New Tool To Detect Microsoft 365 Compromises

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. The release of the tool comes after Microsoft disclosed how cyber criminals are using stolen credentials and access tokens to target Azure customers.

Called Aviary, the new tool is a Splunk-based dashboard that makes it easy to visualise and analyse the output of Sparrow, the compromise detection tool CISA first released in December 2020.

Built by CISA to help with the detection of malicious activity like the SolarWinds attack, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments. “Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products like Solorigate and Sunburst.

“However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing, Password Spraying, and/or exploiting inappropriately secured administrative or service credentials instead of using the compromised SolarWinds Orion products,” says CISA in its Alert.

Sparrow was designed to help identify both accounts and applications that might have been compromised within an organisation’s Azure/M365 environment.

With Sparrow, defenders can look out for domain authentication or federation modifications, find new and modified credentials in logs, detect privilege escalation, detect OAuth consent and users’ consent to applications, identify anomalous SAML token sign-ins, and check the Graph API application permissions for service principals and apps in the environment, among others.
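As an added illustration of the audit-log hunting the paragraph describes (this is example code, not part of the article and not CISA's Sparrow script), the Python below triages constructed Azure AD/M365 unified audit log records and flags domain authentication or federation changes, new service principal credentials and OAuth consent grants. The operation strings are assumed to follow the unified audit log's naming, and the records are constructed for the example.

```python
import json
from collections import defaultdict

# Operation names assumed to match the M365 unified audit log convention,
# each mapped to the detection class the article lists for Sparrow.
WATCHED_OPERATIONS = {
    "Set federation settings on domain.": "domain federation modification",
    "Set domain authentication.": "domain authentication modification",
    "Add service principal credentials.": "new service principal credential",
    "Consent to application.": "OAuth consent granted",
}

# Constructed sample export (JSON lines); not real log data.
SAMPLE_LOG = """
{"CreationTime":"2021-04-01T10:02:11","Operation":"UserLoggedIn","UserId":"alice@example.test","ResultStatus":"Success"}
{"CreationTime":"2021-04-01T10:15:40","Operation":"Set federation settings on domain.","UserId":"svc-admin@example.test","ResultStatus":"Success","ObjectId":"example.test"}
{"CreationTime":"2021-04-01T10:16:05","Operation":"Add service principal credentials.","UserId":"svc-admin@example.test","ResultStatus":"Success","ObjectId":"ServicePrincipal_1234"}
{"CreationTime":"2021-04-01T11:30:00","Operation":"Consent to application.","UserId":"bob@example.test","ResultStatus":"Success","ObjectId":"MailReaderApp"}
{"CreationTime":"2021-04-01T11:31:00","Operation":"Add service principal credentials.","UserId":"svc-admin@example.test","ResultStatus":"Failure","ObjectId":"ServicePrincipal_1234"}
"""

def parse_records(text):
    """Parse a JSON-lines audit export, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def triage(records):
    """Group watched operations by actor. Failed attempts are kept and marked
    'attempted' so a burst of failed credential additions stays visible."""
    findings = defaultdict(list)
    for rec in records:
        category = WATCHED_OPERATIONS.get(rec.get("Operation"))
        if category is None:
            continue  # routine operation (e.g. a normal sign-in)
        status = "confirmed" if rec.get("ResultStatus") == "Success" else "attempted"
        findings[rec.get("UserId", "<unknown>")].append({
            "time": rec.get("CreationTime"),
            "category": category,
            "target": rec.get("ObjectId"),
            "status": status,
        })
    return dict(findings)
```

Running `triage(parse_records(SAMPLE_LOG))` on the constructed data attributes three watched operations (one of them a failed attempt) to `svc-admin@example.test` and one consent grant to `bob@example.test`, while the ordinary sign-in is ignored.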

Aviary is now available on GitHub. Instructions on installing it after running Sparrow have been added to CISA’s January announcement of the detection tool.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyber-attack on Windows operating systems within an on-premises environment. The tool examines Windows event logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

Sources: CERT CISA, GitHub, TechRadar, Security Week, HIPAA Journal. Image: Unsplash
