Home

Awesome

Awesome-BEC

Repository of attack and defensive information for Business Email Compromise investigations

Office365/AzureAD

Attack/Defend Research

AuthorLink
Lina LauBackdoor Office 365 and Active Directory - Golden SAML
Lina LauOffice365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I
Lina LauAttacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II
Mike Felch and Steve BoroshSocially Acceptable Methods to Walk in the Front Door
MandiantRemediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
Andy Robbins at SpecterOpsAzure Privilege Escalation via Service Principal Abuse
Emilian Cebuc & Christian Philipov at F-SecureHas anyone seen the principal?
nyxgeek at TrustedSecCreating A Malicious Azure AD Oauth2 Application
Lina LauHow to Backdoor Azure Applications and Abuse Service Principals
Lina LauHow to Detect Azure Active Directory Backdoors: Identity Federation
Doug Bienstock at MandiantPwnAuth
Steve Borosh at Black Hills Information SecucirtySpoofing Microsoft 365 Like It’s 1995
AvertiumMITM Attacks - Evilproxy and Evilginx
Aon Cyber LabsBypassing MFA: A Forensic Look At Evilginx2 Phishing Kit
Sofia MarinIncident Response Series: Chapter #1 Phishing and cookie stolen with Evilginx.
Sofia MarinIncident Response Series: Chapter #3 The Impact and Subscription Theft as Exfiltration

Investigation Research

AuthorLink
Devon Ackerman (SANS DFIR Summit 2018)A Planned Methodology for Forensically Sound IR in Office 365
Matt BromileyBusiness Email Compromise; Office 365 Making Sense of All the Noise
PWC IRBusiness Email Compromise Guide
Korstiann Stam (SANS DFIR Summit 2021)A Holistic Approach to Defending Business Email Compromise (BEC) Attacks
M365 InternalsEverything About Service Principals, Applications, And API Permissions
M365 InternalsWhat I Have Learned From Doing A Year Of Cloud Forensics In Azure AD
M365 InternalsIncident Response In A Microsoft Cloud Environment
M365 InternalsIncident Response Series: Reviewing Data In Azure AD For Investigation
M365 InternalsIncident Response Series: Collecting And Analyzing Logs In Azure Ad
MicrosoftHow automated investigation and response works in Microsoft Defender for Office 365
MicrosoftIncident Response playbooks
Brendan MccreeshMatching the O365 MachineID to a computer’s MachineGUID
BushidoTokenAbused legitimate services
Dave Herrald and Ryan Kovar (SANS CTI Summit 2019)How to Use and Create Threat Intelligence in an Office 365 World
Mangatas TondangKnocking on Clouds Door: Threat Hunting Powered by Azure AD Reports and Azula
Mathieu SaulnierIRP Phishing
CrypsisSecuring O365 with PowerShell
AonMicrosoft 365: Identifying Mailbox Access
Will OramResponding to sophisticated attacks on Microsoft 365 and Azure AD
Frankie Li, Ken Ma and Eric Leung at Dragon Advance Tech ConsultingMicrosoft 365 Forensics Playbook
Christopher Romano and Vaishnav Murthy at CrowdstrikeCloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365
Megan Roddie at SANSEnterprise Cloud Forensics & Incident Response Poster
Thirumalai Natarajan Muthiah & Anurag Khanna (SANS DFIR Summit 2022)Threat Hunting in Microsoft 365 Environment
Josh Lemon & Megan Roddie (SANS DFIR Summit 2022)DFIR Evidence Collection and Preservation for the Cloud
MicrosoftVerify first-party Microsoft applications in sign-in reports
Douglas Bienstock at MandiantYou Can’t Audit Me: APT29 Continues Targeting Microsoft 365
Lina LauHow to Detect OAuth Access Token Theft in Azure
Michel De Crevoisier at Red CanaryForward thinking: How adversaries abuse Office 365 email rules
Emily Parrish at MicrosoftForensic artifacts in Office 365 and where to find them
Justin Schoenfeld and Zach Diehl at Red CanaryCloud coverage: Detecting an email payroll diversion attack
CrowdStrikeEarly Bird Catches the Wormhole: Observations from the StellarParticle Campaign
AonSCL -1: The Dangerous Side Of Safe Senders
Jon HencinskiSeven ways to spot a business email compromise in Office 365
Emily Parrish at MicrosoftGood UAL Hunting
Invictus Incident ResponeMastering Email Forwarding Rules in Microsoft 365
Microsoft Threat IntelligenceDEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
Red CanaryInvestigating legacy authentication: The curious case of "BAV2ROPC"
Dray Agha at HuntressThreat Hunting for Business Email Compromise Through User Agents
Fabian BaderEntraID-ErrorCodes
Patterson Cake at Black Hills Information SecurityWrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3)
Patterson Cake at Black Hills Information SecurityWrangling the M365 UAL with PowerShell and SOF-ELK (Part 2 of 3)
MicrosoftNew Microsoft Incident Response guides help security teams analyze suspicious activity
Mauricio Velazco at SplunkHunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
HuntressTime Travelers Busted: How to Detect Impossible Travel

