#############################
免责声明:本文仅作收藏学习之用,亦希望大家以遵守《网络安全法》相关法律为前提,切勿用于非法犯罪活动,对于恶意使用造成的损失,和本人及作者无关。
##############################
以下是每个工具的简要说明和用法。
隔离区-Download.ps1
这是一个 powershell 工具,用于使用 ExchangeOnlineManagement 模块中的 Get-QuarantineMessage 和 Export-QuarantineMessage cmdlet 从 Office365 下载隔离的电子邮件,并将它们保存在指定的文件夹中以供进一步分析。
注意:要安装 ExchangeOnlineManagmente 模块,请使用以下命令:
Install-Module -Name ExchangeOnlineManagement复制
然后使用以下命令创建远程会话:
Connect-ExchangeOnline -UserPrincipalName user@tenant.com -ShowProgress $true复制
https://github.com/b1naryxx/Threat-Intel-Tools
######################################################################################################
# #
# Name: Quarantine-Download.ps1 #
# #
# Version: 1.0 #
# #
# Description: Searches the previous X days for quarantined messages date range and download the eml #
# #
# Limitations: Search query is limited to 1,000,000 entries. #
# #
# Requires: Remote PowerShell Connection to Exchange Online #
# #
# Author: Tomas Suescun #
# #
# Usage: .Quarantine-Download.ps1 -Days 30 -OutputDir C:QuarantineFiles #
# #
# #
# Disclaimer: This script is provided AS IS without any support. Please test in a lab environment #
# prior to production use. #
# #
######################################################################################################
#Use this script after creating a new Exchange Online Management session:# Import-Module ExchangeOnlineManagement
# Connect-ExchangeOnline -UserPrincipalName username@tenant.com -ShowProgress $true# To-do: - Add asyncronous jobs to speed the process
# - Handle different encodings
# - Add params to handle custom dates to workaround 1 millon cap<# .PARAMETER Days
Number of days back to search.
.PARAMETER TypeQuarantine
Filter by quarantine type. Can be one or multiple of the following values separeted by commas: Bulk,HighConfPhish,Malware,Phish,Spam,SPOMalware,TransportRule.
If none is specified, all will be selected.
.PARAMETER OutputDir
Full path of the output directory to store the eml files.
.PARAMETER Direction
Filter by direction of the emails, can be Inbound or Outbound. If not defined both are selected.#>Param(
[Parameter(Mandatory=$True)]
[int]$Days,
[Parameter(Mandatory=$False)]
$TypeQuarantine,
[Parameter(Mandatory=$True)]
[string]$OutputDir,
[Parameter(Mandatory=$False)]
$Direction )[DateTime]$DateEnd = Get-Date -format g[DateTime]$DateStart = $DateEnd.AddDays($Days * -1)$FoundCount = 0For($i = 1; $i -le 1000; $i++) # Maximum allowed pages is 1000{
$Command = 'Get-QuarantineMessage -PageSize 1000 -Page $i -StartReceivedDate $DateStart -EndReceivedDate $DateEnd '
if ($PSBoundParameters.ContainsKey('TypeQuarantine') = $True){
$Command += '-QuarantineTypes $TypeQuarantine '
}
if ($PSBoundParameters.ContainsKey('Direction') = $True){
$Command += '-Direction $Direction '
}
$Messages = Invoke-Expression $Command If($Messages.count -gt 0)
{
Foreach ($Message in $Messages) #Download messages using Export-QuarantineMessage {
#Progress information
$Status = $Messages[-1].ReceivedTime.ToString("MM/dd/yyyy HH:mm") + " - " + $Messages[0].ReceivedTime.ToString("MM/dd/yyyy HH:mm") + " [" + ("{0:N0}" -f ($i*1000)) + " Searched | " + $FoundCount + " Donwloaded]"
Write-Progress -activity "Checking Messages (Up to 1 Million)..." -status $Status
#Export message to file
$e = Export-QuarantineMessage -Identity $Message.Identity
if ($e.BodyEncoding -eq "Base64")
{
$bytes = [Convert]::FromBase64String($e.eml)
[IO.File]::WriteAllBytes($OutputDir+""+$FoundCount+".eml", $bytes)
}
else
{
Write-Host "Message with Identity: "+$e.Identity+" found with a different bodyEncoding, unable to handle it"
}
$FoundCount += 1
}
}
Else {
Break }} Write-Host $FoundCount "Entries Found & Logged In"原文始发于微信公众号(菜鸟小新):收集用于收集威胁情报信息的工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论