account takeover (ATO) — quick-start

account takeover — first 10 minutes. containment before root cause. print this, check the boxes in order, then run the primary tools.

checklist

  1. revoke all active sessions for the victim account in the IdP (Okta / Entra) — do not wait for root cause.
  2. force password reset and invalidate refresh tokens.
  3. disable or reset MFA factors on the account — assume SIM or device compromise.
  4. export unified audit and sign-in logs for the victim — 30 days minimum.
  5. export mailbox rules for the victim mailbox — outlook rules.dat or admin center export.
  6. check for new OAuth app consents or enterprise app grants in the last 60 days.
  7. pull VPN auth logs for the victim username — correlate against password-spray source IPs.
  8. if MFA is SMS-based, open a carrier ticket for a SIM swap / port-out inquiry on the victim line.
  9. preserve the victim endpoint — do not reimage until session artifacts are captured.
  10. begin the primary tool path below.
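Added example, not part of the original page and not one of the tools listed under primary tools: a minimal Python triage of the unified audit log exported in step 4, covering the mailbox rules of step 5 and the OAuth consents of step 6. It assumes the export is a JSON array of AuditData records; the operation and field names follow the M365 unified audit log schema, and the sample records are constructed.

```python
import json

# Exchange rule/mailbox parameters that move mail out of the victim's
# control (forwarding, redirection, auto-delete to hide replies).
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "DeleteMessage"}
# Graph scopes treated as high-scope when granted to a newly consented app.
HIGH_SCOPES = ("Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
               "Directory.ReadWrite.All", "offline_access")

def _kv(rec, key, val):
    """Flatten a list of {Name, Value|NewValue} entries into a str dict."""
    return {e["Name"]: str(e.get(val, "")) for e in rec.get(key, [])}

def triage_record(rec):
    """Return a one-line finding for an ATO-relevant record, else None."""
    op, user, when = rec.get("Operation", ""), rec.get("UserId", "?"), rec.get("CreationTime", "?")
    params = _kv(rec, "Parameters", "Value")            # Exchange cmdlet params
    props = _kv(rec, "ModifiedProperties", "NewValue")  # Azure AD changes
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        hits = [f"{k}={params[k]}" for k in sorted(EXFIL_PARAMS & params.keys())
                if params[k] not in ("", "False")]
        if hits:
            return f"{when} {user} {op}: {', '.join(hits)}"
    elif op == "Consent to application.":
        scopes = props.get("ConsentAction.Permissions", "")
        if any(s in scopes for s in HIGH_SCOPES):
            return f"{when} {user} consented to high-scope app: {scopes}"
    elif op == "Add member to role." and props.get("Role.DisplayName") == "Global Administrator":
        return f"{when} {user} added to Global Administrator"
    elif op == "Set-AdminAuditLogConfig" and params.get("UnifiedAuditLogIngestionEnabled") == "False":
        return f"{when} {user} disabled unified audit log ingestion"
    return None

def triage_export(text):
    """Triage a JSON array of AuditData records; findings stay in log order."""
    return [f for f in map(triage_record, json.loads(text)) if f]

# Constructed sample export: three malicious records followed by a benign rule.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2024-05-01T08:12:00Z", "UserId": "victim@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T08:15:00Z", "UserId": "victim@example.com", "Operation": "Consent to application.",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions", "NewValue": "[[Scope: Mail.Read offline_access]]"}]},
    {"CreationTime": "2024-05-01T08:20:00Z", "UserId": "victim@example.com", "Operation": "Add member to role.",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2024-05-01T09:00:00Z", "UserId": "victim@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
])
```

Run `triage_export(SAMPLE_EXPORT)` to get the three findings in timestamp order; a real export from the admin center usually nests each record as a JSON string in an AuditData column, so parse that column first.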

primary tools

  1. okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
  2. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  3. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  4. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
  5. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward / redirect · CSV export · runs locally
  6. password spray & brute force detector: drop security evtx csv · analyze authentication failure patterns · detect low-and-slow password spray · high-speed brute force · credential stuffing patterns · flag attacker ips · runs locally
  7. credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
  8. sim swap artifact forensic detector: detect evidence of SIM swapping across devices, carriers, or subscriber records · runs locally