Secure configuration guidance

AuthorLink
NCSC IrelandOffice 365 Secure Configuration Framework
CISAMicrosoft Office 365 Security Recommendations

Datasets

DescriptionAuthorLink
A dataset containing Office 365 Unified Audit Logs for security research and detection.Invictus IRO365 Dataset
Simulated activity within the Microsoft 365 platform exported using Microsoft Extractor Suiteblueteam0psdet-eng-samples

Google Workspace

ATT&CK Google Workspace

Investigation Research

DescriptionAuthorLink
Megan Roddie (SANS DFIR Summit 2021)Automating Google Workspace Incident Response
Megan Roddie (BSides SATX)GSuite Digital Forensics and Incident Response
Splunk Threat Research TeamInvestigating GSuite Phishing Attacks with Splunk
Arman Gungor at MetaspikeInvestigating Message Read Status in Gmail & Google Workspace
Arman Gungor at MetaspikeGmail History Records in Forensic Email Investigations
Arman Gungor at MetaspikeGoogle Takeout and Vault in Email Forensics
Megan Roddie at SANSPrevent, Detect, Respond An Intro to Google Workspace Security and Incident Response
Korstiaan Stam (SANS DFIR Summit 2022)Detecting Malicious Actors in Google Workspace
Invictus IRAutomated Forensic analysis of Google Workspace

Datasets

DescriptionAuthorLink
A dataset containing Google Workspace Logs for security research and detection.Invictus Incident ResponseGWS Dataset

Tools

Adversary Emulation Tools

AuthorLink
MDSeco365-attack-toolkit
Daniel ChronlundMicrosoft 365 Data Exfiltration – Attack and Defend

Phishing Toolkits

AuthorLink
Kuba GretzkyEvilginx2
Cult of CornholioSolenya
Black Hills Information SecurityCredSniper
MandiantReelPhish
Piotr DuszynskiModiishka

Investigation Tools

DescriptionAuthorLink
Automate the security assessment of Microsoft Office 365 environmentsSoteria Security365Inspect
A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigationsANSSI-FRDFIR-O365RC
Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environmentsCrowdStrikeCrowdStrike Reporting Tool for Azure (CRT)
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020CISAAviary/SPARROW
The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure.T0pCyberHawk
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.MandiantMandiant AzureAD Investigator
This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API.Glen ScalesO365 InvestigationTooling
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s)PwC IRMIA-MailItemsAccessed
This script makes it possible to extract log data out of an Office365 environment.JoeyRentenaarOffice 365 Extractor
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and 0365 environment used for intrusion analysis.Fernando TomlinsonInvoke-AZExplorer
This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest.Ian Dayo365AuditParser
DART AzureAD IR Powershell ModuleMicrosoft DARTAzureADIncidentResponse
Magnet AXIOM CloudMagnet ForensicsMagnet AXIOM Cloud
Metaspike Forensic Email CollectorMetaspikeMetaspike Forensic Email Collector
Metaspike Forensic Email IntelligenceMetaspikeMetaspike Forensic Email Intelligence
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment.Invictus IRBlue-team-app-Office-365-and-Azure
Script to retrieve information via O365 and AzureAD with a valid crednyxgeeko365recon
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes.DarkquasarAzureHunter
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel.Phil Hagen at SANSSOF-ELK
A collection of scripts for finding threats in Office365Martin RothePy365
Parsing the O365 Unified Audit Log with PythonKoen Van ImpeO365-python-parse
Identifying phishing page toolkitsBrian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick NikiforakisPhoca
An Open Source PowerShell O365 Business Email Compromise Investigation ToolintrepidtechieKITT-O365-Tool
Tooling for assessing an Azure AD tenant state and configurationMicrosoftMicrosoft Azure AD Assessment
ROADtools is a framework to interact with Azure ADDirk-janROADtools
Automated Audit Log Forensic Analysis for Google WorkspaceInvictus IRALFA
Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 EnvironmentsCISAUntitled Goose
PowerShell module to collect logs and rules from M365Invictus IRWelcome 👋 Microsoft Extractor Suite
A fork of the Hawk PowerShell module which adds additional data-gathing features and removes deprecated modules and commands.Syne0Osprey

Assessment Tools

AuthorLink
CISAScubaGear M365 Secure Configuration Baseline Assessment Tool
CISAScubaGoggles GWS Secure Configuration Baseline Assessment Tool
GereniosAADInternals

Training

Author/sLink
SANSFOR509: Enterprise Cloud Forensics and Incident Response
XintraAttacking and Defending Azure & M365
Invictus Incident ResponseIncident Response in the Microsoft Cloud training