-
Notifications
You must be signed in to change notification settings - Fork 18
Remediate Breached Account
With the increased frequency of phishing attacks, organisations are dealing with more and more cases of account breached due to credential theft. Traditionally, resetting the users password was sufficient enough to block a users access out of a system. With Office 365, there are several integration points that need to be considered.
Potential hackers will use multiple methods to extend their access, post remediation. These methods may not be effected by password resets, and need to be manually reset.
The Remediate Breached Account script performs the following actions to terminate a users access
- Extracts Forensics information, for further analysis post remediation
- Resets the user password (if non-federated account)
- Revokes refresh tokens, forcing user to re-logon
- Iterates through mobile devices, showing last logon. Allowing Security Officers to selectively block, wipe, or allow
- Enforces Multifactor Authentication
- Enables Auditing on the Mailbox, if Auditing is not enabled
- Removes Anonymous Calendar Sharing
- Removes Delegate access off mailbox
- Removes Forwarding of email
Due to the different integration points which are touched as part of remediation, there are multiple pre-requisite PowerShell plug-ins/connections which must be present on your system for the remediation script.
- Azure AD PowerShell V1 - Required for MFA controls, which are not present in V2.
- Azure AD PowerShell V2
- Exchange Online Remote PowerShell
Installation instructions below are for Windows 10 devices, or devices with PowerShell v5. However, there is no requirement for PowerShell Version 5/Windows 10.
- Load a PowerShell Prompt as Administrator
- Run the following command
Install-Module MSOnline -Force
Install-Module AzureADPreview -ForceThe script requires you to be pre-connected to all services. There is no logic in the script to do this for you. However, the following commands will connect you to all three PowerShell Modules
$Credential = Get-Credential
Import-PSSession (New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $Credential -Authentication Basic -AllowRedirection)
Connect-MsolService -Credential $Credential
Connect-AzureAD -Credential $Credential
By default, running the script will perform all actions.
Running the Remediation
.\Remediate-BreachedAccount.ps1 -UPN hacked@account.comYou can use different switches to disable specific actions, for instance, in the example where your organisation does not have Multifactor Authentication licenses, you may opt to not enable multifactor authentication with
Running the Remediation - Without MFA
.\Remediate-BreachedAccount.ps1 -UPN hacked@account.com -NoMFAMultiple actions can be disabled using different switches, for instance, to disable password reset
Running the Remediation - Without MFA or Password Reset
.\Remediate-BreachedAccount.ps1 -UPN hacked@account.com -NoMFA -NoPasswordResetThe following switches allow you to customize the behaviour of the script
- NoForensics disabling forensic dumping of information
- NoAudit disables the enablement of auditing on the mailbox
- NoPasswordReset disables reset of password. This is automatically disabled in the event the users domain is federated.
- NoMFA disables the enablement of Multifactor Authentication for the user. This is useful for licensing reasons.
- NoDisableForwardingRules disables the removal of rules that forward email
- NoRevokeRefreshToken disables the removal of refresh tokens - strongly not recommended
- NoRemoveCalendarPublishing disables the removal of anonymous ICS calendar sharing
- NoRemoveDelegates disables the removal of mailbox delegates
- NoRemoveMailboxForwarding disables flags on the mailbox that forward email
- NoDisableMobileDevices disables prompting for Wipe/Block/Allow for ActiveSync devices