
Backdoors and Breadcrumbs.pdf

Uploaded by: 可*** ID: 991823 2025-12-07 46 pages 2.59MB

Stroz Friedberg Digital Forensics and Incident Response

Backdoors & Breadcrumbs: How threat actors persist in your Microsoft 365
Thursday, July 24, 2025

Get-User-Identity
+ Federico Cedolini: Senior Consultant, Toronto, ON, Canada
+ Stroz Friedberg Digital Forensics and Incident Response
+ Cyber security interests: Cloud Forensics, Microsoft 365, Malware Analysis, Security Automation
+ Certs: GCFE, GCFR, GREM, GMLE
+ Other activities: Hiking, Sailing

Investigation Objectives
+ Determine initial entry
+ Determine data access and/or exfiltration
+ Determine persistence mechanisms
+ Determine the scope of the incident

Techniques
+ Forwarding Settings and Inbox Rules
+ App Passwords
+ Self-Service Password Reset
+ OAuth Apps
+ Domain Federation
+ Beyond Your Tenant
+ Questions?

Forwarding Settings and Inbox Rules

Get-InboxRule
+ Very common technique
+ Feature available directly in the mailbox
+ Allows threat actors to keep access to your data after losing direct access to the account
+ Can be configured to forward emails to more than one email address
(All screenshots are from the Stroz Friedberg Microsoft 365 test environment; no client data/information.)

Get-Mailbox
+ Feature available directly in the mailbox (mailbox-level forwarding, as opposed to a per-rule forward)
+ Allows threat actors to keep access to your data after losing direct access to the account

Search-UnifiedAuditLog
Changes to Inbox Rules and Forwarding Settings will trigger events that get recorded in
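The following PowerShell is an added worked example, not code from the Stroz Friedberg deck. It ties together the three cmdlets the slides name: it enumerates inbox rules whose actions forward, redirect or delete mail (Get-InboxRule), lists mailbox-level forwarding set on the mailbox object itself (Get-Mailbox), and parses Search-UnifiedAuditLog records for the operations that log changes to both. The tenant, addresses and the embedded audit record are constructed for illustration; the list of audited operations and the "hidden folder" heuristic are assumptions of this example, not statements from the deck.

```powershell
# Added example (not from the Stroz Friedberg deck). Requires the
# ExchangeOnlineManagement module and a role that can read the Unified Audit Log.
#Requires -Modules ExchangeOnlineManagement

function Get-SuspiciousInboxRules {
    # Rules that send mail out of the mailbox, or hide it from the owner, are the
    # classic post-compromise persistence the Get-InboxRule slide describes.
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-InboxRule -Mailbox $Mailbox | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
        # Heuristic (assumption): moving mail to rarely viewed folders hides replies from the victim.
        ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Conversation History')
    } | Select-Object @{n = 'Mailbox'; e = { $Mailbox } }, Name, Enabled,
        ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, Description
}

function Get-MailboxForwarding {
    # Mailbox-level forwarding lives on the mailbox object (Set-Mailbox), not in a
    # rule, so a rule audit alone misses it. Check all three properties.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
}

function ConvertFrom-AuditRecord {
    # Flatten one AuditData JSON blob into a triage row. Inbox-rule operations are
    # always kept; Set-Mailbox is kept only when it touched a forwarding property,
    # because Set-Mailbox also logs countless benign changes.
    param([Parameter(Mandatory)][string]$AuditData)
    $r = $AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $r.Parameters)          { $params[$p.Name] = $p.Value }   # PowerShell/OWA-created rules
    foreach ($p in $r.OperationProperties) { $params[$p.Name] = $p.Value }   # UpdateInboxRules (Outlook client)
    $fwdProps = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'
    if ($r.Operation -eq 'Set-Mailbox' -and -not ($fwdProps | Where-Object { $params.ContainsKey($_) })) { return }
    [pscustomobject]@{
        Time      = [datetime]$r.CreationTime
        Operation = $r.Operation
        Actor     = $r.UserId
        Target    = $r.ObjectId
        ClientIP  = $r.ClientIP
        Changes   = ($params.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}

function Get-RuleAndForwardingAuditEvents {
    # Operation names are an assumption of this example; extend as needed.
    # Search-UnifiedAuditLog returns at most 5000 rows per call; page with
    # -SessionCommand ReturnLargeSet / -SessionId for larger windows.
    param([datetime]$Start = (Get-Date).AddDays(-90), [datetime]$End = (Get-Date))
    $ops = 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $ops -ResultSize 5000 |
        ForEach-Object { ConvertFrom-AuditRecord -AuditData $_.AuditData }
}

# Constructed sample record (not real tenant data) so the parser can be exercised offline.
$sampleAuditData = @'
{"CreationTime":"2025-07-24T14:03:11","Operation":"New-InboxRule","UserId":"alice@contoso.example",
 "ClientIP":"203.0.113.7","ObjectId":"alice@contoso.example\\Invoices","Workload":"Exchange",
 "Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"collector@attacker.example"},
               {"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;payment"}]}
'@
ConvertFrom-AuditRecord -AuditData $sampleAuditData | Format-List

# Live triage against a tenant:
# Connect-ExchangeOnline
# Get-MailboxForwarding
# Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-SuspiciousInboxRules -Mailbox $_.UserPrincipalName }
# Get-RuleAndForwardingAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

The audit row carries the actor, client IP and the rule's full parameter set, which is what lets you distinguish a rule the user created from one created by a session the attacker held; correlate the ClientIP and time with the sign-in logs for the same account. Rules created from desktop Outlook are logged as UpdateInboxRules with a different property layout, which is why the parser reads both Parameters and OperationProperties.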

Based on the content of "Backdoors & Breadcrumbs: How threat actors persist in your Microsoft 365", the key points of the full deck are summarized as follows:

1. Threat actor persistence tactics:
 - Using forwarding settings and inbox rules to retain access to data.
 - Using app passwords, which exist to support legacy applications.
 - Abusing self-service password reset and MFA registration.
2. Case study:
 - A threat actor obtained an account through a phishing email, reset the password and registered a new MFA method; the account was ultimately disabled.
3. Preventive measures:
 - Restrict which privileged accounts can add credentials.
 - Implement Conditional Access policies.
 - Disable unnecessary app passwords.
 - Increase the number of MFA methods required for self-service password reset.
4. Domain federation:
 - Threat actors may bypass password and MFA requirements through a federated domain.
5. Third-party services:
 - Threat actors may create and verify accounts on third-party sites and send phishing emails from them.
6. Detection and investigation:
 - During an investigation, review the emails received while the account was compromised to identify new account creation on third-party sites.