_UPN>' } |
        Select-Object ActivityDateTime, ActivityDisplayName, InitiatedBy

5. Unified Audit Logs (UAL):

  • Export UAL for a specific user (Exchange Online PowerShell; one call returns at most 5,000 rows, so use a SessionId with ReturnLargeSet and repeat the call until it returns nothing):
    Connect-ExchangeOnline
    Search-UnifiedAuditLog -UserIds "<USER_UPN>" -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
        -SessionId "<USER_UPN>-ual" -SessionCommand ReturnLargeSet -ResultSize 5000 |
        Export-Csv -Path .\ual_export.csv -NoTypeInformation -Append

6. Threat Hunting with Hawk:

  • Install and run Hawk (https://github.com/T0pCyber/hawk) for M365 investigations. Hawk is a PowerShell module published on the PowerShell Gallery, not a Python script:
    Install-Module -Name HAWK -Scope CurrentUser
    Start-HawkUserInvestigation -UserPrincipalName <USER_UPN>

7. Data Exfiltration Detection:

  • Monitor large file downloads. Sign-in logs only show that the user authenticated to OneDrive; the downloads themselves are recorded in the UAL as FileDownloaded and FileSyncDownloadedFull operations:
    Search-UnifiedAuditLog -UserIds "<USER_UPN>" -Operations FileDownloaded,FileSyncDownloadedFull `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 |
        Select-Object CreationDate, Operations, @{n='File'; e={ ($_.AuditData | ConvertFrom-Json).ObjectId }}

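The triage over the exported UAL rows, as an added Python example that is not part of the original post or of any of the tools named above. It covers the exfiltration check in section 7 and three of the TA behaviours listed in step 4 (search, maintain access, exfiltrate). The rows are constructed in the shape Search-UnifiedAuditLog returns (CreationDate, UserIds, Operations, and AuditData as a JSON string); the AuditData keys used (Operation, ClientIP, Parameters, QueryText, ObjectId) are a simplified subset of the real schema, `<USER_UPN>` and `<TENANT>` are placeholders, and the burst threshold, the window, the list of hide-or-forward rule parameters and the short-rule-name heuristic are this example's assumptions, which go beyond what the post itself states.

```python
"""Triage a UAL export for search, maintain-access and exfiltration behaviours."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _row(ts, op, data):
    """Build one constructed row in the Search-UnifiedAuditLog output shape."""
    data["Operation"] = op
    return {"CreationDate": ts, "UserIds": "<USER_UPN>", "Operations": op, "AuditData": json.dumps(data)}


# Constructed sample export: one inbox rule, one mailbox search, one ordinary download
# on an earlier day, then six downloads within five minutes from the same address.
UAL_ROWS = [
    _row("2024-05-09T03:45:10Z", "New-InboxRule", {"ClientIP": "203.0.113.10", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "SubjectContainsWords", "Value": "invoice;password"}]}),
    _row("2024-05-09T03:50:02Z", "SearchQueryInitiatedExchange",
         {"ClientIP": "203.0.113.10", "QueryText": "wire transfer"}),
    _row("2024-05-02T10:15:00Z", "FileDownloaded", {"ClientIP": "198.51.100.7", "Workload": "OneDrive",
         "ObjectId": "https://<TENANT>-my.sharepoint.com/personal/<USER>/Documents/notes.docx"}),
] + [
    _row(f"2024-05-09T04:0{i}:00Z", "FileDownloaded", {"ClientIP": "203.0.113.10", "Workload": "OneDrive",
         "ObjectId": f"https://<TENANT>-my.sharepoint.com/personal/<USER>/Documents/report{i}.xlsx"})
    for i in range(6)
]

# Assumed list of rule parameters that hide, delete or redirect mail (the maintain-access tell).
HIDE_OR_FORWARD = {"MoveToFolder", "DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo",
                   "RedirectTo", "ForwardingSmtpAddress", "MarkAsRead"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_audit(rows):
    """Expand each row's AuditData JSON string into a dict, keep the row time, sort by time."""
    events = []
    for row in rows:
        data = json.loads(row["AuditData"])
        data["_time"] = parse_ts(row["CreationDate"])
        events.append(data)
    return sorted(events, key=lambda e: e["_time"])


def download_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Exfiltration check: per ClientIP, the largest count of FileDownloaded events inside any
    `window`; only IPs reaching `threshold` are returned."""
    times = defaultdict(list)
    for e in events:  # events are sorted, so each per-IP list is sorted too
        if e.get("Operation") == "FileDownloaded":
            times[e.get("ClientIP")].append(e["_time"])
    bursts = {}
    for ip, ts in times.items():
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def suspicious_inbox_rules(events):
    """Maintain-access check: rules whose parameters hide or redirect mail, or whose
    name is at most one character (assumed heuristic for an inconspicuous rule)."""
    hits = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        reasons = sorted(HIDE_OR_FORWARD & set(params))
        if len(params.get("Name", "")) <= 1:
            reasons.append("short_name")
        if reasons:
            hits.append({"time": e["_time"].isoformat(), "client_ip": e.get("ClientIP"),
                         "rule_name": params.get("Name"), "reasons": reasons})
    return hits


def search_queries(events):
    """Search check: what the session looked for in the mailbox."""
    return [e["QueryText"] for e in events if e.get("Operation") == "SearchQueryInitiatedExchange"]


def triage(rows):
    events = load_audit(rows)
    return {"download_bursts": download_bursts(events),
            "inbox_rules": suspicious_inbox_rules(events),
            "searches": search_queries(events)}


if __name__ == "__main__":
    print(json.dumps(triage(UAL_ROWS), indent=2))
```

Because every finding carries its ClientIP, the three checks join straight back to the IP list from step 1: a download burst, a hiding rule and a mailbox search all from the same address that IPInfo marks as a VPN is the pattern the post describes as a TA rather than an employee.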
8. Automation with LLM Agents:

  • Use Python to automate log analysis (the original snippet called an undefined is_suspicious; a minimal one is supplied here, fed by the IPs classified as proxy/VPN/data-center in step 1, and the JSON is assumed to have an `ip` column):
    import pandas as pd
    FLAGGED_IPS = {"<FLAGGED_IP_1>", "<FLAGGED_IP_2>"}  # assumed: IPs classified as suspicious in step 1
    def is_suspicious(ip):
        return ip in FLAGGED_IPS
    logs = pd.read_json('signin_logs.json')
    suspicious_ips = logs[logs['ip'].apply(is_suspicious)]
    print(suspicious_ips)

9. Critical Thinking:

  • Always cross-verify findings with multiple tools and data sources. For example, if an IP is flagged as suspicious, cross-check it with threat intelligence feeds like AlienVault OTX or VirusTotal.

10. Conclusion:

  • Investigating M365 accounts is a multi-step process that involves technical analysis, user behavior understanding, and the use of specialized tools. By following the outlined steps and utilizing the provided commands, you can effectively identify and mitigate potential security threats. Always remember to document your findings and share insights with your team to improve overall security posture.
