
The Cybersecurity and Infrastructure Security Agency (CISA) recently released a PowerShell-based tool to help organizations detect compromised accounts and applications in Microsoft Azure and 365.
Following the SolarWinds attack in late 2020, which used malicious SolarWinds files that could have given nation-states access to networks, Microsoft outlined the complex techniques used as part of the attack.
The attack involved compromising a network through malicious code in the SolarWinds Orion product. It allowed the attacker to elevate privileges and get access to an organization’s trusted SAML token-signing certificate. Security Assertion Markup Language (SAML) is an open standard that facilitates user logon to on-premises and cloud services. The attacker could then forge SAML tokens to impersonate the organization’s existing users, including privileged accounts.
An attacker could access any resources trusted by an organization’s SAML token signing certificates. And because a signing certificate is the basis on which federated trust relationships are formed, service providers like Microsoft Azure might not detect forged tokens.
Microsoft says that the built-in security and monitoring features in its cloud were able to detect anomalies in SAML authentication, and that Microsoft Defender malware definitions have been updated to detect the malicious SolarWinds files.
The CISA PowerShell tool is designed to detect unusual activity that might impact a Microsoft 365 or Azure environment.
“CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.”
The tool (sparrow.ps1) is available for free on GitHub. It can be used by incident responders to narrow the scope of user and application activity that might indicate authentication-based attacks. The tool checks the unified audit log in Azure for indicators of compromise, lists Azure AD domains, and checks Azure service principals and related Microsoft Graph API permissions to alert incident responders of potentially malicious activity.
Not to be left out, CrowdStrike has also created a PowerShell reporting tool for Azure. The tool is designed a bit differently from the CISA effort. CrowdStrike’s script is free and can be downloaded on GitHub.
The script is designed to expose information about permissions and configuration settings that are hard to find in Azure, like Mail Forwarding Rules for Remote Domains, Exchange Online PowerShell Enabled Users, and Service Principal Objects with KeyCredentials.
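The service-principal checks described for both tools above can be approximated with a short inventory query. The following is an added example, not code from sparrow.ps1 or from the CrowdStrike script; it assumes the AzureAD PowerShell module is installed and that Connect-AzureAD has already been run with a read-only directory account.

```powershell
# Added example (not CISA's or CrowdStrike's code): list service principals that
# carry certificate credentials (KeyCredentials) and show the delegated Graph/API
# permission grants each one holds, so responders can review unexpected entries.
# Assumes: AzureAD module present and Connect-AzureAD already completed.
Import-Module AzureAD -ErrorAction Stop

# Only service principals that have at least one KeyCredential are of interest here.
$spnsWithKeys = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.KeyCredentials.Count -gt 0 }

$report = foreach ($sp in $spnsWithKeys) {
    # Delegated OAuth2 permission grants held by this service principal (scopes such
    # as Mail.Read); ResourceId identifies the API (e.g. Microsoft Graph) being granted.
    $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true
    $scopes = ($grants | ForEach-Object { $_.Scope }) -join ' '

    foreach ($key in $sp.KeyCredentials) {
        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            KeyId       = $key.KeyId
            KeyType     = $key.Type
            KeyUsage    = $key.Usage
            StartDate   = $key.StartDate
            EndDate     = $key.EndDate
            GrantCount  = $grants.Count
            Scopes      = $scopes
        }
    }
}

# Newest credentials first: a certificate added recently to a long-standing
# service principal is the kind of entry worth a second look.
$report | Sort-Object StartDate -Descending | Format-Table -AutoSize
```

Review the output against your change records; a KeyCredential whose StartDate has no matching change ticket, or a service principal with broad scopes and no known owner, is a candidate for follow-up.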
The tool came about as CrowdStrike was investigating whether its own systems had been compromised as part of the SolarWinds attack. Microsoft had informed the company that an Azure reseller’s account was being used to try to read CrowdStrike emails via a compromised Azure account. The attempted breach turned out to be unsuccessful.
While these two tools have been designed to work specifically with Azure and Microsoft 365, the SAML issue that was exploited during the SolarWinds attack isn’t unique to Microsoft. SAML is widely used, and the same weakness could affect other organizations and service providers.
More from Russell Smith