  • Language
    PowerShell
  • License
    GNU General Publi...
  • Created almost 2 years ago
  • Updated 8 months ago

Repository Details

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.

Getting started with the Microsoft-Extractor-Suite

To get started with the Microsoft-Extractor-Suite, check out the Microsoft-Extractor-Suite docs.

About Microsoft-Extractor-Suite

Microsoft-Extractor-Suite is a fully featured, actively maintained PowerShell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.

The following Microsoft data sources are supported:

  • Unified Audit Log
  • Admin Audit Log
  • Mailbox Audit Log
  • Mailbox Rules
  • Transport Rules
  • Message Trace Logs
  • Azure AD Sign-In Logs
  • Azure AD Audit Logs
  • Registered OAuth applications in Azure AD

Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the Invictus IR team.

Usage

To get started with the Microsoft-Extractor-Suite tool, make sure the requirements are met. If you do not have Connect-ExchangeOnline and/or Connect-AzureAD installed, check the installation guide.

The first step is to import the Microsoft-Extractor-Suite:

Import-Module .\Microsoft-Extractor-Suite.psd1

You must sign in to Microsoft 365 or Azure, depending on your use case, before running the functions. To sign in, use the cmdlets:

Connect-M365

Connect-Azure
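
The steps above can be wrapped in a preflight check so that a missing requirement is caught before any sign-in is attempted. This is an added example, not code from the Microsoft-Extractor-Suite project; the helper name Test-ExtractorPrerequisite is hypothetical, and the script assumes it is run from the directory that contains the module manifest.

```powershell
# Added example: preflight check before importing Microsoft-Extractor-Suite.
# Test-ExtractorPrerequisite is a hypothetical helper, not part of the module.
function Test-ExtractorPrerequisite {
    param(
        # Path to the module manifest, as used in the import step
        [string]$ManifestPath = '.\Microsoft-Extractor-Suite.psd1'
    )

    # Cmdlets the usage section names as requirements
    $requiredCmdlets = 'Connect-ExchangeOnline', 'Connect-AzureAD'

    # Get-Command looks the cmdlets up in installed modules; it makes no connection
    $missing = @(foreach ($name in $requiredCmdlets) {
        if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue)) { $name }
    })

    [pscustomobject]@{
        ManifestFound  = Test-Path -LiteralPath $ManifestPath -PathType Leaf
        MissingCmdlets = $missing
    }
}

$check = Test-ExtractorPrerequisite
if (-not $check.ManifestFound) {
    throw 'Microsoft-Extractor-Suite.psd1 not found; run this from the module directory.'
}
if ($check.MissingCmdlets.Count -gt 0) {
    throw "Missing required cmdlets: $($check.MissingCmdlets -join ', '). See the installation guide."
}

# Stop on import errors instead of continuing with a partially loaded module
Import-Module .\Microsoft-Extractor-Suite.psd1 -ErrorAction Stop

# Sign in to the service the collection needs; run one or both
Connect-M365
Connect-Azure
```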