• Stars
    star
    240
  • Rank 168,229 (Top 4 %)
  • Language
    PowerShell
  • License
    GNU General Publi...
  • Created almost 4 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PowerShell module for Office 365 and Azure log collection

DFIR-O365RC

Docker Image CI

Table of contents:

  1. Module description
  2. Installation and pre-requisites
  3. Roles and license requirements
  4. Functions included in the module
  5. Files generated

DFIR-O365RC was presented at the SSTIC 2021 (Symposium sur la sécurité des technologies de l'information et des communications). Slides and a recording of the presentation, in french language, are available here.

Module description

The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations.

The logs are generated in JSON format and retrieved from two main data sources:

The two data sources can be queried from different endpoints:

Data source / Endpoint History Performance Scope Pre-requisites (OS or Azure)
Unified Audit Logs / Exchange Online PowerShell 90 days Poor All Office 365 logs (Azure AD included) None
Unified Audit Logs / Office 365 Management API 7 days Good All Office 365 logs (Azure AD included) Azure App registration
Azure AD Logs / Azure AD PowerShell Preview 30 days Good Azure AD sign-ins and audit events only Windows OS only
Azure AD Logs / MS Graph API 30 days Good Azure AD sign-ins and audit events only None

DFIR-O365RC is a forensic tool, its aim is not to monitor in real time your Office 365 infrastructure: Please use the Office 365 Management API if you want to analyze data in real time with a SIEM.

DFIR-O365RC will fetch data from:

  • Azure AD Logs using the MS Graph API because performance is good, history is 30 days and it works on PowerShell Core.
  • Unified Audit Logs using Exchange online PowerShell despite poor performance, history is 90 days and it works on PowerShell Core.

If you are investigating Exchange Online malicious activity, the Search-O365 function will also fetch the Mailbox Audit Log, using Exchange Online PowerShell.

In case you are also investigating other Azure resources (IaaS, PaaS...) DFIR-O365RC can also fetch data from Azure Activity logs using the Azure Monitor RESTAPI. History is 90 days and it works on PowerShell Core. The Azure Activity log is primarily for activities that occur in Azure Resource Manager.

Additionally you can dump Azure DevOps Activity logs using the Azure DevOps services RESTAPI. History is 90 days and it works on PowerShell Core.

Because all functions can run on PowerShell Core, DFIR-O365RC works also on Linux or Mac, as long as you have have a browser in order to use device login.

Installation and pre-requisites

Manual Installation.

Clone the DFIR-O365RC repository. The tool works on PowerShell Desktop and PowerShell Core.

DFIR-O365 uses Jason Thompson's MSAL.PS and Boe Prox's PoshRSJob modules. To install them run the following commands:

Install-Module -Name MSAL.PS -RequiredVersion '4.21.0.1'
Install-Module -Name PoshRSJob -RequiredVersion '1.7.4.4'

If MSAL.PS module installation fails with the following message:

WARNING: The specified module ‘MSAL.PS’ with PowerShellGetFormatVersion ‘2.0’ is not supported by the current version of PowerShellGet. Get the latest version of the PowerShellGet module to install this module, ‘MSAL.PS’.

Update PowerShellGet with the following commands:

Install-PackageProvider Nuget -Force
Install-Module -Name PowerShellGet -Force

Once both modules are installed, launch a PowerShell prompt and locate your Powershell modules path with the following command:

PS> $env:PSModulePath

Copy the DFIR-O365RC directory in one of your modules path, for example on Windows:

  • %USERPROFILE%\Documents\WindowsPowerShell\Modules
  • %ProgramFiles%\WindowsPowerShell\Modules
  • %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\Modules

Modules path examples on Linux:

  • /home/%USERNAME%/.local/share/powershell/Modules
  • /usr/local/share/powershell/Modules
  • /opt/microsoft/powershell/7/Modules

On PowerShell Core, the installation of the WSMan client might also be required:

Install-Module PSWSMan
Install-WSMan

The DFIR-O365RC module is installed, restart the PowerShell prompt and load the module:

PS> Import-module DFIR-O365RC

Use Docker to run DFIR-O365RC.

Use docker-compose to build the image, run the container and mount a volume to retrieve logs:

sudo docker-compose run dfir-o365rc

The module is ready to use:

PowerShell 7.1.4
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.
DFIR-O365RC: PowerShell module for Office 365 and Azure log collection
https://github.com/ANSSI-FR/DFIR-O365RC
Loading personal and system profiles took 854ms.
PS /mnt/host/output>

Roles and license requirements

The user launching the tool should have the following roles:

  • Microsoft 365 role (portal.microsoft.com): Global reader
  • Exchange Online role (outlook.office365.com/ecp): View-Only Audit Logs

In order to retrieve Azure AD sign-ins logs with the MS Graph API you need at least one user with an Azure AD Premium P1 license. This license can be purchased at additional cost for a single user and is sometimes included in some license plans such as the Microsoft 365 Business Premium for small and medium-sized businesses.

