#dfir #knowledgedrop #networkforensics
Came across this gem again: a nice network analysis framework
https://github.com/arkime/arkime
#DFIR #knowledgedrop #azure #m365
I noticed recently that M365/Azure Personal licenses ("Px"), in contrast to Enterprise ("Ex") licenses, do not seem to include all logs. E.g. Azure Sign-In Logs only exist for 7 days, not 90/180 days.
So when combining an M365 Business with a small Azure license, there are hardly any logs.
The most important logfiles in #azure are:
ENABLED by default:
1) Tenant Logs: Sign-In Logs & Audit Logs
2) Subscription Logs: Activity Logs
3) Security Logs (Risky Users)
DISABLED by default:
4) Resource Logs
5) Diagnostic Logs: Operating System Logs
6) Diagnostic Logs: Application Logs
#m365 also has:
7) Unified Audit Log (UAL) - enabled by default
8) (specialized logs for applications like Exchange, SharePoint, etc. - an extract is also in UAL)
If you need to acquire #azure / #m365 logs, be aware that the web UI only allows extracting a small amount.
If you want to extract all the logs, have a look at https://github.com/invictus-ir/Microsoft-Extractor-Suite
You need "global reader" permissions, and watch out for conditional access policies: they can block your access and result in really weird error messages (e.g. that the module does not exist).
Most important logs are (usually) SignIn logs and UAL.
#psexec can be detected by .key files:
"Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]
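To turn the naming convention quoted above into a check, here is an added example (not from the post or the cited source) that scans a CSV export of USN journal records for `.key` files matching `PSEXEC-[Source Hostname]-[8 Unique Characters].key` directly under `C:\Windows`, and collapses the journal entries of each file into one record per PsExec run. The CSV layout (`timestamp,path,reason`), the sample records, and the assumption that the 8 trailing characters contain no hyphen are mine; the USN journal keeps the entry even after the file itself has been deleted, which is why the journal rather than the live file system is the place to look.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Naming convention quoted above: PSEXEC-[Source Hostname]-[8 Unique Characters].key
# Assumption (mine, not from the post): the 8 trailing characters contain no hyphen,
# so the greedy "source" group backtracks correctly for hostnames such as "WS-01".
# IGNORECASE because NTFS name comparisons are case-insensitive.
KEY_FILE_RE = re.compile(r"^PSEXEC-(?P<source>.+)-(?P<uid>[^-]{8})\.key$", re.IGNORECASE)

# The post states the file is written to C:\Windows; compared case-insensitively.
EXPECTED_PARENT = "c:\\windows"


@dataclass(frozen=True)
class PsExecHit:
    timestamp: str
    source_host: str   # hostname of the machine PsExec was launched from
    key_id: str        # the 8-character unique part of the file name
    path: str
    reason: str        # USN change reason(s) recorded for this entry


def split_path(path: str) -> Tuple[str, str]:
    """Split an NTFS path into (parent directory, file name)."""
    parent, _, name = path.rpartition("\\")
    return parent, name


def find_psexec_key_files(usn_csv: str) -> List[PsExecHit]:
    """Scan CSV-formatted USN journal records (columns: timestamp,path,reason) and
    return every entry whose file name matches the PsExec .key convention in C:\\Windows."""
    hits: List[PsExecHit] = []
    for row in csv.DictReader(io.StringIO(usn_csv)):
        parent, name = split_path(row["path"])
        match = KEY_FILE_RE.match(name)
        if match is None or parent.lower() != EXPECTED_PARENT:
            continue
        hits.append(PsExecHit(
            timestamp=row["timestamp"],
            source_host=match.group("source"),
            key_id=match.group("uid"),
            path=row["path"],
            reason=row["reason"],
        ))
    return hits


def group_by_execution(hits: List[PsExecHit]) -> Dict[Tuple[str, str], List[str]]:
    """One PsExec run produces one .key file; collapse its create/write/delete journal
    entries into a single (source_host, key_id) record listing the reasons in order."""
    runs: Dict[Tuple[str, str], List[str]] = {}
    for hit in hits:
        runs.setdefault((hit.source_host, hit.key_id), []).append(hit.reason)
    return runs


# Constructed sample USN journal export (not real data). Backslashes are doubled
# because this is a normal, non-raw Python string.
SAMPLE_USN_CSV = """timestamp,path,reason
2024-01-15 10:02:11,C:\\Windows\\PSEXEC-WS-01-A1B2C3D4.key,FileCreate
2024-01-15 10:02:11,C:\\Windows\\PSEXEC-WS-01-A1B2C3D4.key,DataExtend|Close
2024-01-15 10:02:12,C:\\Windows\\PSEXEC-WS-01-A1B2C3D4.key,FileDelete|Close
2024-01-15 10:30:45,C:\\Windows\\System32\\config\\SYSTEM.LOG1,DataOverwrite
2024-01-15 11:15:03,C:\\Temp\\PSEXEC-SOMEHOST-ZZZZZZZZ.key,FileCreate
2024-01-15 11:20:00,C:\\Windows\\psexec-JUMPHOST-9F8E7D6C.KEY,FileCreate
"""

if __name__ == "__main__":
    runs = group_by_execution(find_psexec_key_files(SAMPLE_USN_CSV))
    for (source, key_id), reasons in runs.items():
        print(f"PsExec run from {source} (key {key_id}): {' -> '.join(reasons)}")
```

The parent-directory check matters: a `.key` file with the right name in any other folder (the `C:\Temp` row above) is not what the convention describes and is skipped, while the three journal entries for the `WS-01` file are reported as one run. The recovered source hostname is the pivot for the next step of the investigation, since it names the machine the command was launched from.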
#Windows #activedirectory #dfir #knowledgedrop
I learned today that depending on how you access your network shares, it triggers different protocols:
\\IP => NTLM
\\servername => NTLM
\\FQDN => Kerberos
PS: for everyone who doesn't know Windows protocols: NTLM is less secure and an easier target for attackers.
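The three rules above can be applied mechanically to a list of UNC paths pulled from logon scripts or drive mappings, to find the ones that will end up on NTLM. Here is an added example (mine, not from the post) that does that: it extracts the host from each `\\host\share` path, classifies it as an IP literal, a single-label name or an FQDN, and reports the expected protocol. Using the `ipaddress` module means IPv6 literals are treated like IPv4 ones, which goes slightly beyond the post's "\\IP" wording; the sample paths are constructed.

```python
import ipaddress
from typing import List, Tuple

NTLM = "NTLM"
KERBEROS = "Kerberos"


def unc_host(path: str) -> str:
    """Return the host component of a UNC path such as \\\\host\\share\\dir.
    Raises ValueError for anything that is not a UNC path."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    host = path[2:].split("\\", 1)[0]
    if not host:
        raise ValueError(f"UNC path has no host: {path!r}")
    return host


def is_ip_literal(host: str) -> bool:
    """True for IPv4 or IPv6 address literals (IPv6 handling is an extension of the post)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_auth(path: str) -> Tuple[str, str]:
    """Apply the rule from the post: an IP literal or a single-label name ends up on NTLM,
    a fully qualified name lets the client obtain a Kerberos ticket for the cifs/<fqdn> SPN."""
    host = unc_host(path)
    if is_ip_literal(host):
        return NTLM, "IP address literal"
    if "." not in host.rstrip("."):
        return NTLM, "single-label (NetBIOS-style) name"
    return KERBEROS, "fully qualified domain name"


def ntlm_prone_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Filter UNC paths down to those expected to negotiate NTLM, with the reason why."""
    flagged = []
    for path in paths:
        protocol, why = expected_auth(path)
        if protocol == NTLM:
            flagged.append((path, why))
    return flagged


# Constructed sample: the kind of list you would collect from drive-mapping scripts.
SAMPLE_PATHS = [
    "\\\\10.0.0.5\\finance",
    "\\\\FILESRV01\\public",
    "\\\\filesrv01.corp.example\\public",
    "\\\\backup.corp.example\\archive",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        protocol, why = expected_auth(path)
        print(f"{path:45} -> {protocol:8} ({why})")
```

Rewriting the flagged paths to the FQDN form is the fix the post implies; the audit output tells you which mappings need it and why they were flagged.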
There's a newish #linux tool similar to #sysmon by @0xrawsec from @circl
https://why.kunai.rocks/
(see also @kunai_project )
PS: it is written in #rust