Skip to content

Latest commit

 

History

History
177 lines (145 loc) · 9.87 KB

S01E02.md

File metadata and controls

177 lines (145 loc) · 9.87 KB

🐾 S01E02 - The post-person

The message's first stop was the Exchange Online environment of Piesec Corp. In this first season os Spoors, we will not focus on the Exchange Online Protection features or the Microsoft Defender for Office features. So this is somewhat a special episode as in this one, we will look at some of the advanced hunting tables available in the Defender 365 portal.

The investigation could have started from different angles. Here are some examples:

  1. The user reported the email. So we start with the Message-ID (the default reporting options are allowing the user the report the message as a Phishing attempt. Which the message is not, but at least it would bring awareness of the email to the administrators).
  2. We could have spotted weird things being created from an Excel file Ahah-Macro.xlsm and look for mail attachment containing the name or the hash of that file.

If we have the identifier of the message we can look for it in the Advanced Audit logs in the compliance center, from the OfficeActivity table in Sentinel or the activity section in MCAS if it was configured to get the Exchange Online activity.

🔎 We have the message id can we tell if there was an attachment?

Yes. Something along these lines:

EmailEvents
| where InternetMessageId == "<CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>"
| join kind=leftouter (
    EmailAttachmentInfo
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, FileName, FileSize, SHA256

Will return:

Timestamp SenderFromAddress RecipientEmailAddress Subject DeliveryAction DeliveryLocation FileName FileSize SHA256
Oct 24, 2021 9:36:58 PM [email protected] [email protected] 🎯 Will you open it pretttttty please? Delivered Inbox/folder Ahah-Macro.xlsm 14321 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4

📁 We have the file name, can we tell if it was received by email?

If we have the name Ahah-Macro.xlsmAhah-Macro.xlsm or the SHA256 hash 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4 we can check where it got delivered with:

EmailAttachmentInfo
| where FileName =~ "Ahah-Macro.xlsm" or SHA256 == "6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4"
| join kind=leftouter (
    EmailEvents
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, FileName, FileSize, SHA256

Will return:

Timestamp SenderFromAddress RecipientEmailAddress Subject DeliveryAction DeliveryLocation FileName FileSize SHA256
Oct 24, 2021 9:37:29 PM [email protected] [email protected] 🎯 Will you open it pretttttty please? Delivered Inbox/folder Ahah-Macro2.xlsm 14321 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4
Oct 24, 2021 9:36:58 PM [email protected] [email protected] 🎯 Will you open it please? Delivered Inbox/folder Ahah-Macro.xlsm 14321 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4

We can see that bob too has received the message. And we can also see that although the file name is different (Ahah-Macro2.xlsm instead of Ahah-Macro.xlsm) the hash is the same.

❓ Who read the message?

We can see at least two recipients received the message. But have they read it? The next request is querying the OfficeActivity from Microsoft Sentinel to determine if the mail was opened.

OfficeActivity
| where Folders contains "<CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>"
| project TimeGenerated, Operation, UserId, MailboxGuid

Will return:

TimeGenerated Operation Operation UserId MailboxGuid
10/25/2021, 3:40:03.000 AM MailItemsAccessed [email protected] d71c21e3-7351-4374-8112-f0b355316a5b

So we can see that Verena has seen the message. And that Bob has not. We can't know if the attachement was downloaded in our case.

If we have eyes on the devices, we could see the file being written on the disk. Interresting fact, with the Outlook client it seems that the attachement get written on the disk even if the user doesn't click save. When the user selects the attachement and clicks and then sees this:

attachment warning

The file is written on the disk in the path defined here: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder which by default seems to be the following path: C:\Users\<USER>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<SOME RANDOM STRING>\.

Appendix - ❓ Where was the message from?

