Preserve Microsoft Teams Messages
Hey everyone,
I was hoping someone could point me in the right direction for preserving Microsoft Teams messages.
Would it be easiest to collect the messages as a .PST via O365 Security & Compliance center then process the .PST in Axiom / Intella? Any other recommendations for preserving / displaying the message threads?
Thanks in advance.
hotsausce01
In terms of preserving, my approach would be to export the PST from O365 as you state, generate a hash for the PST, and preserve the PST and the hash.
More along the lines of analyzing the data than displaying it -
Once I have the pst I use pffexport https://manpages.ubuntu.com/manpages/xenial/man1/pffexport.1.html
to extract all the data out of the file.
pffexport creates a directory hierarchy that contains a folder for each item in the PST file. Within that folder you find a text or html file with the message, text files with metadata (like the SMTP headers and Outlook headers) and an attachments subfolder with all attachments saved in their native formats (pdf, png, docx, etc.)
I find this approach super useful for analysis. I can use tools like Grep, RipGrepAll or AgentRansack to do quick searches for patterns, or I can write simple perl or python scripts for more complicated bulk analysis (e.g. create a CSV file with the sender, date, recipient, subject and first line of message text for every email/meeting/teams message that has a jpg attachment with EXIF data matching phone model XXXXX).
AdCautious851
Message Crawler can convert the .pst files to RSMF. There are two flavors of .psts: Team Channel psts and the Team DMs from the personal mailbox for each user. I am still testing Message Crawler via the trial version (just download the program from their website).
It's a bit confusing going through the data in Message Crawler, but the tool definitely does the RSMF conversion job pretty well. I am not sure if it threads conversations together. I have not reviewed the many output options yet. I'm sure someone can answer that. Message Crawler has a YouTube channel with demonstrations, as well.
zero-skill-samus
@malwr
Discarded, not destroyed: Old routers reveal corporate secrets
When decommissioning their old hardware, many companies 'throw the baby out with the bathwater'
https://www.welivesecurity.com/2023/04/18/discarded-not-destroyed-old-routers-reveal-corporate-secrets/
@malwr
Operation Jacana: Foundling hobbits in Guyana
ESET researchers discovered a cyberespionage campaign against a governmental entity in Guyana
https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/
@malwr
ESET researchers uncover a cyberespionage campaign that they called Operation Jacana and that targeted a governmental entity in Guyana.
Honeypot agent for malware curation with Siphon
I made this post about a tool I created to fetch the latest samples from threat intelligence platforms.
The tool has had a major upgrade, and now allows you to generate agents to deploy on honeypots, that can monitor folders for file activity (writes, creations).
Agents have exposed API endpoints to query and download indexed samples from, and are interacted with via Mutual TLS - allowing you to interact with it just how you'd interact with other integrations. If you try it out on your infrastructure, feel free to feedback on GitHub!
https://github.com/pygrum/siphon
The 1st sample in the image above represents an example file written to disk in a folder monitored by a Windows agent.
pygrum
@malwr
Amazon Prime email scammer snatches defeat from the jaws of victory
https://www.malwarebytes.com/blog/news/2023/10/amazon-prime
@malwr
A very convincing Amazon Prime scam landed in our mail server today and...went straight to spam. Here's why.
Major Cyber Incident: KA-SAT 9A - EuRepoC: European Repository of Cyber Incidents - Other incident names: Viasat, AcidRain
digicat
@malwr
Major Cyber Incident: KA-SAT 9A. Other incident names: Viasat, AcidRain. 4 October 2023. Kerttunen, Mika; Schuck, Kim; Hemmelskamp, Jonas. EN. About KA-SAT 9A: The GEO satellite broadband services of the US communications company Viasat (KA-SAT 9A network) were…
100,000 [internet exposed industrial control systems that have been identified so far](https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems)
digicat
@malwr
Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure.
Quishing Triage 101: How to Investigate Suspicious QR Codes in Emails
digicat
Tl;dr: don't scan it with your phone. Use the tools you normally do.
You can take a screenshot of the email and put it in CyberChef for a quick result.
LethargicEscapist
@malwr
The Future of Open-Source Botnets and Preparedness Against Threats: Supershell Botnet - or how the CTI gained access to the infrastructure
digicat
@malwr
DSA-2023-283: Security Update for Dell SmartFabric Storage Software Vulnerabilities - A remote unauthenticated attacker may exploit this vulnerability and escalate privileges up to the highest administration level.
digicat
@malwr
Dell SmartFabric Storage Software remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Global NetScaler Gateway credential harvesting campaign - attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials
digicat
@malwr
X-Force uncovers global NetScaler Gateway credential harvesting campaign
IBM X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials.