Microsoft 365 Threat Hunting Tool

There are many tools and methods to conduct cyber threat hunting in a Microsoft 365 environment, but sometimes you just need a way to get some useful data that you can analyze quickly to answer that age old question “have we been hacked?”.

In my opinion, Microsoft doesn’t make it easy to answer this question (at least not without making you buy some extras). So as a follow-up to a previous post, I decided to write a simple script to help you answer the question yourself.

Don’t expect any bells or whistles, this script is meant to be a proof-of-concept related to my previous statement that a tool “doesn’t have to be pretty it just has to be pretty useful“.

One of the most useful features of this tool is that it collects up to the last 50,000 records of login data (success and failure).

Microsoft only allows you to collect 5,000 at a time unless you follow a somewhat convoluted process…this script does all the convoluting so you don’t have to.

It also looks up information about the source IP addresses and extracts some of the most important data out of Microsoft’s AuditData property so you can actually use it.

All you have to do is execute the script, and you should end up with a handful of files in the current directory that have all the info you need to get started hunting.

Here are some examples of the type of data the script collects:

User login data (successful and failed logins)

The key here is to look for patterns and deviations, notice anything suspicious?

Mailbox rules

BEC threat actors often use these to hide communication

Mailbox permissions

It’s always good to know if someone has permission on a mailbox besides their own

Forwarding Rules

Sometimes a cyber threat actor will use this for espionage / maintaining access

MFA Status

Good to know if you find suspicious login activity

The script can be downloaded here: https://github.com/5shield/m365cth

That’s it for now, good luck, and happy hunting!