CISA and CrowdStrike Release Free Azure/O365 Analysis Tools to Identify Malicious Activity

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a PowerShell-based tool for detecting unusual and potentially malicious activity in Azure/Office 365 environments. The tool can be downloaded free of charge and used by incident response teams to identify the identity- and authentication-based attacks that have been observed in multiple sectors in the wake of the SolarWinds breach.

The CISA tool was created by its Cloud Forensics team and narrows a large set of investigation modules and telemetry down to a focused view of activity, helping incident response teams identify attacks on federated identity sources and applications.

The tool – named Sparrow.ps1 – checks and installs the required PowerShell modules on the analysis machine and performs a series of searches and checks of unified Azure/Microsoft 365 audit logs for indicators of compromise. The tool searches for modifications to domains, credentials, Azure service principals and Microsoft Graph API permissions, application consents, PowerShell logins to mailboxes, and other IoCs that could indicate malicious activity.
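The kind of triage Sparrow.ps1 performs over the unified audit log, as an added illustration that is not CISA's code: the script below reads an export of audit records (one JSON object per line, constructed here as sample input), maps the operation names for domain/federation changes, service principal credential additions, application consents and permission grants to the categories the article names, and flags mailbox logins whose client string indicates PowerShell. The operation strings follow the Unified Audit Log naming convention, and the `ClientInfoString` matching is an assumption to tune against your own export.

```python
import json
from collections import defaultdict

# Operation names as they appear in Azure AD / Exchange audit records, mapped to
# the categories of activity the article says Sparrow checks. Treat the exact
# set as an assumption and extend it from your own tenant's export.
WATCHED_OPERATIONS = {
    "Set domain authentication.": "domain/federation change",
    "Set federation settings on domain.": "domain/federation change",
    "Add service principal credentials.": "service principal credential added",
    "Consent to application.": "application consent granted",
    "Add app role assignment to service principal.": "application permission granted",
    "Add delegated permission grant.": "delegated (Graph API) permission granted",
}

def parse_export(lines):
    """Parse an export with one AuditData JSON object per line (constructed format)."""
    return [json.loads(line) for line in lines if line.strip()]

def triage(records):
    """Return {category: [(time, actor, target), ...]} for records worth a closer look."""
    findings = defaultdict(list)
    for r in records:
        op = r.get("Operation", "")
        entry = (r.get("CreationTime"), r.get("UserId"), r.get("ObjectId"))
        if op in WATCHED_OPERATIONS:
            findings[WATCHED_OPERATIONS[op]].append(entry)
        # Mailbox logins from PowerShell rather than a mail client are rare for most
        # users; ClientInfoString is the Exchange audit field that names the client
        # (assumed usage, verify against your records).
        elif op == "MailboxLogin" and "powershell" in r.get("ClientInfoString", "").lower():
            findings["PowerShell mailbox login"].append(entry)
    return dict(findings)

# Constructed sample export: two tenant changes, one PowerShell mailbox login,
# one ordinary OWA login and one plain sign-in that should not be flagged.
SAMPLE_EXPORT = """
{"CreationTime":"2020-12-20T03:14:00","Operation":"Set federation settings on domain.","UserId":"admin@example.com","ObjectId":"example.com","Workload":"AzureActiveDirectory"}
{"CreationTime":"2020-12-20T03:20:00","Operation":"Add service principal credentials.","UserId":"admin@example.com","ObjectId":"ServicePrincipal_PLACEHOLDER","Workload":"AzureActiveDirectory"}
{"CreationTime":"2020-12-20T04:01:00","Operation":"MailboxLogin","UserId":"exec@example.com","ClientInfoString":"Client=Microsoft.Exchange.Powershell","Workload":"Exchange"}
{"CreationTime":"2020-12-20T04:05:00","Operation":"MailboxLogin","UserId":"user@example.com","ClientInfoString":"Client=OWA","Workload":"Exchange"}
{"CreationTime":"2020-12-20T09:00:00","Operation":"UserLoggedIn","UserId":"user@example.com","Workload":"AzureActiveDirectory"}
"""

if __name__ == "__main__":
    for category, hits in triage(parse_export(SAMPLE_EXPORT.splitlines())).items():
        print(f"{category}: {len(hits)} record(s)")
        for when, actor, target in hits:
            print(f"  {when}  {actor}  ->  {target}")
```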

CrowdStrike Releases Azure Environment Analysis Tool

A similar detection tool has also been released by CrowdStrike following a failed attempt by hackers to access its corporate email environment using compromised Azure credentials. In the attempted attack on CrowdStrike, the hackers identified a reseller’s Azure account that was used for managing Microsoft Office licenses. The attackers attempted to enable Office 365 Read privileges to access CrowdStrike emails, but the attack failed as CrowdStrike does not use Office 365 email.

CrowdStrike analyzed its Azure environment and determined that Azure had not been compromised, but its incident response team faced several challenges as many of the steps required to investigate the Azure environment were complex, not documented, and required excessive privileges to access important information. The tool can be used to access hard-to-find permissions and configuration settings and will help organizations to secure their Azure/Office 365 environments.

The tool can be used to generate a report that lists the following information:

Exchange Online (O365):

  • Federation Configuration
  • Federation Trust
  • Client Access Settings Configured on Mailboxes
  • Mail Forwarding Rules for Remote Domains
  • Mailbox SMTP Forwarding Rules
  • Delegates with ‘Full Access’ Permission Granted
  • Delegates with Any Permissions Granted
  • Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
  • Exchange Online PowerShell Enabled Users
  • Users with ‘Audit Bypass’ Enabled
  • Mailboxes Hidden from the Global Address List (GAL)

Azure AD:

  • Service Principal Objects with KeyCredentials
  • O365 Admin Groups Report
  • Delegated Permissions & Application Permissions

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news