
Additional Microsoft Cloud Data Sets You May Not Be Looking At But Probably Should 

SANS Digital Forensics and Incident Response

For organizations using Microsoft Entra ID (the artist formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs is readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits. This past fall, the team at Black Hills Information Security released a post-exploitation kit called GraphRunner. This tool is focused on interacting with the Microsoft Graph API, which is the backbone that services Entra ID, O365 and many other services in the Microsoft cloud. The release of GraphRunner, and of future tools like it, streamlines a number of activities that an adversary would perform after gaining access, making them simpler for anyone to use. While GraphRunner is a post-exploitation toolkit, it includes authentication functions that highlight how adversaries could use the OAuth authorization code flow to their advantage. As a defender, this presents a set of challenges. Less sophisticated adversaries now have a lower barrier to entry once they have gained access to the Graph API than they did before. It also highlights that the standard logging may not be sufficient to gain visibility into actions such as the refreshing of tokens or other activities that a tool like GraphRunner provides. This talk is designed to provide insight into additional data sets that Microsoft cloud users have access to but that may not be as widely deployed. These additional data sets can give defenders additional insight, detect suspicious activity and serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner. Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customize it to their own needs.

While we won’t be able to cover all possible permutations, our goal is to identify data sets and events that can assist defenders, using GraphRunner as a representative of the kinds of methods that adversaries might use. Attendees will come away from this talk with:
- A greater understanding of GraphRunner and its capabilities
- Awareness of the logging available for the Graph API beyond the standard logging
- Ideas around how detections and hunts can be designed to identify GraphRunner activity
SANS DFIR Summit 2024
Gaining Better Visibility on a Cloudy Day: Additional Microsoft Cloud Data Sets You May Not Be Looking At But Probably Should
Speaker: John Stoner, Security Strategist, Google Cloud
View upcoming Summits: www.sans.org/u/DuS

Published: 1 Oct 2024
