New Tool To Detect Microsoft 365 Compromises

Uploaded on 2021-04-21 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. The release of the tool comes after Microsoft disclosed how cyber criminals are using stolen credentials and access tokens to target Azure customers.

Called Aviary, the new tool is a dashboard that makes it easy to visualise and analyse output from Sparrow, the compromise detection tool that was first released in December 2020. Using a Splunk-based dashboard, the newly released Aviary is meant to facilitate the analysis of output data from Sparrow.

Built by CISA to help with the detection of malicious activity like the SolarWinds attack, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments. “Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products like Solorigate and Sunburst.

“However, CISA is investigating instances in which the threat actor may have obtained initial access by Password GuessingPassword Spraying, and/or exploiting inappropriately secured administrative or service credentials instead of using the compromised SolarWinds Orion products, says the CISA in its Alert.

Sparrow was designed to help identify both accounts and applications that might have been compromised within an organisation’s Azure/M365 environment.

With Sparrow, defenders can look out for domain authentication or federation modifications, find new and modified credentials in logs, detect privilege escalation, detect OAuth consent and users’ consent to applications, identify anomalous SAML token sign-ins, and check the Graph API application permissions for service principals and apps in the environment, among others.

The tool is now available on GitHub, with additional information on how to install Aviary, after running Sparrow, included in CISA’s January announcement for the detection tool, which has been updated with instructions on using Aviary.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyber-attack on Windows operating systems within an on-premises environment. The tool examines Windows events logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

CERT CISA:       GitHub:     TechRadar:       Security Week:        HIPPA Journal:       Image: Unsplash

You Might Also Read: 

US Cyber Security To Get A Much Needed Upgrade:

 

« More Women Cyber Security Professionals Needed
Microsoft Buys Into AI Speech Recognition »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

FireEye

FireEye

FireEye delivers unmatched detection, protection and response technology through an extensible and flexible cloud-based XDR platform.

Cifas

Cifas

Cifas are leaders in fraud prevention, working closely with UK law enforcement partners.

Guardian360

Guardian360

The Guardian360 platform offers unrivalled insight into the security of your applications and IT infrastructure.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

Recovery Point Systems

Recovery Point Systems

Recovery Point is a leading national provider of IT secure and compliant infrastructure and business resilience services.

Exponential-e

Exponential-e

Exponential-e provide Cloud and Unified Communications services and world-class Managed IT Services including Cybersecurity.

Cryptika

Cryptika

Cryptika is a fully integrated IT security and managed services provider, specialized in Next-Generation Cyber Security Technologies.

e5 Lab

e5 Lab

e5 Lab seeks to develop solutions to challenges faced by the shipping industry including digital transformation, autonomous technologies and big data in order to promote safe and efficient operations.

Lucidum

Lucidum

The Lucidum platform helps you assess risk and mitigate vulnerabilities by finding and correlating data from your security tech stack.

Trustifi

Trustifi

Trustifi leads the market with the easiest to use and deploy email security products, providing both inbound and outbound email security from a single vendor.

MoogleLabs

MoogleLabs

MoogleLabs leverage AI/ML, Blockchain, DevOps, and Data Science to come up with the best solutions for diverse businesses.

Halogen Group

Halogen Group

Halogen Group is the leading Security Solutions Provider in West Africa. Services encompass Physical Security, Electronic Security, Virtual & Cyber Security, Risk Assessments and Training.

Harbor Networks

Harbor Networks

Harbor Networks is a communications systems integrator and managed services provider. We provide business consultation services for voice and data communication technology.

Binalyze

Binalyze

Binalyze is the world's fastest and most comprehensive enterprise forensics solution. Our software helps you to collaborate and complete incident response investigations quickly.

Castlepoint Systems

Castlepoint Systems

Castlepoint Systems is a pioneer in information governance, risk and compliance as a service. An all-in-one solution offering powerful risk management, built in compliance, cybersecurity and audit.

Scality

Scality

Scality storage unifies data management from edge to core to cloud. Our market-leading file and object storage software protects data on-premises and in hybrid and multi-cloud environments.