Microsoft Office Telemetry - OSDFCon
![Page 1: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/1.jpg)
Microsoft Office Telemetry: Tracking Your Every Move
Sam Koffman U.S. Dept. of the Treasury / SIGTARP
_Press any key to start
![Page 2: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/2.jpg)
Blah blah blah blah blah blah Blah blah blah blah blah blah Blah blah blah blah blah blah Blah blah blah blah blah blah
#include lawyers.h_
Any reference in this presentation to any person, organization, activities, products, or services does not constitute or imply the endorsement, recommendation, or favoring of the U.S. Government, its subcomponents, or any of its employees or contractors acting on its behalf.
![Page 3: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/3.jpg)
_Scenario
Which user modified this document at a specific date/time?
✓ File system metadata
✓ Document metadata / versioning
✓ Network traffic
![Page 4: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/4.jpg)
_Scenario
![Page 5: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/5.jpg)
_Down the Rabbit Hole
![Page 6: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/6.jpg)
_Office Telemetry
Compatibility Monitoring Framework
- Test compatibility
- Check performance
- Identify
![Page 7: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/7.jpg)
_Office Versions
Telemetry Agent Compatible: Standard, Pro Plus, 365 Pro Plus
Telemetry Agent Included: Pro Plus, 365 Pro Plus
![Page 8: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/8.jpg)
_??????
What does this have to do with OSDFCon? $#!&*!!
xkcd.com
![Page 9: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/9.jpg)
_Data Collected
Document: File name, File format, Event, Timestamp, Path, Size, Author, Title
Computer: User name, Computer name, Domain, RAM, CPU
![Page 10: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/10.jpg)
_Telemetry Process
![Page 11: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/11.jpg)
_Local Datastore
user.tbl: User info, Network details, Machine specs
evt.tbl: Event codes
sln.tbl: File name/path, File size, Author
Location: %UserProfile%\AppData\Local\Microsoft\Office\16.0\Telemetry\
Caveats: Recently used files; 5MB file size
![Page 12: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/12.jpg)
_Wait, there’s code!
![Page 13: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/13.jpg)
_Push button for evidence
![Page 14: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/14.jpg)
_SQL Database
![Page 15: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/15.jpg)
_Registry / GPO
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OSM
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\OSM
User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Telemetry Dashboard
Settings: Upload to share, Custom tags, Obfuscation, Wait / Random delay
![Page 16: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/16.jpg)
_So What?
xkcd.com
![Page 17: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/17.jpg)
_Timelines
2018-10-17T09:00:00.000  Application Opened
2018-10-17T09:00:10.584  Document Opened
2018-10-17T09:10:15.783  Document Closed
2018-10-17T09:10:36.864  Application Closed
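As an added example (not the talk's own tooling or Autopsy module), this Python joins records shaped like the three local tables (user.tbl, evt.tbl, sln.tbl) against the event timeline to answer the scenario question, "which user had this document open at a given time?" The on-disk .tbl layout is not described on the slides, so the records are hand-built dicts, and an open without a matching close is kept as an open-ended session rather than dropped.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample rows modelled on the three tables named in the talk; the real
# .tbl format is not on the page, so these are plain dicts, not parser output.
USERS = {
    1: {"user_name": "jdoe", "computer": "WS-01", "domain": "CORP"},
    2: {"user_name": "asmith", "computer": "WS-02", "domain": "CORP"},
}
SOLUTIONS = {
    10: {"file_name": "budget.xlsx", "path": r"C:\Users\jdoe\Documents\budget.xlsx", "size": 20480},
}
EVENTS = [  # (user_id, sln_id, event, timestamp); application events carry no document
    (1, None, "Application Opened", "2018-10-17T09:00:00.000"),
    (1, 10, "Document Opened", "2018-10-17T09:00:10.584"),
    (2, 10, "Document Opened", "2018-10-17T09:05:00.000"),
    (1, 10, "Document Closed", "2018-10-17T09:10:15.783"),
    (1, None, "Application Closed", "2018-10-17T09:10:36.864"),
]

@dataclass
class Session:
    user_name: str
    computer: str
    file_name: str
    opened: datetime
    closed: Optional[datetime]  # None: no close recorded (still open, crash, or log gap)

def build_sessions(events, users, solutions):
    """Pair each Document Opened with the next Document Closed for the same user and file."""
    pending, sessions = {}, []
    for user_id, sln_id, name, ts in sorted(events, key=lambda e: e[3]):
        if sln_id is None:
            continue  # Application Opened/Closed: no document to attribute
        key, when = (user_id, sln_id), datetime.fromisoformat(ts)
        if name == "Document Opened":
            pending[key] = when
        elif name == "Document Closed" and key in pending:
            u, s = users[user_id], solutions[sln_id]
            sessions.append(Session(u["user_name"], u["computer"], s["file_name"], pending.pop(key), when))
    for (user_id, sln_id), when in pending.items():  # opens never closed stay open-ended
        u, s = users[user_id], solutions[sln_id]
        sessions.append(Session(u["user_name"], u["computer"], s["file_name"], when, None))
    return sessions

def who_had_open(sessions, file_name, at):
    """Names of users whose session on file_name spans the instant `at` (ISO 8601)."""
    t = datetime.fromisoformat(at)
    return sorted(s.user_name for s in sessions
                  if s.file_name == file_name and s.opened <= t and (s.closed is None or t <= s.closed))
```

Because the local store only covers recently used files (the caveat on the Local Datastore slide), an empty answer means "no evidence here", not "nobody".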
![Page 18: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/18.jpg)
_Enterprise
Computers removed from the network
Entries removed from telemetry DB!
![Page 19: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/19.jpg)
_Cloud-Hosted SQL
![Page 20: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/20.jpg)
_Malicious Code Detected!
Attack Vectors: Malicious macros, Dynamic Data Exchange calls, Custom JavaScript functions
![Page 21: Microsoft Office Telemetry - OSDFCon](https://reader034.vdocuments.us/reader034/viewer/2022050306/626f277000f7181ee04ceafa/html5/thumbnails/21.jpg)
_To Do
Parse more stuff
Improve Autopsy module
Test Office attacks
Office 365?