hiddenillusion

rule test_yara_rule
{
  strings:
    $0 = "Command" nocase wide ascii
    $1 = "Windows" nocase wide ascii
  condition:
    any of them
}

hiddenillusion

Visualization

Name/Link	Description/Purpose	Tags
beagle	Transforms data sources and logs into graphs.	fireeye:hx, win:evtx

Helpers

• EVTX logs

hiddenillusion

TOTAL_EXPECTED_FILES=$1
INGESTED=`find /path/to/logs -type f | wc -l`
PERCENTAGE=`echo $INGESTED/$TOTAL_EXPECTED_FILES*100 | bc -l`
echo $INGESTED" / "$TOTAL_EXPECTED_FILES" ( "$PERCENTAGE"% )"

CLI:

hiddenillusion

Application IDs withing the UAL

Application Name	ID
Global PowerShell	1b730954-1685-4b74-9bfd-dac224a7b894
Microsoft.Azure.ActiveDirectory	00000002-0000-0000-c000-000000000000
Microsoft.Azure.AnalysisServices	00000009-0000-0000-c000-000000000000
Microsoft.Azure.Workflow	00000005-0000-0000-c000-000000000000
Microsoft Office Client Service	0f698dd4-f011-4d23-a33e-b36416dcb1e6
Microsoft.Exchange	00000002-0000-0ff1-ce00-000000000000

hiddenillusion

If you have an Office 365 E3 or E5 business subscription, it includes security and compliance tools. In that case, you have access to these additional roles: Compliance administrator, eDiscovery Manager, Organization management, Reviewer, Security Administrator, Security Reader, Service Assurance User, Supervisory Review.

• https://support.office.com/en-us/article/about-office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d

hiddenillusion

Web logs

• User-Agent is rare
• User-Agent is new
• Domain is rare
• Domain is new
• High frequency of http connections
• URI is same
• URI varies but length is constant
• Domain varies but length is constant
• Missing referrer

hiddenillusion

Term	Description	Link(s)
Alias	Another email address that people can use to email
App Password	An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
Alternate email address	Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users
AuditAdmin
AuditDelegate
Delegate	An account with assigned permissions to a mailbox.
Display Name	Name that appears in the Address Book & on the TO and From lines on an email.
EAC	"Exchange Admin Center"

hiddenillusion

• https://github.com/CherryHealth/Systems/blob/03d565b9f5c9dc89789158233e1bbf0ed3293830/Office365/LoginOlderThan30Days.ps1
• https://github.com/rorican4040/AllTheScripts/blob/f312f10b7d61837ec4d973d3ce7860becb247308/GetSharedMailboxes.ps1
• https://github.com/dmali777/DailyUse-PowershellScripts/blob/df50e3f0d0e32cc373d6d721f8692b33aa5eaed7/GetInboxRules.ps1
• https://github.com/seth2000/PSGetUserLogonTimeFromAD/blob/718cda33e88b3e692f660449f82604451f48f1e2/PSGetUserLogonTimeFromAD/Get%20a%20list%20of%20Mailboxes%20with%20sizes%20and%20sorted%20by%20size.ps1
• https://github.com/rravenhill/exchangescripts/blob/d1179d52b5be09c40edb99a2ce0c62ce409e90dd/export-forwards.ps1
• https://support.microsoft.com/en-us/help/4021960/how-to-use-mailbox-audit-logs-in-office-365

hiddenillusion

X-TENSIONS

• https://www.x-ways.net/forensics/x-tensions/api.html
• https://github.com/chadgough/x-tensions
• http://www.4discovery.com/our-tools/
• https://www.gaijin.at/en/xtmultifilefinder.php
• https://gist.github.com/danzek/deb2760e345bbd0a2404
• https://github.com/jp-slackspace/x-tension-c-sharp
• https://github.com/forensenellanebbia/xways-forensics
• https://github.com/Ogni75/XWFHashExport

hiddenillusion

AWS

Configuration

• No U2F available
• AWS Organizations | Notes on configuring aws organizations

Terminology

Term | Meaning | Notes