A new PowerShell solution from the Cybersecurity and Infrastructure Security Agency (CISA) aims to help Azure and Microsoft 365 accounts detect malicious applications. It will also help to find legitimate apps that may have been compromised.
Microsoft has recently confirmed stolen Azure/Microsoft 365 credentials and access tokens are being used by attackers against its customers. This is related to the Solarigate malware attack against the SolarWinds Orion app. CISA has previously warned about rushed Office 365 deployments causing security holes for organizations.
Following the latest disclosure, CISA has developed a tool to help detect apps with potential malware. Microsoft is urging its customers to review its disclosure and learn how to spot potentially harmful behavior in apps.
CISA says the new tool can help customers on Azure and Microsoft 365.
“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment,” the US federal agency says.
“The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”
Sparrow
The tool is based on Microsoft's PowerShell and was developed by the Cloud Forensics team within CISA. It is known as Sparrow and looks through Azure and Microsoft 365 audit logs for signs of breach. Furthermore, Sparrow lists Azure AD domains.
Below is the list of checks the tool performs:
- Searches for any modifications to the domain and federation settings on a tenant's domain
- Searches for any modifications or credential modifications to an application
- Searches for any modifications or credential modifications to a service principal
- Searches for any app role assignments to service principals, users, and groups
- Searches for any OAuth or application consents
- Searches for SAML token usage anomaly (UserAuthenticationValue of 16457) in the Unified Audit Logs
- Searches for PowerShell logins into mailboxes
- Searches for well-known AppID for Exchange Online PowerShell
- Searches for well-known AppID for PowerShell
- Searches for the AppID to see if it accessed mail items
- Searches for the AppID to see if it accessed Sharepoint or OneDrive items
- Searches for WinRM useragent string in the user logged in and user login failed operations
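As an added illustration of the checks listed above (not Sparrow's own code, which is a PowerShell script), here is a small Python triage pass over exported Unified Audit Log records. The application IDs for Exchange Online PowerShell and Azure AD PowerShell and the Azure AD operation names are assumed from Microsoft's published values, not quoted in the article, and the sample records are constructed.

```python
import json
# Well-known first-party application IDs that Sparrow's AppID checks target
# (assumed from Microsoft's published IDs; the article does not quote them).
KNOWN_POWERSHELL_APPIDS = {
    "fb78d390-0c51-40cd-8e17-fdbfab77341b": "Exchange Online PowerShell",
    "1b730954-1685-4b74-9bfd-dac224a7b894": "Azure AD PowerShell",
}
# Azure AD audit operation names as they surface in the Unified Audit Log (assumed;
# matched case-insensitively after trimming whitespace and normalising the dash).
WATCHED_OPERATIONS = {
    "set federation settings on domain.": "federation settings modified",
    "update application - certificates and secrets management": "application credential modified",
    "add service principal credentials.": "service principal credential added",
    "add app role assignment to service principal.": "app role assigned to service principal",
    "consent to application.": "OAuth consent granted",
}

def classify(rec: dict) -> list[str]:
    """Return the Sparrow-style findings for one AuditData record (empty if none)."""
    hits = []
    op = rec.get("Operation", "")
    key = op.strip().lower().replace("\u2013", "-")
    if key in WATCHED_OPERATIONS:
        hits.append(WATCHED_OPERATIONS[key])
    app = rec.get("ApplicationId") or rec.get("AppId") or ""
    if app in KNOWN_POWERSHELL_APPIDS:
        hits.append(f"{KNOWN_POWERSHELL_APPIDS[app]} AppID performed {op}")
    props = {p.get("Name"): p.get("Value", "") for p in rec.get("ExtendedProperties", [])}
    if op == "UserLoggedIn" and props.get("UserAuthenticationMethod") == "16457":
        hits.append("SAML token anomaly (UserAuthenticationMethod 16457)")
    if op in ("UserLoggedIn", "UserLoginFailed") and "WinRM" in props.get("UserAgent", ""):
        hits.append("WinRM user agent on sign-in")
    if op in ("MailboxLogin", "MailItemsAccessed") and "PowerShell" in rec.get("ClientInfoString", ""):
        hits.append(f"PowerShell access to mailbox ({op})")
    return hits

def scan(jsonl: str) -> dict[str, list[str]]:
    """Map record Id -> findings for each line of an AuditData export that trips a check."""
    findings = {}
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        if hits := classify(rec):
            findings[rec["Id"]] = hits
    return findings

# Constructed sample export, one AuditData object per line; IDs, users and domain are made up.
SAMPLE_EXPORT = """
{"Id": "r1", "Operation": "Set federation settings on domain.", "UserId": "admin@contoso.example", "ObjectId": "contoso.example"}
{"Id": "r2", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0"}, {"Name": "UserAuthenticationMethod", "Value": "16457"}]}
{"Id": "r3", "Operation": "UserLoginFailed", "UserId": "bob@contoso.example", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Microsoft WinRM Client"}]}
{"Id": "r4", "Operation": "MailItemsAccessed", "UserId": "carol@contoso.example", "ClientInfoString": "Client=Microsoft Exchange Management PowerShell", "AppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b"}
"""
```

Each finding is a lead for the incident responder to pull the full record and surrounding sign-in activity, not a verdict on its own.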