If you need to retrieve also the Azure Activity logs you need the Log Analytics Reader role for the Azure subscription you are dumping the logs from.

Finally if you need to collect the Azure DevOps Activity logs you need to grant the Auditing\View audit log permission to the user in the Azure DevOps organization you are dumping the logs from.

Functions included in the module

The module has 9 functions:

Function name Data Source/History Performance Completeness Details
Get-O365Full Unified audit logs/90 days Poor All unified audit logs A subset of logs per record type can be retrieved. Use only on a small tenant or a short period of time
Get-O365Light Unified audit logs/90 days Good A subset of unified audit logs only Only a subset of operations considered of interest is retrieved.
Get-DefenderforO365 Unified audit logs/90 days Good A subset of unified audit logs only Retrieves Defender for Office 365 related logs. Requires at least an E5 license or a license plan such as Microsoft Defender for Office 365 Plan or cloud app security
Get-AADLogs Azure AD Logs/30 days Good All Azure AD logs Get tenant general information, all Azure sign-ins and audit logs. Azure AD sign-ins logs have more information than Azure AD logs retrieved via Unified audit logs.
Get-AADApps Azure AD Logs/30 days Good A subset of Azure AD logs only Get Azure audit logs related to Azure applications and service principals only. The logs are enriched with application or service principal object information.
Get-AADDevices Azure AD Logs/30 days Good A subset of Azure AD logs only Get Azure audit logs related to Azure AD joined or registered devices only. The logs are enriched with device object information.
Search-O365 Unified audit logs/90 days Depends on the query A subset of unified audit logs only Search for activity related to a particular user, IP address or use the freetext query. When searching user activity this cmdlet will also fetch the Mailbox Audit Log
Get-AzRMActivityLogs Azure Activity logs/90 days Good All Azure Activity logs Get all Azure activity logs for a given subscription or on every subscription the account running the function has access to
Get-AzDevOpsActivityLogs Azure DevOps Activity logs/90 days Good All Azure DevOps Activity logs Get all Azure DevOps activity logs for a given DevOps organization or on every DevOps organization the account running the function has access to

When querying Unified audit logs you are limited to 3 concurrent Exchange Online Powershell sessions. DFIR-O365RC will try to use all available sessions, please close any existing session before launching the log collection.

Each function as a comment based help which you can invoke with the get-help cmdlet.

#Display comment based help
PS> Get-help Get-O365Full
#Display comment based help with examples
PS> Get-help Get-O365Full -examples

Each function takes as a parameter a start date and an end date.

In order to retrieve Azure AD audit logs, sign-ins logs from the past 30 days and tenant information launch the following command:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Get-AADLogs -startdate $startdate -enddate $enddate

In order to retrieve enriched Azure AD audit logs related to Azure applications and service principals from the past 30 days launch the following command:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Get-AADApps -startdate $startdate -enddate $enddate

In order to retrieve enriched Azure AD audit logs related to Azure AD joined or registered devices from the past 30 days launch the following command:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Get-AADDevices -startdate $startdate -enddate $enddate

In order to retrieve all unified audit logs considered of interest from the past 30 days, except those related to Azure AD, which were already retrieved by the first command, launch:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Get-O365Light -startdate $startdate -enddate $enddate -Operationsset "AllbutAzureAD"

In order to retrieve all unified audit logs considered of interest in a time window between -90 days and -30 days from now launch the following command:

$enddate = (get-date).adddays(-30)
$startdate = (get-date).adddays(-90)
Get-O365Light -StartDate $startdate -Enddate $enddate -Operationsset All

If mailbox audit is enabled and you want also to retrieve Mailboxlogin operations you can use the dedicated switch, on large tenants beware of a 50.000 events per day limit retrieval.

