#This script will allow you to execute a recommended set of steps to fully re-secure and remediate a known breached account in Office 365.
#It performs the following actions:
# Reset password (which kills the session).
# Remove mailbox delegates.
# Remove mailforwarding rules to external domains.
# Remove global mailforwarding property on mailbox.
# Enable MFA on the user's account.
# Set password complexity on the account to be high.
# Enable mailbox auditing.
# Produce Audit Log for the admin to review.
#$upn = "[email protected]"
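[CmdletBinding()]
Param(
    # UPN of the account being remediated; every step below keys off it.
    [Parameter(Mandatory=$True,Position=0)][ValidateNotNullOrEmpty()]
    [string]$upn
    #[Parameter(Mandatory=$False)]
    # [date]$startDate,
    #[Parameter(Mandatory=$False)]
    # [date]$endDate,
    #[Parameter(Mandatory=$False)]
    # [string]$fromFile
)
# The transcript file name is built from the local part of the UPN plus today's date, in the current directory.
$userName = $upn -split "@"
$transcriptpath = ".\" + $userName[0] + "RemediationTranscript" + (Get-Date).ToString('yyyy-MM-dd') + ".txt"
# From here on everything written to the host is persisted to $transcriptpath; treat that file as sensitive,
# it records the full configuration of the breached mailbox.
Start-Transcript -Path $transcriptpath
Write-Output "You are about to remediate this account: $upn"
Write-Output "Let's get a credential and get connected to Office 365."
# MSOnline supplies the Set-MsolUser* / Get-MsolUser cmdlets used for password, password policy and MFA.
# -ErrorAction Stop: nothing later works without it, so fail here with a clear message.
# NOTE(review): MSOnline is a legacy module; confirm it is still usable in the target tenant before relying on this script.
Import-Module MSOnline -ErrorAction Stop
# A single admin credential is reused for the EXO, EOP and MSOL connections below.
$adminCredential = Get-Credential
Write-Output "Connecting to Exchange Online Remote Powershell Service"
# NOTE(review): this is credential-only Basic auth against the legacy remote PowerShell endpoint. Microsoft has
# retired Basic auth for Exchange Online; the supported path is Connect-ExchangeOnline (ExchangeOnlineManagement).
# Left unchanged here to avoid introducing a new module dependency — expect this call to fail on current tenants.
$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $adminCredential -Authentication Basic -AllowRedirection
if ($null -ne $ExoSession) {
    Import-PSSession $ExoSession
} else {
    # Every mailbox step (auditing, delegates, inbox rules, forwarding) needs this session. Continuing
    # without it would only "remediate" on paper, so close the transcript and abort instead.
    Write-Output " No EXO service set up for this account"
    Stop-Transcript
    throw "Could not establish an Exchange Online session for $upn; aborting remediation."
}
Write-Output "Connecting to EOP Powershell Service"
# Security & Compliance endpoint. -AllowClobber lets its cmdlets override same-named ones already
# imported from the EXO session. Failure here is reported but not fatal.
$EopSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $adminCredential -Authentication Basic -AllowRedirection
if ($null -ne $EopSession) {
    Import-PSSession $EopSession -AllowClobber
} else {
    Write-Output " No EOP service set up for this account"
}
#This connects to Azure Active Directory
Connect-MsolService -Credential $adminCredential
# System.Web provides Membership.GeneratePassword used by the password reset. Add-Type replaces the
# deprecated LoadWithPartialName call, which also echoed the assembly object into the transcript.
# NOTE(review): System.Web.Security.Membership is a .NET Framework API; this script assumes Windows PowerShell — confirm before running under PowerShell 7.
Add-Type -AssemblyName System.Web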
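function Reset-Password($upn) {
    # Resets the account to a random password the user must change at next logon, then turns on the
    # strong-password requirement. Per the header of this script the reset is what ends the active session.
    # NOTE(review): a password reset does not by itself guarantee that already-issued refresh tokens are
    # revoked; confirm whether a separate token-revocation step is needed for this tenant.
    # 16 characters, at least 2 of them non-alphanumeric.
    $newPassword = [System.Web.Security.Membership]::GeneratePassword(16, 2)
    Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $newPassword -ForceChangePassword $True
    # The transcript started at the top of the script captures everything written to the host, so the
    # temporary password would otherwise be stored in clear text on disk next to the other artefacts.
    # Pause the transcript for the one line that reveals it, then resume appending to the same file.
    # (If no transcript is running, e.g. the function was dot-sourced, there is nothing to pause.)
    $transcriptPaused = $false
    try {
        Stop-Transcript | Out-Null
        $transcriptPaused = $true
    } catch {
        # No active transcript — nothing to pause.
    }
    # Write-Host goes straight to the console, so it cannot be buffered into the transcript once it resumes.
    Write-Host "We've set the password for the account $upn to be $newPassword. Make sure you record this and share with the user, or be ready to reset the password again. They will have to reset their password on the next logon."
    if ($transcriptPaused) {
        Start-Transcript -Path $script:transcriptpath -Append | Out-Null
    }
    Write-Output "Password for $upn was reset and shown on the console only; it is deliberately not recorded in this transcript."
    Set-MsolUser -UserPrincipalName $upn -StrongPasswordRequired $True
    Write-Output "We've also set this user's account to require a strong password."
}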
function Enable-MailboxAuditing($upn) {
    # Turns on mailbox auditing for the account with a 365-day retention of audit entries, then reads the
    # mailbox back so the resulting audit settings land in the transcript.
    $separator = "##############################################################"
    Write-Output $separator
    Write-Output "We are going to enable mailbox auditing for this user to ensure we can monitor activity going forward."
    # Enable auditing and keep entries for a year.
    Set-Mailbox -Identity $upn -AuditEnabled $true -AuditLogAgeLimit 365
    Write-Output $separator
    Write-Output "Done! Here's the current configuration for auditing."
    # Verify by reading the settings back.
    Get-Mailbox -Identity $upn |
        Select-Object Name, AuditEnabled, AuditLogAgeLimit
}
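function Remove-MailboxDelegates($upn) {
    # Removes every explicit (non-inherited) mailbox-level permission except the owner's own SELF entry.
    # Explicit delegate access is a common way for a breached mailbox to stay readable after the password
    # changes, so the entries are listed (for the transcript) and then removed.
    Write-Output "##############################################################"
    Write-Output "Removing Mailbox Delegate Permissions for the affected user $upn."
    # Query once and reuse the result, so the entries shown are exactly the entries removed.
    # "-ne $true" works whether IsInherited comes back as a boolean or as its string form.
    $mailboxDelegates = Get-MailboxPermission -Identity $upn |
        Where-Object { ($_.IsInherited -ne $true) -and ($_.User -notlike "*SELF*") }
    if ($mailboxDelegates) {
        $mailboxDelegates | Select-Object User, AccessRights, Deny
        foreach ($delegate in $mailboxDelegates) {
            Remove-MailboxPermission -Identity $upn -User $delegate.User -AccessRights $delegate.AccessRights -InheritanceType All -Confirm:$false
        }
    } else {
        Write-Output "No explicit mailbox delegate permissions found for $upn."
    }
    # NOTE(review): only mailbox-level ACEs are handled here. Send-As (Get-RecipientPermission /
    # Remove-RecipientPermission), Send-on-Behalf (the mailbox's GrantSendOnBehalfTo list) and per-folder
    # permissions (Get-MailboxFolderPermission / Remove-MailboxFolderPermission) are not reviewed and remain a gap.
    #Possibly add the admin running the script to the user's mailbox?
    #Add-MailboxPermission -Identity $upn -User $adminCredential.UserName -AccessRights FullAccess -InheritanceType All
    #TO DO: Need to figure out how to check delegate permissions set on a all the folders for the user, then remove them. Looks to be a user-only cmdlet permission set
    #$mailboxFolders = Get-MailboxFolder -Identity admin -Recurse
    #foreach ($folder in $mailboxFolders)
    #{
    # $thisUpnFolder = $upn + ":\" + $folder.FolderPath
    # Get-MailboxFolderPermission -Identity $thisUpnFolder | Where-Object {($_.AccessRights -ne "None")}
    #Remove-MailboxFolderPermission: https://technet.microsoft.com/en-us/library/dd351181(v=exchg.160).aspx
    #}
}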
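function Disable-MailforwardingRulesToExternalDomains($upn) {
    # Disables (does not delete) every enabled inbox rule that forwards, redirects or sends a text
    # notification for incoming mail, so the rules remain available as evidence for the investigation.
    # NOTE(review): despite the name, no domain check is made — rules forwarding inside the tenant are disabled too.
    Write-Output "##############################################################"
    Write-Output "Disabling mailforwarding rules to external domains for the affected user $upn."
    Write-Output "We found the following rules that forward or redirect mail to other accounts: "
    # -IncludeHidden also returns rules that the normal listing omits. The filter is evaluated once and the
    # result reused, so what is displayed is exactly what gets disabled. $null is kept on the left-hand side
    # of the comparisons: with a multi-valued recipient list on the left, -ne would filter the list
    # element-wise instead of testing whether it is set.
    $forwardingRules = Get-InboxRule -Mailbox $upn -IncludeHidden | Where-Object {
        ($_.Enabled -eq $true) -and (
            ($null -ne $_.ForwardTo) -or
            ($null -ne $_.ForwardAsAttachmentTo) -or
            ($null -ne $_.RedirectTo) -or
            ($null -ne $_.SendTextMessageNotificationTo)
        )
    }
    if ($forwardingRules) {
        $forwardingRules |
            Select-Object Name, Description, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, SendTextMessageNotificationTo |
            Format-Table
        $forwardingRules | Disable-InboxRule -Confirm:$false
    } else {
        Write-Output "No enabled forwarding or redirect rules found for $upn."
    }
    #Clean-up disabled rules (left disabled rather than removed so they can be reviewed later)
    #$forwardingRules | Remove-InboxRule -Confirm:$false
    Write-Output "##############################################################"
    Write-Output "Aight. We've disabled all the rules that move your email to other mailboxes. "
}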
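function Remove-MailboxForwarding($upn) {
    # Clears mailbox-level forwarding. ForwardingSmtpAddress and ForwardingAddress are two separate
    # mailbox properties and either one forwards mail; the original cleared only the SMTP one, so both
    # are now shown before/after and both are cleared.
    Write-Output "##############################################################"
    Write-Output "Removing Mailbox Forwarding configurations for the affected user $upn. Current configuration is:"
    Get-Mailbox -Identity $upn |
        Select-Object Name, DeliverToMailboxAndForward, ForwardingSmtpAddress, ForwardingAddress
    Set-Mailbox -Identity $upn -DeliverToMailboxAndForward $false -ForwardingSmtpAddress $null -ForwardingAddress $null
    Write-Output "##############################################################"
    Write-Output "Mailbox forwarding removal completed. Current configuration is:"
    # Read back so the post-state is in the transcript.
    Get-Mailbox -Identity $upn |
        Select-Object Name, DeliverToMailboxAndForward, ForwardingSmtpAddress, ForwardingAddress
}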
function Enable-MFA ($upn) {
    # Requires MFA for the user by writing a single StrongAuthenticationRequirement (RelyingParty "*")
    # onto the MSOL user object, then reads the MFA state back so it appears in the transcript.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = "*"
    # The parameter takes an array of requirements; we set exactly one.
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    Write-Output "##############################################################"
    Write-Output "Aight. We've enabled MFA required for $upn. Let them know they'll need to setup their additional auth token the next time they logon."
    # Show the registered methods and the requirement just applied.
    Get-MsolUser -UserPrincipalName $upn |
        Select-Object UserPrincipalName, StrongAuthenticationMethods, StrongAuthenticationRequirements
}
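function Get-AuditLog ($upn, $days = 7) {
    # Pulls the unified audit log for the account over the last $days days (default 7, as before), writes
    # it to a dated CSV in the current directory and prints it. Relies on Search-UnifiedAuditLog from the
    # imported EXO/EOP session.
    Write-Output "##############################################################"
    Write-Output "We've remediated the account, but there might be things we missed. Review the audit transcript for this user to be super-sure you've got everything."
    $userName = $upn -split "@"
    $auditLogPath = ".\" + $userName[0] + "AuditLog" + (Get-Date).ToString('yyyy-MM-dd') + ".csv"
    # Pass DateTime objects instead of 'MM/dd/yyyy' strings: the string form is subject to culture-dependent
    # parsing, and using "now" as the end date includes today's activity rather than stopping at midnight.
    $endDate = Get-Date
    $startDate = $endDate.AddDays(-$days)
    # Search-UnifiedAuditLog returns only 100 records unless ResultSize is raised; 5000 is the per-call maximum.
    # NOTE(review): a busy account can exceed 5000 records in a week; paging via -SessionCommand ReturnLargeSet
    # would be needed to get a complete picture.
    $results = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $upn -ResultSize 5000
    if ($results) {
        # -NoTypeInformation drops the "#TYPE ..." header line that otherwise breaks most CSV consumers.
        $results | Export-Csv -Path $auditLogPath -NoTypeInformation
        Write-Output "##############################################################"
        Write-Output "We've written the log to $auditLogPath. You can also review the activity below."
        Write-Output "##############################################################"
        $results | Format-Table
    } else {
        Write-Output "##############################################################"
        Write-Output "No audit records were returned for $upn between $startDate and $endDate; nothing was written to $auditLogPath."
    }
}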
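# Remediation sequence. The try/finally guarantees that the transcript is closed and the remote sessions are
# torn down even when a step throws, so a partial run still leaves a readable transcript behind.
try {
    Reset-Password $upn
    Enable-MailboxAuditing $upn
    Remove-MailboxDelegates $upn
    Disable-MailforwardingRulesToExternalDomains $upn
    Remove-MailboxForwarding $upn
    Enable-MFA $upn
    Get-AuditLog $upn
} finally {
    # Close the remote sessions opened at the top of the script rather than leaving them open.
    if ($ExoSession) { Remove-PSSession $ExoSession }
    if ($EopSession) { Remove-PSSession $EopSession }
    Stop-Transcript
}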