Awesome-BEC

Repository of attack and defensive information for Business Email Compromise investigations

Office365/AzureAD

Attack/Defend Research

| Description | Author | Link |
| --- | --- | --- |
| | Lina Lau | Backdoor Office 365 and Active Directory - Golden SAML |
| | Lina Lau | Office365 Attacks: Bypassing MFA, Achieving Persistence and More - Part I |
| | Lina Lau | Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II |
| | Mike Felch and Steve Borosh | Socially Acceptable Methods to Walk in the Front Door |
| | Mandiant | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 |
| | Andy Robbins at SpecterOps | Azure Privilege Escalation via Service Principal Abuse |
| | Emilian Cebuc & Christian Philipov at F-Secure | Has anyone seen the principal? |
| | nyxgeek at TrustedSec | Creating A Malicious Azure AD Oauth2 Application |

Investigation Research

| Description | Author | Link |
| --- | --- | --- |
| | Devon Ackerman (SANS DFIR Summit 2018) | A Planned Methodology for Forensically Sound IR in Office 365 |
| | Matt Bromiley | Business Email Compromise; Office 365 Making Sense of All the Noise |
| | PwC IR | Business Email Compromise Guide |
| | Korstiaan Stam (SANS DFIR Summit 2021) | A Holistic Approach to Defending Business Email Compromise (BEC) Attacks |
| | M365 Internals | Everything About Service Principals, Applications, And API Permissions |
| | M365 Internals | What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD |
| | M365 Internals | Incident Response In A Microsoft Cloud Environment |
| | M365 Internals | Incident Response Series: Reviewing Data In Azure AD For Investigation |
| | M365 Internals | Incident Response Series: Collecting And Analyzing Logs In Azure AD |
| | Microsoft | How automated investigation and response works in Microsoft Defender for Office 365 |
| | Microsoft | Incident Response playbooks |
| | Brendan Mccreesh | Matching the O365 MachineID to a computer's MachineGUID |
| | BushidoToken | Abused legitimate services |

Datasets

| Description | Author | Link |
| --- | --- | --- |
| A dataset containing Office 365 Unified Audit Logs for security research and detection. | Invictus Incident Response | O365 Dataset |

Google Workspace

ATT&CK Google Workspace

Investigation Research

| Description | Author | Link |
| --- | --- | --- |
| | Megan Roddie | Automating Google Workspace Incident Response |
| | Megan Roddie | GSuite Digital Forensics and Incident Response |
| | Splunk Threat Research Team | Investigating GSuite Phishing Attacks with Splunk |
| | Arman Gungor at Metaspike | Investigating Message Read Status in Gmail & Google Workspace |
| | Arman Gungor at Metaspike | Gmail History Records in Forensic Email Investigations |
| | Arman Gungor at Metaspike | Google Takeout and Vault in Email Forensics |

Tools

Adversary Emulation Tools

| Description | Author | Link |
| --- | --- | --- |
| | Kuba Gretzky | Evilginx2 |
| | MDSec | o365-attack-toolkit |

Investigation Tools

| Description | Author | Link |
| --- | --- | --- |
| Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
| A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
| Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
| Aviary is a dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool, released in December 2020 | CISA | Aviary/SPARROW |
| The goal of the Hawk tool is to be a community-led tool that provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure | T0pCyber | Hawk |
| This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity | Mandiant | Mandiant AzureAD Investigator |
| This project is to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API | Glen Scales | O365 InvestigationTooling |
| MIA makes it possible to extract Sessions and MessageID(s) from MailItemsAccessed records and find the emails belonging to those MessageID(s) | PwC IR | MIA-MailItemsAccessed |
| This script makes it possible to extract log data out of an Office 365 environment | JoeyRentenaar | Office 365 Extractor |
| Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment, used for intrusion analysis | Fernando Tomlinson | Invoke-AZExplorer |
| This script processes Microsoft Office 365 Protection Center audit logs into a usable form to allow efficient filtering and pivoting off events of interest | Ian Day | o365AuditParser |
| DART AzureAD IR PowerShell module | Microsoft DART | AzureADIncidentResponse |
| Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
| Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
| This Splunk app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment | Invictus IR | Blue-team-app-Office-365-and-Azure |
| Script to retrieve information via O365 and AzureAD with a valid credential | nyxgeek | o365recon |
| A PowerShell module to run threat hunting playbooks on data from Azure and O365 for cloud forensics purposes | Darkquasar | AzureHunter |
| SOF-ELK® is a "big data analytics" platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel | Phil Hagen at SANS | SOF-ELK |
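Several of the tools above (MIA-MailItemsAccessed, o365AuditParser, the Unified Audit Log dataset) revolve around the same triage step: pull the `MailItemsAccessed` records out of a Unified Audit Log export, group them by `SessionId`, and pivot from a session to the messages it touched (or from a message to the sessions that touched it). The block below is an added example written for this list; it is not code from any of the linked tools. It assumes the CSV layout produced by `Search-UnifiedAuditLog` or the Purview export (the record JSON in an `AuditData` column) and the Exchange mailbox audit field names for `MailItemsAccessed`; the sample records it builds are constructed, not real data.

```python
import csv
import io
import json

# Session identifiers used by the constructed sample records (assumed values).
SESSION_A = "f0b1c2d3-0000-4000-8000-000000000001"
SESSION_B = "f0b1c2d3-0000-4000-8000-000000000002"


def _mia_record(time, session_id, access_type, throttled, ip, client, folder, message_ids):
    """Build one constructed MailItemsAccessed record in the UAL record shape.

    The access type and throttling flag live in OperationProperties; only Bind
    access lists the individual messages under Folders[].FolderItems[].
    """
    folder_entry = {"Path": folder}
    if message_ids:
        folder_entry["FolderItems"] = [{"InternetMessageId": m} for m in message_ids]
    return {
        "CreationTime": time, "Operation": "MailItemsAccessed", "UserId": "alice@example.com",
        "ClientIPAddress": ip, "ClientInfoString": client, "SessionId": session_id,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access_type},
                                {"Name": "IsThrottled", "Value": "True" if throttled else "False"}],
        "Folders": [folder_entry],
    }


def build_sample_export():
    """Return a constructed UAL CSV export (four rows, not real data)."""
    records = [
        _mia_record("2023-05-01T08:12:03", SESSION_A, "Bind", False, "203.0.113.10",
                    "Client=OWA;Action=ViaProxy", "\\Inbox",
                    ["<invoice-0042@vendor.example>", "<payroll-change@hr.example.com>"]),
        # Sync: whole-folder download by a REST client; no per-message items, and throttled.
        _mia_record("2023-05-01T08:15:40", SESSION_B, "Sync", True, "198.51.100.7",
                    "Client=REST;Client=RESTSystem;;", "\\Inbox", []),
        # Second Bind in session A; one message is a repeat of the first record.
        _mia_record("2023-05-01T08:20:11", SESSION_A, "Bind", False, "203.0.113.10",
                    "Client=OWA;Action=ViaProxy", "\\Sent Items",
                    ["<invoice-0042@vendor.example>", "<wire-instructions@vendor.example>"]),
        # Unrelated operation that the grouping must ignore.
        {"CreationTime": "2023-05-01T08:11:50", "Operation": "UserLoggedIn",
         "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    ]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["CreationDate", "UserIds", "Operations", "AuditData"])
    writer.writeheader()
    for rec in records:
        writer.writerow({"CreationDate": rec["CreationTime"], "UserIds": rec["UserId"],
                         "Operations": rec["Operation"], "AuditData": json.dumps(rec)})
    return buf.getvalue()


def load_audit_records(csv_text):
    """Parse the AuditData JSON column of every row in a UAL CSV export."""
    return [json.loads(row["AuditData"]) for row in csv.DictReader(io.StringIO(csv_text))]


def operation_property(record, name):
    """Look up a value in the record's OperationProperties name/value list."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def sessions_from_mail_items_accessed(records):
    """Group MailItemsAccessed records by SessionId.

    Each session collects client strings, source IPs, access types, the
    InternetMessageIds seen in Bind records, and whether any record was
    throttled. Once a mailbox exceeds 1,000 MailItemsAccessed records in a
    24 hour window Exchange stops writing them for the rest of that window,
    so a throttled session is an incomplete picture, not a small one.
    """
    sessions = {}
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        session_id = rec.get("SessionId") or "(no SessionId)"
        session = sessions.setdefault(session_id, {
            "user": rec.get("UserId"), "clients": set(), "ips": set(), "access_types": set(),
            "message_ids": [], "throttled": False,
            "first_seen": rec.get("CreationTime", ""), "last_seen": rec.get("CreationTime", ""),
        })
        session["clients"].add(rec.get("ClientInfoString", ""))
        session["ips"].add(rec.get("ClientIPAddress", ""))
        session["access_types"].add(operation_property(rec, "MailAccessType"))
        if operation_property(rec, "IsThrottled") == "True":
            session["throttled"] = True
        stamp = rec.get("CreationTime", "")
        session["first_seen"] = min(session["first_seen"], stamp)
        session["last_seen"] = max(session["last_seen"], stamp)
        for folder in rec.get("Folders", []):
            for item in folder.get("FolderItems", []):
                message_id = item.get("InternetMessageId")
                if message_id and message_id not in session["message_ids"]:
                    session["message_ids"].append(message_id)
    return sessions


def sessions_that_accessed(sessions, internet_message_id):
    """Return the SessionIds whose Bind records include the given InternetMessageId."""
    return sorted(sid for sid, s in sessions.items() if internet_message_id in s["message_ids"])


if __name__ == "__main__":
    found = sessions_from_mail_items_accessed(load_audit_records(build_sample_export()))
    for sid, s in found.items():
        print(sid, s["user"], sorted(s["access_types"]), sorted(s["ips"]),
              "THROTTLED" if s["throttled"] else "", len(s["message_ids"]), "messages")
    print("invoice accessed in:", sessions_that_accessed(found, "<invoice-0042@vendor.example>"))
```

Two caveats when running this against a real export: `Sync` records tell you a folder was downloaded but never name the messages, so a message absent from every session's list may still have been read, and a session flagged as throttled is missing records by definition. `MailItemsAccessed` is also only present for mailboxes whose licence includes the premium audit events, so confirm it is being recorded at all before drawing conclusions from its absence.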

Training

| Description | Author | Link |
| --- | --- | --- |
| | David Cowen, Pierre Lidome, Josh Lemon at SANS | FOR509: Enterprise Cloud Forensics and Incident Response |