Get-O365Light -StartDate $startdate -Enddate $enddate -Operationsset All -MailboxLogin $true

If there are users with Enterprise 5 licenses or if there is a Microsoft Defender for Office 365 Plan you can retrieve Microsoft Defender related logs with the following command:

$enddate = get-date
$startdate = $enddate.adddays(-90)
Get-DefenderforO365 -StartDate $startdate -Enddate $enddate

To retrieve all Exchange Online related records from the unified audit logs between Christmas eve and Boxing day, beware that performance might be poor on a large tenant:

$startdate = get-date "12/24/2020"
$enddate = get-date "12/26/2020"
Get-O365Full -StartDate $startdate -Enddate $enddate -RecordSet ExchangeOnly

You can use the search function to look for IP addresses, activity related to specific users or perfrom a freetext search in the unified audit logs:

$enddate = get-date
$startdate = $enddate.adddays(-90)
#Retrieve events using the Exchange online Powershell AppId
Search-O365 -StartDate $startdate -Enddate $enddate -FreeText "a0c73c16-a7e3-4564-9a95-2bdf47383716"

#Search for events related to the X.X.X.X and Y.Y.Y.Y IP adresses, argument is a string separated by comas.
Search-O365 -StartDate $startdate -Enddate $enddate -IPAddresses "X.X.X.X,Y.Y.Y.Y"

#Retrieve events related to users [email protected] and [email protected] , argument is a system.array object
Search-O365 -StartDate $startdate -Enddate $enddate -UserIds "[email protected]", "[email protected]"

When searching for specific users, Search-O365 will also search in the Mailbox Audit Log. Because depending on the user's licence level and settings, audit logs might not be present in the unified audit logs.

To retrieve all Azure Activity logs the account has access to, launch the following command, available subscriptions will be displayed:

$enddate = get-date
$startdate = $enddate.adddays(-90)
Get-AzRMActivityLogs -StartDate $startdate -Enddate $enddate

To retrieve all Azure DevOps Activity logs the account has access to, launch the following command, available Azure DevOps organizations will be displayed:

$enddate = get-date
$startdate = $enddate.adddays(-90)
Get-AzDevOpsActivityLogs -StartDate $startdate -Enddate $enddate

When using PowerShell Core the authentication process will require a device code, you will need to use the devicecode parameter and launch your browser, open the https://microsoft.com/devicelogin URL and enter the code provided by the following message:

PS> Get-O365Light -StartDate $startdate -Enddate $enddate -DeviceCode:$true
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate.

Files generated

All files generated are in JSON format.

  • Get-AADApps creates a file named AADApps_%FQDN%.json in the azure_ad_apps folder where FQDN is the domain name part of the account used to collect the logs.
  • Get-AADDevices creates a file named AADDevices_%FQDN%.json in the azure_ad_devices folder.
  • Get-AADLogs creates folders named after the current date using the YYYY-MM-DD format in the azure_ad_signin folder, in each directory a file called AADSigninLog_%FQDN%_YYYY-MM-DD_HH-00-00.json is created for Azure AD sign-ins logs. A folder azure_ad_audit is also created and results are dumped in files named AADAuditLog_%FQDN%_YYYY-MM-DD.json for Azure AD audit logs. Finally a folder called azure_ad_tenant is created and the general tenant information written in a file named AADTenant_%FQDN%.json.
  • Get-AzRMActivityLogs creates folders named after the current date using the YYYY-MM-DD format in the azure_rm_activity folder, in each directory a file called AzRM_%FQDN%_%SubscriptionID%_YYYY-MM-DD_HH-00-00.json is created where %SubscriptionID% is the Azure subscription ID. A folder called azure_rm_subscriptions is created and each subscription information written in a file named AzRMsubscriptions_%FQDN%.json.
  • Get-AzDevOpsActivityLogs creates folders named after the current date using the YYYY-MM-DD format in the azure_DevOps_activity folder, in each directory a file called AzDevOps_%FQDN%_%DevOpsOrganizationname%_YYYY-MM-DD_HH-00-00.json is created where %DevOpsOrganizationname% is the Azure DevOps organization name. A folder called azure_DevOps_orgs is created and each azure DevOps organization information written in a file named *AzdevopsOrgs_%FQDN%.json.
  • Get-O365Full creates folders named after the current date using the YYYY-MM-DD format in the O365_unified_audit_logs, in each directory a file called UnifiedAuditLog_%FQDN%_YYYY-MM-DD_HH-00-00.json is created.
  • Get-O365Light creates folders named after the current date using the YYYY-MM-DD format in the O365_unified_audit_logs, in each directory a file called UnifiedAuditLog_%FQDN%_YYYY-MM-DD.json is created.
  • Get-DefenderforO365 creates folders named after the current date using the YYYY-MM-DD format in the O365_unified_audit_logs, in each directory a file called UnifiedAuditLog_%FQDN%_YYYY-MM-DD_DefenderforO365.json is created.
  • Search-O365 creates folders named after the current date using the YYYY-MM-DD format in the O365_unified_audit_logs, in each directory a file called UnifiedAuditLog_%FQDN%YYYY-MM-DD%searchtype%.json is created, where searchtype can have the values "Freetext", "IPAddresses" or "UserIds". MailboxAuditLog_%FQDN%_YYYY-MM-DD_UserIds.json files can also be created when investigating activity from users.

