Stroz Friedberg Digital Forensics and Incident Response
Backdoors & Breadcrumbs: How threat actors persist in your Microsoft 365
Thursday, July 24, 2025
Stroz Friedberg

Get-User-Identity
+ Federico Cedolini: Senior Consultant, Toronto, ON, Canada
+ Stroz Friedberg Digital Forensics and Incident Response
+ Cyber Security interests: Cloud Forensics, Microsoft 365, Malware Analysis, Security Automation
+ Certs: GCFE, GCFR, GREM, GMLE
+ Other activities: Hiking, Sailing

Investigation Objectives
+ Determine initial entry
+ Determine data access and/or exfiltration
+ Determine persistence mechanisms
+ Determine the scope of the incident

Techniques
+ Forwarding Settings and Inbox Rules
+ App Passwords
+ Self-Service Password Reset
+ OAuth Apps
+ Domain Federation
+ Beyond Your Tenant
+ Questions?

Forwarding Settings and Inbox Rules

Get-InboxRule
+ Very common technique
+ Feature available directly in the mailbox
+ Allows Threat Actors to keep access to your data after losing direct access to the account
+ Can be configured to forward emails to more than one email address
All screenshots are from the Stroz Friedberg Microsoft 365 test environment, no client data/information.

Get-Mailbox
+ Feature available directly in the mailbox
+ Allows Threat Actors to keep access to your data after losing direct access to the account

Search-UnifiedAuditLog
Changes to Inbox Rules and Forwarding Settings will trigger events that get recorded in
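A defender's triage script for the two persistence spots covered above (mailbox-level forwarding and forwarding inbox rules) together with the audit events that record changes to them, added here as an example; it is not code from the presentation. It assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session already exists with rights to read mailboxes and the unified audit log.

```powershell
# Added example, not from the presentation. Assumes an existing Connect-ExchangeOnline
# session (ExchangeOnlineManagement module) with mailbox and audit-log read access.

# 1. Mailbox-level forwarding (the Get-Mailbox slide): either a directory recipient
#    (ForwardingAddress) or an arbitrary SMTP address (ForwardingSmtpAddress).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, forward-as-attachment, or redirect (the Get-InboxRule slide).
#    A single rule can carry several recipients, so each target is emitted on its own row.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            foreach ($t in $targets) {
                [pscustomobject]@{
                    Mailbox       = $mbx.UserPrincipalName
                    RuleName      = $rule.Name
                    Enabled       = $rule.Enabled
                    DeleteMessage = $rule.DeleteMessage   # forward-and-delete hides the copy from the owner
                    Target        = "$t"
                }
            }
        }
}

# 3. Audit events that record rule and forwarding changes (the Search-UnifiedAuditLog slide),
#    last 30 days. AuditData is a JSON string; Parameters holds the cmdlet arguments used.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox -ResultSize 5000
$auditRows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $d.UserId
        ClientIP  = $d.ClientIP
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding    | Format-Table -AutoSize
$auditRows         | Sort-Object Time | Format-Table -AutoSize
```

Step 2 issues one Get-InboxRule call per mailbox, so on a large tenant scope it to the mailboxes of interest first; Set-Mailbox events also cover unrelated attribute changes, so filter Params for ForwardingSmtpAddress or ForwardingAddress when reviewing them.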