Friday, March 29, 2024

CISA Releases Free Azure, Microsoft 365 Malicious Activity Detection Tool

The Cybersecurity and Infrastructure Security Agency (CISA) has created a free tool to identify unusual activity that could have potentially malicious repercussions that could threaten users and applications in an Azure/Microsoft O365 environment. 

This tool, Sparrow.ps1 has been developed with the intention for use by incident responders and is highly focused on activities that are specifically related to the recent authentication-based attacks that have been running riot in several sectors.

AWS certifications are the perfect way for you to validate your cloud expertise and highlight your in-demand skills. Organizations today need effective and innovative professionals who can take on cloud initiatives. Thankfully, AWS offers a wide range of certifications based on specialty and roles that have been designed to empower you to meet your goals. The role-based certifications are for those in Cloud Practitioner, Developer, Operations, and Architect roles and specialty certifications are for specific technical areas. These certifications can help you build credibility and confidence by validating your expertise. It is a globally recognized credential that helps organizations identify skilled professionals.

How does the tool work?

CISA’s Cloud Forensics team’s brainchild, Sparrow.ps1, helps to identify suspected compromised accounts and applications in the Azure/Microsoft O365 environment.

The main intention is to narrow a large set of data and focus on the available investigation modules and telemetry to those accounts that have targeted in the recent attacks.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/Microsoft O365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.

System Requirement

A few AzureAD/m365 permissions are required to run Sparrow.ps1, and provide it read-only access to the Tenant.

  • Azure Active Directory:
    • Security Reader
  • Security and Compliance Center:
    • Compliance Adminstrator
  • Exchange Online Admin Center: Utilize a custom group for these specific permissions:
    • Mail Recipients
    • Security Group Creation and Membership
    • User options
    • View-Only Audit log
    • View-Only Configuration
    • View-Only Recipients

To check for the MailItemsAccessed Operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.

Installation

The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.

Conclusion

It is highly recommended that all Azure and Microsoft O365 admins are aware of the recent attacks at Microsoft and learn how to spot any suspicious and potentially malicious behavior in their tenants.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles