Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

Enterprise Architecture

The Cloud

Azure

Attacking Azure

Initial Access

Password Spraying OWA

Outlook Web Access (OWA)

PreviousPassword Spraying M365 NextOAuth 2.0 Abuse

Last updated 1 year ago

Attack

OWA is the web-based email client that's setup with Exchange Server or Exchange Online

URL Location of OWA:
- https://<exchangeIP/owa
Active Directory GPO settings define lockout rules (default - 0 meaning no lockouts)
Attacker will not know the lockout rule without access to GPO, so be careful with password spraying.

Detect

Cloud

Log Sources for Detection:

Exchange Mailbox Audit logs (not enable by default).
Security.evtx (logon events correlating to OWA)
HTTPProxy OWA logs
- Ensure X-Forward header is enabled to obtain TA IP address.
IIS Access logs
- Ensure X-Forward header is enabled.

Exchange Mailbox Audit logs:

Can show all Exchange actions on mailboxes, including sign-ins.
Auditing needs to be enabled per user.

IIS Access Logs

C:\Inetpub\logs\logfiles\*
Response code will always be 302
FBA, true shows successful request.
FBA, false shows failed request.
Does not show the username unless it was authenticated

HTTPProxy OWA logs

C:\Windows\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\OWA

Security.evtx

Event IDs
- 4624 successful logon
- 4625 failed logon
process name w3wp.exe for OWA web service.

Detection Methods

High number of authentication events in short time period
Alphabetical order
Incorrect usernames
Spike in account lockouts
Look for use of Azure Active Directory PowerShell (not common and sign of malicious activity if the user is not an admin)

On-Prem:

Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out.
Event ID 4767 is generated every time an account is unlocked
- These events will need to be collected from every DC and client.

Monitoring

Mitigate

Enable MFA on all accounts.
Enable Exchange audit logging on all accounts.
Ensure HTTP proxy logs and IIS logs are have x-forwarded-for and are being sent to a SIEM.
Lockout policy enabled in GPO.
- 7-10 is a good failed login before lockout policy.

If you have high-value domain or local accounts (for example, domain administrator accounts) for which you need to monitor every lockout, monitor all events with the “Account That Was Locked Out \Security ID” values that correspond to the accounts.

Attack
Detect
Cloud
Log Sources for Detection:
Detection Methods
On-Prem:
Mitigate

#PowerShell enable mailbox audit logs
Get-Mailbox

Set-Mailbox -Identity "USER" -AuditEnabled $true
Get-Mailbox | select UserPrincipalName, auditenabled, AuditDelegate, AuditAdmin

Manage mailbox auditingMicrosoftLearn

4740(S) A user account was locked out. - Windows SecurityMicrosoftLearn

Windows event ID 4740 - A user account was locked out | ADAudit Plus.

Account Lockout Event ID: Find the Source of Account LockoutsActive Directory Pro