The Cybersecurity and Infrastructure Security Agency (CISA) has created a free tool to identify unusual activity that could have potentially malicious repercussions that could threaten users and applications in an Azure/Microsoft O365 environment.
This tool, Sparrow.ps1 has been developed with the intention for use by incident responders and is highly focused on activities that are specifically related to the recent authentication-based attacks that have been running riot in several sectors.
How does the tool work?
CISA’s Cloud Forensics team’s brainchild, Sparrow.ps1, helps to identify suspected compromised accounts and applications in the Azure/Microsoft O365 environment.
The main intention is to narrow a large set of data and focus on the available investigation modules and telemetry to those accounts that have targeted in the recent attacks.
Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/Microsoft O365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.
A few AzureAD/m365 permissions are required to run Sparrow.ps1, and provide it read-only access to the Tenant.
- Azure Active Directory:
- Security Reader
- Security and Compliance Center:
- Compliance Adminstrator
- Exchange Online Admin Center: Utilize a custom group for these specific permissions:
- Mail Recipients
- Security Group Creation and Membership
- User options
- View-Only Audit log
- View-Only Configuration
- View-Only Recipients
To check for the MailItemsAccessed Operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.
The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.
It is highly recommended that all Azure and Microsoft O365 admins are aware of the recent attacks at Microsoft and learn how to spot any suspicious and potentially malicious behavior in their tenants.