This three-part blog series is about Business Email Compromises (BEC) targeting Office 365 environments and our insights as incident responders. The first post can be found here and contains an introduction to BEC attacks and the challenges that often arise in these types of investigations. In this post, we will publish a script that can be used to acquire audit logs from an Office 365 environment. Audit logs are a critical part of BEC investigations, as these can help in determining when an attacker accessed the environment or when a forwarding rule was created. The third post includes information and tips to identify malicious or suspicious behavior in the Office 365 audit logs.

The intent of developing an open source script is to share our knowledge, tooling and experiences of BEC investigations. We hope this can help disrupt these threat actors, contribute to building trust in society, and encourage other organizations to share their knowledge and help those in need of assistance. If you just want to obtain the script follow this link to our GitHub page.

The Unified Audit Log

The aforementioned challenges have inspired us to create a solution for complete and reliable acquisition of the Office 365 Unified Audit Log (UAL). The UAL is a critical piece of evidence in a BEC investigation because it is a centralized source for all Office 365 events. The UAL contains at least 46 categories of data, including events from Azure, Exchange, SharePoint, OneDrive, and Skype. Microsoft currently offers three methods for viewing and exporting the UAL: the Security & Compliance Center, the Office 365 Management API, or the Search-UnifiedAuditLog cmdlet. A common limitation when acquiring the UAL is that a single query returns at most 5,000 sorted records or 50,000 unsorted records. In our experience, every BEC investigation has more than 50,000 records, and usually includes at least several million. Furthermore, the small number of records per extraction creates a repetitive and inefficient process of downloading numerous sets of records into dozens of separate Excel files.

Creating a reliable solution

The above methods present inefficiencies for extracting large amounts of historical records, which are necessary for conducting a BEC investigation. The lack of efficient technical solutions is the primary motivation for creating Office 365 Extractor. Office 365 Extractor directly improves on the traditional acquisition methods by efficiently acquiring the complete UAL. Office 365 Extractor addresses the export limit by automatically creating a new session every time the 5,000 sorted record limit is reached. This continues until the desired number of records is extracted, which addresses the need to acquire large amounts of historical records.

The overall workflow of investigating a BEC case with Office 365 Extractor is divided into five segments:

1. Execute script
2. Determine scope and interval
3. Choose extraction method and start extraction
4. Process data
5. Analyze data

The first three segments are discussed below but the segments about processing and analysis are discussed in the next blog post. Let's take a closer look at the first three segments and how they improve the overall process of acquiring the UAL with Office 365 Extractor.

Using Office 365 Extractor

Preparation

There are several preparatory steps that need to be considered before using Office 365 Extractor. The first step is to obtain a Microsoft Office 365 account that holds the Audit Logs or View-Only Audit Logs role. By default these roles are assigned to the Compliance Management and Organization Management groups, which possess more privileges than necessary to use Office 365 Extractor. Therefore, it is recommended to create a new user account with only the View-Only Audit Logs or Audit Logs role enabled. These permissions grant the minimum level of privilege necessary and can be set in the Exchange Admin Center. The next preparatory step involves interaction with Office 365 Extractor.
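The least-privilege setup described above can also be done from Exchange Online PowerShell instead of the Exchange Admin Center. The following is an added example, not part of Office 365 Extractor; it assumes the Exchange Online PowerShell module is installed, that the two user principal names are placeholders for accounts in your tenant, and that the acquisition account already exists.

```powershell
# Added example (not part of Office 365 Extractor): put the acquisition account in a
# custom role group that carries only the View-Only Audit Logs role, instead of adding
# it to Compliance Management or Organization Management.
# Assumes the Exchange Online PowerShell module; both UPNs below are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.onmicrosoft.com'

$acquisitionUser = 'ual-reader@example.onmicrosoft.com'   # placeholder: dedicated IR account

# One role, one member: nothing beyond reading the Unified Audit Log is granted.
New-RoleGroup -Name 'UAL Acquisition' `
              -Roles 'View-Only Audit Logs' `
              -Members $acquisitionUser `
              -Description 'Read-only access to the Unified Audit Log for incident response'

# Verify that the group carries exactly the expected role before handing over the account.
Get-ManagementRoleAssignment -RoleAssignee 'UAL Acquisition' |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType

# Confirm the account does not also sit in one of the broader built-in groups.
Get-RoleGroupMember -Identity 'Organization Management' |
    Where-Object { $_.PrimarySmtpAddress -eq $acquisitionUser }
```

Keeping the acquisition account in its own role group also makes its activity easy to recognise in the UAL later: every Search-UnifiedAuditLog call it makes is itself logged under that identity.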

At the start of an investigation it is often unknown which log sources are available or how many logs exist. This information is required to determine the scope and time interval that is used with Office 365 Extractor. The scope includes the total amount and type of records available and the time period of interest. To determine the scope, choose the first option of the script that indicates the available logging from the 46 different log types.

Then enter a start and end date that is relevant for the investigation. It is also necessary to designate a time interval between the start and end dates, which should roughly reflect the time it takes to accumulate 5,000 records. The reason for setting a time interval is that Office 365 Extractor addresses the export limit by automatically creating a new session every time the 5,000 record limit is reached. However, regardless of whether a large or small interval is chosen, the script adapts to the amount of logs in a given time frame and guarantees all logs are extracted. We recommend 60 minutes as a default time interval, but this amount may vary based on your investigation. Once the scope and interval are determined, the next step is acquiring the desired record type.
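To show what scoping looks like in practice, here is an added example (not the script's own option 1) that counts, per record type, how many UAL entries fall within the investigation window and derives a starting interval from the busiest type. It assumes an Exchange Online PowerShell session is already open under an account holding the View-Only Audit Logs role; the record type list is a constructed subset of the 46 types, and the interval heuristic is ours, not the script's.

```powershell
# Added example (not part of Office 365 Extractor): probe each record type for the
# investigation window and report record counts, then suggest an interval such that
# one interval holds roughly 5,000 records. Assumes an open Exchange Online session.

$StartDate   = [datetime]'2019-01-01'     # constructed investigation window
$EndDate     = [datetime]'2019-02-01'
$RecordTypes = @(                          # constructed subset of the 46 UAL record types
    'AzureActiveDirectoryStsLogon',
    'ExchangeAdmin',
    'ExchangeItem',
    'ExchangeItemGroup',
    'ExchangeAggregatedOperation',
    'SharePointFileOperation'
)

$scope = foreach ($type in $RecordTypes) {
    # ResultSize 1 keeps the probe cheap; ResultCount on the returned record
    # reports the total number of matches for the session's query.
    $probe = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                 -RecordType $type `
                 -SessionId ([guid]::NewGuid().ToString()) `
                 -SessionCommand ReturnLargeSet -ResultSize 1
    $count = if ($probe) { [int]@($probe)[0].ResultCount } else { 0 }
    [pscustomobject]@{ RecordType = $type; Records = $count }
}

$scope | Sort-Object Records -Descending | Format-Table -AutoSize

# Heuristic (ours, not the script's): size the interval so the busiest type yields
# about 5,000 records per interval, never exceeding the post's 60-minute default.
$totalMinutes = ($EndDate - $StartDate).TotalMinutes
$busiest      = ($scope | Measure-Object -Property Records -Maximum).Maximum
if ($busiest -gt 0) {
    $suggested = [math]::Max(1, [math]::Min(60, [math]::Floor($totalMinutes * 5000 / $busiest)))
    Write-Host "Busiest record type has $busiest records; suggested interval: $suggested minute(s)"
} else {
    Write-Host 'No records found for the probed types in this window'
}
```

A record type that reports zero here may still be worth extracting later: retention for the UAL is limited, so a count of zero for an early part of the window can mean the data has already aged out rather than that no activity occurred.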

Acquisition

Office 365 Extractor allows a user to extract logs based on three options: all logging, group logging or specific audit logging. Once the specific type is chosen, the script extracts the defined logs to one or more CSV files in the LogDirectory. The following is an overview of the three acquisition options:

All Logs: extracts all available logs in the Office 365 environment. Since all available logs are extracted, this option is likely to include irrelevant data, but it could be relevant for some investigations. Furthermore, the large amount of data increases the time and effort of acquiring, processing and analysing the logs.

Group Audit Logs: extracts all data for any available record type group. For example, extracting the Exchange group includes data for ExchangeAdmin, ExchangeAggregatedOperation, ExchangeItem, and ExchangeItemGroup. This option produces one larger CSV file containing all of the data for the group.

Specific Audit Logs: extracts individual data sets from the 46 available record types. For example, only extract logs of the ExchangeAdmin record type from the Exchange group. This is a good option when certain logs are known to be relevant for an investigation. This process can be repeated for any number of specific logs, which are then written to separate CSV files.

The output files are hashed using the SHA256 algorithm. This allows the audit logs to be used as evidence and maintains a proper chain of custody. Hashing is considered a best practice for digital forensic practitioners because it reduces the chance of evidence being tampered with and proves over time that the evidence has not changed.
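The acquisition loop and the hashing step described in the two sections above, as an added example rather than the Office 365 Extractor script itself (its exact logic may differ): one record type is pulled over a date range in fixed windows, every window gets a fresh Search-UnifiedAuditLog session, a window whose ResultCount exceeds what one session can return is split in half and retried, and the finished CSV is hashed with SHA256. It assumes an Exchange Online PowerShell session is already open under an account holding the View-Only Audit Logs role; the dates, the LogDirectory path and the 50,000-per-session cap are constructed or taken from this post.

```powershell
# Added example, not Office 365 Extractor's own code: interval-based, session-per-window
# acquisition of one UAL record type, with adaptive splitting and SHA256 hashing.
# Assumes Connect-ExchangeOnline (or an equivalent remote session) has already been run.

$RecordType      = 'ExchangeAdmin'
$StartDate       = [datetime]'2019-01-01'          # constructed investigation window
$EndDate         = [datetime]'2019-01-03'
$IntervalMinutes = 60                              # the post's recommended default
$LogDirectory    = Join-Path $PWD 'LogDirectory'   # constructed output location
$PageSize        = 5000                            # largest ResultSize the cmdlet accepts
$SessionCap      = 50000                           # unsorted records one session can return

New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
$OutFile = Join-Path $LogDirectory "$RecordType.csv"
if (Test-Path $OutFile) { Remove-Item $OutFile }   # start from a clean evidence file

function Export-Window {
    param([datetime]$From, [datetime]$To)

    # A new SessionId per window: the cmdlet pages inside a session, and a session is
    # never reused across windows, so the per-session cap only matters within one window.
    $sessionId = [guid]::NewGuid().ToString()
    $page = Search-UnifiedAuditLog -StartDate $From -EndDate $To -RecordType $RecordType `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize $PageSize
    if (-not $page) { return 0 }

    # ResultCount on the first page is the total for the query; if one session cannot
    # hold it, halve the window and recurse (stopping at one-second windows).
    $expected = [int]@($page)[0].ResultCount
    if ($expected -gt $SessionCap -and ($To - $From).TotalSeconds -gt 1) {
        $mid = $From.AddSeconds([math]::Floor(($To - $From).TotalSeconds / 2))
        return (Export-Window -From $From -To $mid) + (Export-Window -From $mid -To $To)
    }

    # Page through the session until a short page signals the end.
    $written = 0
    while ($page) {
        $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
            Export-Csv -Path $OutFile -Append -NoTypeInformation -Encoding UTF8
        $written += @($page).Count
        if (@($page).Count -lt $PageSize) { break }
        $page = Search-UnifiedAuditLog -StartDate $From -EndDate $To -RecordType $RecordType `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize $PageSize
    }
    if ($written -ne $expected) {
        Write-Warning ("{0:u} to {1:u}: expected {2} records, wrote {3}" -f $From, $To, $expected, $written)
    }
    return $written
}

$total  = 0
$cursor = $StartDate
while ($cursor -lt $EndDate) {
    $next = $cursor.AddMinutes($IntervalMinutes)
    if ($next -gt $EndDate) { $next = $EndDate }
    $total += Export-Window -From $cursor -To $next
    $cursor = $next
}

# Hash the evidence file and store the digest next to it so later changes are detectable.
$hash = Get-FileHash -Path $OutFile -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $OutFile -Leaf)" | Set-Content -Path "$OutFile.sha256"
Write-Host "Wrote $total $RecordType records to $OutFile (SHA256 $($hash.Hash))"
```

The written-versus-expected check is the part worth keeping whatever tooling you use: throttling or a dropped session shows up as a window whose count falls short, and a warning per window is far easier to act on than discovering a gap during analysis. The `.sha256` sidecar file is what you record in the chain-of-custody log; rerunning Get-FileHash later and comparing against it is the tamper check.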

Conclusion

Office 365 Extractor improves the acquisition process of the Office 365 UAL by automatically creating a new session every time the 5,000 record limit is reached. Furthermore, regardless of the time interval chosen to reach 5,000 records, the script adapts and guarantees all logs are extracted. The script also provides a variety of options for acquiring all or specific record types. All of these characteristics allow for complete and reliable acquisition of the UAL. In the next blog post, we will outline the processing of all output files in a log management solution (e.g. Splunk, Elastic) and the detection of suspicious behavior in the UAL.

If you have any feedback on the script, please feel free to reach out to us directly or check out our GitHub page for a detailed Readme and FAQ.

This blog was written by Korstiaan Stam, Joey Rentenaar and Curtis Hanson working for the Incident Response team @ PwC NL