Here are the message headers:

Received: from YQBPR0101MB4507.CANPRD01.PROD.OUTLOOK.COM
 (2603:10b6:c01:16::20) by YT1PR01MB3212.CANPRD01.PROD.OUTLOOK.COM with HTTPS;
 Fri, 27 Aug 2021 14:13:40 +0000
Received: from CH2PR16CA0018.namprd16.prod.outlook.com (2603:10b6:610:50::28)
 by YQBPR0101MB4507.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:16::20) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.17; Fri, 27 Aug
 2021 14:13:39 +0000
Received: from TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
 (2603:10b6:610:50:cafe::b8) by CH2PR16CA0018.outlook.office365.com
 (2603:10b6:610:50::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.19 via Frontend
 Transport; Fri, 27 Aug 2021 14:13:38 +0000
Authentication-Results: spf=pass (sender IP is 185.70.40.132)
 smtp.mailfrom=protonmail.com; piesec.ca; dkim=pass (signature was verified)
 header.d=protonmail.com;piesec.ca; dmarc=pass action=none
 header.from=protonmail.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of protonmail.com
 designates 185.70.40.132 as permitted sender)
 receiver=protection.outlook.com; client-ip=185.70.40.132;
 helo=mail-40132.protonmail.ch;
Received: from mail-40132.protonmail.ch (185.70.40.132) by
 TO1CAN01FT013.mail.protection.outlook.com (10.152.122.97) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4457.17 via Frontend Transport; Fri, 27 Aug 2021 14:13:38 +0000
Date: Fri, 27 Aug 2021 14:13:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
	s=protonmail; t=1630073616;
	bh=VEhJ3zPZH28J4o3XjLFPxgc1SM55McMhM/XoYjzlqiw=;
	h=Date:To:From:Reply-To:Subject:From;
	b=Hv7EzcUgH8bcshJnYAqQrE36qLzUQslvxg7KhyqJ0Rqv62Zz6BNKc/986D1daZyQi
	 M/LWPKXNJiqIgTi447X/YLfiRdem4lvzbWbt7B3WgysDWfK5h5mCAQpCP7IoVUDEMB
	 rz5+XH3hhADj3J2l4JPYZtQoAxfFKAx5K1gHuFjs=
To: "[email protected]" <[email protected]>
From: =?utf-8?B?8J+lpw==?= <[email protected]>
Reply-To: =?utf-8?B?8J+lpw==?= <[email protected]>
Subject: =?utf-8?Q?=F0=9F=8E=AF_Will_you_open_it_please=3F?=
Message-ID: <CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="b1_0Pq6VzmQxDxplrTZe62VRMSkf6Uk6Xoa4pCBkYcU1M"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE
	shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
	mailout.protonmail.ch
Return-Path: [email protected]
X-MS-Exchange-Organization-ExpirationStartTime: 27 Aug 2021 14:13:38.6946
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 91acff0b-d876-4c5a-9273-08d96964ddb5
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 550a9b78-cb2e-43e0-9c5b-db194784b875:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-AuthSource:
 TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 91acff0b-d876-4c5a-9273-08d96964ddb5
X-MS-TrafficTypeDiagnostic: YQBPR0101MB4507:
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-SafeAttachmentProcessing:
X-MS-Oob-TLC-OOBClassifiers: OLM:1728;
X-MS-Exchange-Organization-ACSExecutionContext: 08/27/2021 14:13:39;08/27/2021
 14:13:39;DropDueToAllKnownVerdict;SC;S;0;01/01/0001 00:00:00;0|0|0|0|;
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
 CIP:185.70.40.132;CTRY:CH;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-40132.protonmail.ch;PTR:mail-40132.protonmail.ch;CAT:NONE;SFS:(4636009)(1096003)(6512007)(2616005)(36736006)(85182001)(166002)(7596003)(3450700001)(118246002)(33964004)(356005)(336012)(6486002)(2160300002)(6916009)(7636003)(6506007)(5660300002)(956004)(58800400005)(26005)(86362001)(36756003)(564344004)(99400200001);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Aug 2021 14:13:38.4377
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 91acff0b-d876-4c5a-9273-08d96964ddb5
X-MS-Exchange-CrossTenant-Id: 550a9b78-cb2e-43e0-9c5b-db194784b875
X-MS-Exchange-CrossTenant-AuthSource:
 TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR0101MB4507
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5924616
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4457.023
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;auth:0;dest:I;ENG:(20160514016)(750129)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info:
	=?us-ascii?Q?9R+E0iobsMjQXXy/IURZemOoURWfc2KZP5smk93zjbvKn7l7+uk+fs9AnVJa?=
    ...
X-MS-Exchange-Safelinks-Url-KeyVer: 1