Launching the various functions will generate a similar directory structure:

DFIR-O365_Logs
│   Get-AADApps.log
│   Get-AADDevices.log
│   Get-AADLogs.log
|   Get-AzRMActivityLogs
│   Get-DefenderforO365.log
│   Get-O365Light.log    
│   Search-O365.log
└───azure_ad_apps
│    │   AADApps_%FQDN%.json
└───azure_ad_audit
│    │   AADAuditLog_%FQDN%_YYYY-MM-DD.json
│    │   ...
└───azure_ad_devices
│    │   AADDevices_%FQDN%.json 
└───azure_ad_signin
│   │
│   └───YYYY-MM-DD
│       │   AADSigninLog_%FQDN%_YYYY-MM-DD_HH-00-00.json
│       │   ...
└───azure_ad_tenant
│    │   AADTenant_%FQDN%.json
└───azure_rm_activity
│   │
│   └───YYYY-MM-DD
│       │   AzRM_%FQDN%_%SubscriptionID%_YYYY-MM-DD_HH-00-00.json
│       │   ...
└───azure_rm_subscriptions
│    │   AzRMsubscriptions_%FQDN%.json
└───azure_DevOps_activity
│   │
│   └───YYYY-MM-DD
│       │   AzDevOps_%FQDN%_%DevOpsOrganisationname%_YYYY-MM-DD_HH-00-00.json
│       │   ...
└───azure_DevOps_orgs
│    │   AzdevopsOrgs_%FQDN%.json
└───O365_unified_audit_logs
│   │
│   └───YYYY-MM-DD
│       │   UnifiedAuditLog_%FDQN%_YYYY-MM-DD.json
│       │   UnifiedAuditLog_%FQDN%_YYYY-MM-DD_freetext.json
│       │   MailboxAuditLog_%FQDN%_YYYY-MM-DD_UserIds.json
│       │   UnifiedAuditLog_%FQDN%_YYYY-MM-DD_DefenderforO365.json
│       │   UnifiedAuditLog_%FQDN%_YYYY-MM-DD_HH-00-00.json
│       │   ...

More Repositories

1

AD-control-paths

Active Directory Control Paths auditing and graphing tools
C
650
star
2

rust-guide

Recommendations for secure applications development with Rust
Shell
591
star
3

ADTimeline

Timeline of Active Directory changes with replication metadata
PowerShell
466
star
4

bmc-tools

RDP Bitmap Cache parser
Python
465
star
5

polichombr

Collaborative malware analysis framework
Python
373
star
6

MLA

Multi Layer Archive - A pure rust encrypted and compressed archive file format
Rust
322
star
7

SecuML

Machine Learning for Computer Security
Python
271
star
8

libecc

Library for elliptic curves cryptography
C
258
star
9

ORADAD

Outil de récupération automatique des données de l'Active Directory / Automated tool for dumping Active Directory data
C++
215
star
10

SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
Java
178
star
11

ASCAD

Side Channels Analysis and Deep Learning
Python
174
star
12

cry-me

CRY.ME (CRYptographic MEssaging application)
Kotlin
168
star
13

ultrablue

User-friendly Lightweight TPM Remote Attestation over Bluetooth
Kotlin
163
star
14

ctf

Epreuves de sélection de la TeamFR pour l'ECSC 2019.
Python
156
star
15

AD-permissions

Active Directory permissions (ACL/ACE) auditing tools
PHP
144
star
16

DFIR4vSphere

Powershell module for VMWare vSphere forensics
PowerShell
138
star
17

tabi

BGP Hijack Detection
Python
109
star
18

bootcode_parser

A boot record parser that identifies known good signatures for MBR, VBR and IPL.
Python
97
star
19

SysvolExplorer

Active Directory Group Policy analyzer
C++
94
star
20

Binacle

Full-bin indexation of binary files
Rust
92
star
21

audit-radius

A RADIUS authentication server audit tool
Python
79
star
22

AnoMark

Algorithme d'apprentissage statistique permettant de créer un modèle sur les lignes de commandes des évènements "Création de Processus", afin de détecter des anomalies dans les évènements futurs
Python
78
star
23

bits_parser

Extract BITS jobs from QMGR queue and store them as CSV records
Python
73
star
24

route_leaks

BGP Route Leaks Detection
Python
69
star
25

transdep

Discover SPOF in DNS dependency graphs
Go
67
star
26

SecAESSTM32

Bibliothèque C et assembleur permettant le chiffrement/déchiffrement AES-128 de messages pour des composants grand public (famille STM32F3/STM32F4)
C
67
star
27

