CISA Releases Free Malicious-Activity Detection Tool for Azure/M365 Environments

Isha Kudkar
Published in ShallVhack
3 min read · Jan 4, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has released a PowerShell-based tool that helps detect potentially compromised applications and accounts in Azure/Microsoft 365 environments.

This follows Microsoft's disclosure of how stolen credentials and access tokens are being actively used by threat actors to target Azure customers.

Azure administrators are strongly advised to review Microsoft's advisories on these attacks to learn more about them and how to spot abnormal behavior in their tenants.

“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment,” the US federal agency said.

“The tool is intended to be used by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”

How CISA’s tool works

The PowerShell-based tool, created by CISA’s Cloud Forensics team and dubbed Sparrow, can be used to narrow down larger sets of investigation modules and telemetry “to those specific to recent attacks on federated identity sources and applications.”

Sparrow checks the unified Azure/M365 audit log for indicators of compromise (IoCs), lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to surface potentially malicious activity.

The full list of checks it runs once launched on the analysis machine includes:

  • Searches for any modifications to the domain and federation settings on a tenant’s domain
  • Searches for any modifications or credential modifications to an application
  • Searches for any modifications or credential modifications to a service principal
  • Searches for any app role assignments to service principals, users, and groups
  • Searches for any OAuth or application consents
  • Searches for SAML token usage anomalies (UserAuthenticationMethod value of 16457) in the Unified Audit Logs
  • Searches for PowerShell logins into mailboxes
  • Searches for the well-known AppID for Exchange Online PowerShell
  • Searches for the well-known AppID for PowerShell
  • Searches for the AppID to check whether it accessed mail items
  • Searches for the AppID to check whether it accessed SharePoint or OneDrive items
  • Searches for the WinRM user agent string in the user-logged-in and user-login-failed operations
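To make the checks above concrete, here is an added example that is not part of Sparrow or of CISA's code: it re-implements three of them (the SAML 16457 anomaly, the WinRM user agent on sign-in events, and domain/federation changes) over a handful of constructed Unified Audit Log records so the logic can be run offline. The record field names follow the UAL AuditData schema as it is commonly exported (Operation, UserId, ClientIP, UserAgent, ExtendedProperties, ModifiedProperties); the sample values, addresses and tenant names are made up, and the Azure AD operation names in the federation check are assumptions to confirm against your own tenant's logs.

```powershell
# Added example, not Sparrow's code. Replays three Sparrow-style checks over constructed
# Unified Audit Log (UAL) records. Field names follow the UAL AuditData schema as commonly
# exported; sample values below are fabricated for illustration.

# --- Constructed sample records: each string mimics one AuditData JSON blob ---
$sampleAuditData = @(
    # Normal interactive sign-in with a password (UserAuthenticationMethod 1).
    '{"CreationTime":"2020-12-19T08:02:11","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0 (Windows NT 10.0)","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"1"}]}',
    # Sign-in presenting a SAML token: the 16457 value Sparrow flags.
    '{"CreationTime":"2020-12-20T03:14:07","Operation":"UserLoggedIn","UserId":"cfo@contoso.example","ClientIP":"198.51.100.23","UserAgent":"Mozilla/5.0 (Windows NT 10.0)","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"16457"}]}',
    # Failed sign-in from the WinRM client user agent (PowerShell remoting).
    '{"CreationTime":"2020-12-20T03:20:45","Operation":"UserLoginFailed","UserId":"svc-backup@contoso.example","ClientIP":"198.51.100.23","UserAgent":"Microsoft WinRM Client","ExtendedProperties":[{"Name":"UserAuthenticationMethod","Value":"1"}]}',
    # Federation settings changed on a domain: a persistence step worth flagging.
    '{"CreationTime":"2020-12-20T03:25:02","Operation":"Set federation settings on domain.","UserId":"alice@contoso.example","ClientIP":"198.51.100.23","UserAgent":"","ExtendedProperties":[],"ModifiedProperties":[{"Name":"IssuerUri","NewValue":"http://sts.attacker.example/adfs/services/trust"}]}'
)

# Parse the blobs into objects. Against a live tenant the same step is applied to the
# AuditData property of Search-UnifiedAuditLog output (Exchange Online PowerShell), e.g.:
#   $raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000
#   $records = $raw.AuditData | ForEach-Object { $_ | ConvertFrom-Json }
$records = $sampleAuditData | ForEach-Object { $_ | ConvertFrom-Json }

function Find-SamlTokenAnomaly {
    # UserLoggedIn events whose UserAuthenticationMethod extended property is 16457.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object {
        $_.Operation -eq 'UserLoggedIn' -and
        ($_.ExtendedProperties | Where-Object { $_.Name -eq 'UserAuthenticationMethod' -and $_.Value -eq '16457' })
    }
}

function Find-WinRmLogon {
    # Successful or failed sign-ins whose user agent is the WinRM client.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object {
        $_.Operation -in @('UserLoggedIn', 'UserLoginFailed') -and
        $_.UserAgent -like 'Microsoft WinRM Client*'
    }
}

function Find-FederationChange {
    # Domain and federation modifications. The operation names are assumed for this
    # example; verify them against real audit records before relying on the list.
    param([Parameter(Mandatory)][object[]]$Records)
    $domainOps = @(
        'Set federation settings on domain.',
        'Set domain authentication.',
        'Add unverified domain.'
    )
    $Records | Where-Object { $_.Operation -in $domainOps }
}

# Run all three checks and tag each hit with the check that produced it.
$columns = @{n = 'Check'; e = { $check } }, 'CreationTime', 'UserId', 'ClientIP', 'Operation'
$findings = @(
    $check = 'SAML 16457';  Find-SamlTokenAnomaly -Records $records | Select-Object $columns
    $check = 'WinRM UA';    Find-WinRmLogon       -Records $records | Select-Object $columns
    $check = 'Domain/Fed';  Find-FederationChange -Records $records | Select-Object $columns
)
$findings | Format-Table -AutoSize
```

On the constructed data all three hits share the source address 198.51.100.23, which is the kind of pivot Sparrow's CSV output is meant to support: a single SAML-token sign-in is not proof of anything, but the same address also driving WinRM sign-ins and a federation change a few minutes later is worth an investigation on its own.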

System Requirements

A few Azure AD/M365 permissions are required to run Sparrow.ps1; they grant read-only access to the tenant.

  • Azure Active Directory: Security Reader
  • Security and Compliance Center: Compliance Administrator
  • Exchange Online Admin Center: use a custom role group with these specific permissions: Mail Recipients, Security Group Creation and Membership, User Options, View-Only Audit Logs, View-Only Configuration, View-Only Recipients

To check for the MailItemsAccessed operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.

Installation

The function Check-PSModules checks whether the three required PowerShell modules are installed on the system; if not, it uses the system's default PowerShell repository to download and install them. If a module is present but not imported, the script imports it so that it is ready for use.
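The same install-if-missing, import-if-not-loaded pattern, written out as an added example rather than Sparrow's own Check-PSModules function. The module names passed in at the bottom are illustrative; take the authoritative list from Sparrow.ps1 itself.

```powershell
# Added example, not Sparrow's Check-PSModules. Ensures each named module is installed
# (from an explicitly pinned repository) and imported into the current session.
function Confirm-RequiredModule {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$Repository = 'PSGallery'   # pin the feed so nothing comes from an unexpected source
    )
    foreach ($module in $Name) {
        if (-not (Get-Module -ListAvailable -Name $module)) {
            Write-Host "Installing $module from $Repository"
            # -Scope CurrentUser avoids needing local admin rights on the analysis machine.
            Install-Module -Name $module -Repository $Repository -Scope CurrentUser -Force
        }
        if (-not (Get-Module -Name $module)) {
            Import-Module -Name $module -ErrorAction Stop
        }
        $loaded = Get-Module -Name $module
        Write-Host ("{0} {1} loaded" -f $loaded.Name, $loaded.Version)
    }
}

# Module names here are illustrative assumptions, not taken from Sparrow.ps1.
Confirm-RequiredModule -Name 'AzureAD', 'MSOnline'
```

Pinning the repository and installing per-user are the two details worth keeping when you write your own version: an incident-response workstation should not be pulling modules from whatever repository happens to be registered first.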

Conclusion

It is highly recommended that all Azure and Microsoft O365 administrators stay alert to the recent attacks and learn how to identify suspicious and potentially malicious behavior in their tenants.
