Malware News
The latest NEWS about malware, DFIR, hacking, security issues, thoughts and ...

Preserve Microsoft Teams Messages
Hey everyone,

I was hoping someone could point me in the right direction for preserving Microsoft Teams messages.

Would it be easiest to collect the messages as a .PST via O365 Security & Compliance center then process the .PST in Axiom / Intella? Any other recommendations for preserving / displaying the message threads?

Thanks in advance.
🗣hotsausce01

In terms of preserving, my approach would be to export the PST from O365 as you state, generate a hash for the PST and preserve the PST and the hash.


More along the lines of analyzing the data than displaying it -
Once I have the pst I use pffexport https://manpages.ubuntu.com/manpages/xenial/man1/pffexport.1.html
to extract all the data out of the file.
pffexport creates a directory hierarchy that contains a folder for each item in the PST file. Within that folder you find a text or html file with the message, text files with metadata (like the SMTP headers and Outlook headers) and an attachments subfolder with all attachments saved in their native formats (pdf, png, docx, etc.)


I find this approach super useful for analysis. I can use tools like Grep, RipGrepAll or AgentRansack to do quick searches for patterns, or I can write simple perl or python scripts for more complicated bulk analysis (e.g. create a CSV file with the sender, date, recipient, subject and first line of message text for every email/meeting/teams message that has a jpg attachment with EXIF data matching phone model XXXXX).
👤AdCautious851
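As an added example (mine, not the poster's and not part of pffexport): a Python script that walks a pffexport output tree and builds the kind of triage CSV described above, keeping only items that carry a .jpg attachment (the EXIF phone-model check is left out). The per-item file names InternetHeaders.txt, Message.txt and Attachments/ are an assumption about pffexport's layout, and the two-item export it runs against is constructed inline.

```python
import csv, email, tempfile
from pathlib import Path

# Assumed pffexport per-item layout (file names are my assumption, not quoted
# from the post): InternetHeaders.txt, Message.txt and an Attachments/ folder.
def collect_messages(export_root, attachment_ext=".jpg"):
    """One row per exported item holding an attachment with the given extension."""
    rows = []
    for hdr in sorted(Path(export_root).rglob("InternetHeaders.txt")):
        item, att_dir = hdr.parent, hdr.parent / "Attachments"
        hits = sorted(p.name for p in att_dir.iterdir()
                      if p.suffix.lower() == attachment_ext) if att_dir.is_dir() else []
        if not hits:
            continue  # nothing of interest in this item
        msg = email.message_from_string(hdr.read_text(errors="replace"))  # SMTP headers
        body = item / "Message.txt"
        lines = body.read_text(errors="replace").splitlines() if body.exists() else []
        rows.append({"item": item.relative_to(export_root).as_posix(),
                     "from": msg.get("From", ""), "date": msg.get("Date", ""),
                     "to": msg.get("To", ""), "subject": msg.get("Subject", ""),
                     "first_line": next((l.strip() for l in lines if l.strip()), ""),
                     "attachments": ";".join(hits)})
    return rows

def write_csv(rows, out_path):
    """Write the triage rows to CSV; returns the number of rows written."""
    fields = ["item", "from", "date", "to", "subject", "first_line", "attachments"]
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)

def build_sample_tree(root):
    """Constructed two-item export: only Message00001 carries a .jpg attachment."""
    specs = [("Message00001", "alice@example.test", "Site photos", "See attached.", "IMG_0001.jpg"),
             ("Message00002", "bob@example.test", "Invoice", "Invoice for March.", "invoice.pdf")]
    for name, sender, subject, body, att in specs:
        item = Path(root) / "Inbox" / name
        (item / "Attachments").mkdir(parents=True)
        (item / "InternetHeaders.txt").write_text(f"From: {sender}\nTo: team@example.test\n"
                                                  f"Date: Mon, 4 Mar 2024 09:15:00 +0000\nSubject: {subject}\n\n")
        (item / "Message.txt").write_text(f"\n{body}\nRegards\n")
        (item / "Attachments" / att).write_bytes(b"\xff\xd8\xff" if att.endswith(".jpg") else b"%PDF-")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rows = collect_messages(tmp)
        return rows, write_csv(rows, Path(tmp) / "triage.csv")
```

On a real export, call collect_messages on the directory pffexport produced and write_csv on the result; the filter extension is a parameter so the same pass works for other attachment types.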

Message Crawler can convert the .pst files to RSMF. There are two flavors of .psts: Team Channel psts and the Team DMs from the personal mailbox for each user. I am still testing Message Crawler via the trial version (just download the program from their website).

It's a bit confusing going through the data in Message Crawler, but the tool definitely does the RSMF conversion job pretty well. I am not sure if it threads conversations together. I have not reviewed the many output options, yet. I'm sure someone can answer that. Message Crawler has a YouTube channel with demonstrations, as well.
👤zero-skill-samus


🎖@malwr
Honeypot agent for malware curation with Siphon
I made this post about a tool I created to fetch the latest samples from threat intelligence platforms.

The tool has had a major upgrade, and now allows you to generate agents to deploy on honeypots, that can monitor folders for file activity (writes, creations).

Agents have exposed API endpoints to query and download indexed samples from, and are interacted with via Mutual TLS - allowing you to interact with it just how you'd interact with other integrations. If you try it out on your infrastructure, feel free to give feedback on GitHub!

https://github.com/pygrum/siphon


The 1st sample in the image above represents an example file written to disk in a folder monitored by a Windows agent.
🗣pygrum


Quishing Triage 101: How to Investigate Suspicious QR Codes in Emails
🗣digicat

Tl;dr- don't scan it with your phone. Use the tools you normally do.

You can take a screenshot of the email and put it in CyberChef for a quick result.
👤LethargicEscapist

