Repository of attack and defensive information for Business Email Compromise investigations
- ATT&CK O365
- ATT&CK Azure
- Microsoft Azure Threat Research Matrix
- Microsoft 365 Licensing
- Microsoft Portals
- Azure App IDs
Author | Link |
---|---|
NCSC Ireland | Office 365 Secure Configuration Framework |
CISA | Microsoft Office 365 Security Recommendations |
Description | Author | Link |
---|---|---|
A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus IR | O365 Dataset |
Simulated activity within the Microsoft 365 platform exported using Microsoft Extractor Suite | blueteam0ps | det-eng-samples |
Description | Author | Link |
---|---|---|
Megan Roddie (SANS DFIR Summit 2021) | Automating Google Workspace Incident Response | |
Megan Roddie (BSides SATX) | GSuite Digital Forensics and Incident Response | |
Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk | |
Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace | |
Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations | |
Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics | |
Megan Roddie at SANS | Prevent, Detect, Respond An Intro to Google Workspace Security and Incident Response | |
Korstiaan Stam (SANS DFIR Summit 2022) | Detecting Malicious Actors in Google Workspace | |
Invictus IR | Automated Forensic analysis of Google Workspace |
Description | Author | Link |
---|---|---|
A dataset containing Google Workspace Logs for security research and detection. | Invictus Incident Response | GWS Dataset |
Author | Link |
---|---|
MDSec | o365-attack-toolkit |
Daniel Chronlund | Microsoft 365 Data Exfiltration – Attack and Defend |
Mauricio Velazco | msInvader |
Author | Link |
---|---|
Kuba Gretzky | Evilginx2 |
Cult of Cornholio | Solenya |
Black Hills Information Security | CredSniper |
Mandiant | ReelPhish |
Piotr Duszynski | Modiishka |
Description | Author | Link |
---|---|---|
Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and 0365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest. | Ian Day | o365AuditParser |
DART AzureAD IR Powershell Module | Microsoft DART | AzureADIncidentResponse |
Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
Metaspike Forensic Email Intelligence | Metaspike | Metaspike Forensic Email Intelligence |
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |
Automated Audit Log Forensic Analysis for Google Workspace | Invictus IR | ALFA |
Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA | Untitled Goose |
PowerShell module to collect logs and rules from M365 | Invictus IR | Welcome 👋 Microsoft Extractor Suite |
A fork of the Hawk PowerShell module which adds additional data-gathing features and removes deprecated modules and commands. | Syne0 | Osprey |
Author | Link |
---|---|
CISA | ScubaGear M365 Secure Configuration Baseline Assessment Tool |
CISA | ScubaGoggles GWS Secure Configuration Baseline Assessment Tool |
Gerenios | AADInternals |
Author/s | Link |
---|---|
SANS | FOR509: Enterprise Cloud Forensics and Incident Response |
Xintra | Attacking and Defending Azure & M365 |
Invictus Incident Response | Incident Response in the Microsoft Cloud training |