x509-parser

a RTE-free X.509 parser
C
58
star
28

guide-journalisation-microsoft

Guide journalisation Microsoft
PowerShell
56
star
29

mabo

MRT Parser
OCaml
46
star
30

chipsec-check

Tools to generate a Debian Linux distribution with chipsec to test hardware requirements
Shell
45
star
31

lidi

Transfer a raw TCP or Unix stream or files through a unidirectional link with forward error correction
Rust
44
star
32

shovel

Web interface to explore Suricata EVE outputs
JavaScript
38
star
33

picon

Picon
C
38
star
34

nogaxeh

Tools for analyzing hexagon code
C++
38
star
35

secAES-ATmega8515

Secure AES128 Encryption Implementation for ATmega8515
Assembly
34
star
36

OVALI

Generic graph exploration, manipulation and visualization tool (Outil de Visualisation et Analyse de Liens Inter-objets)
JavaScript
34
star
37

Open-ISO7816-Stack

This project aims to provide an open-source implementation of the ISO7816-3 communication protocol from the reader side. This protocol is ruling the interactions between a smartcard and a card-reader when using its contacts to communicate
C
33
star
38

packetweaver

A Python framework for script filing and task sequencing
Python
26
star
39

IPECC

A VHDL IP for ECC (Elliptic Curve Cryptography) hardware acceleration
VHDL
26
star
40

ADCP-DirectoryCrawler

AD-control-paths LDAP submodule
C
18
star
41

WAAD

Détection d'anomalie à partir des journaux d'authentification Windows
Python
17
star
42

cardstalker

CardStalker provides a UART-driven smartcard reader at the T=1 (see ISO7816-3) level (link and physical layer), where most of the smartcard reader devices on the market are only providing an APDU interface (application layer).
C
17
star
43

sftp2misp

Automation script to download JSON MISP files from a SFTP server and import them via API to a MISP instance.
Python
15
star
44

mdbook-checklist

mdbook preprocessor for generating checklists and indexes
Rust
13
star
45

cornetto

Outil de gestion de version statique de site web
JavaScript
10
star
46

pciemem

Linux kernel module for driving an USB3380 board, exposing a /dev/pciemem device node on the analysis machine representing the physical memory of the machine under test
C
10
star
47

ORADAZ

Outil de récupération automatique des données AZure / Automated tool for dumping Azure configuration data
Rust
10
star
48

xsvgen

XML Schema Validator Generator
OCaml
10
star
49

ProTIP

ProTIP permet de caractériser la connectivité réelle entre composants d'une architecture PCI Express
Prolog
9
star
50

coq-prelude

General-purpose monad typeclass hierarchy for Coq
Coq
8
star
51

scep

Security Contexts for Enhanced Protection Linux Security Module
C
7
star
52

libdrbg

A portable library implementing NIST SP 800-90A DRBGs
C
7
star
53

Faults_analyzer

Logiciel d'analyse de campagnes de perturbations sur composants
Python
6
star
54

hackropole-hugo

A Hugo theme to host Capture-The-Flag (CTF) challenges as a static website like hackropole.fr.
HTML
6
star
55

caradoc

A PDF parser and validator
6
star
56

WSUS_Audit

Auditing scripts for WSUS infrastructures
6
star
57

DroidWorks

Rust
5
star
58

libapn

libapn is a header-based C++ library developed to study vectorial Boolean functions, including but not limited to APN functions.
C++
5
star
59

pycrate

A Python library to ease the development of encoders and decoders for various protocols and file formats; contains ASN.1 and CSN.1 compilers.
5
star
60

ADCP-libdev

AD-control-paths libraries submodule
C
5
star
61

caml-crush

Caml Crush: an OCaml PKCS#11 filtering proxy
3
star
62

Faults_experiments

Résultats bruts de campagnes de perturbation de composants réalisées par le laboratoire de sécurité des composants de l'ANSSI
Python
2
star
63

eurydice

A user-friendly solution to transfer files through a physical diode using the Lidi utility, complete with data retention, file history, user accounts and admin management. Provides a scriptable API and a web interface.
2
star
64

DECODE

Malware detection tool for Windows PE files based on DFIR ORC data
Python
2
star
65

scantru

Non-Profiled Side Channel Analysis on NTRU
Jupyter Notebook
1
star
66

concerto

Toolset to analyse TLS datasets
1
star
67

opkcs11-tool

opkcs11-tool: managing and operating PKCS #11 security tokens in OCaml
1
star