New Tool To Detect Microsoft 365 Compromises

Uploaded on 2021-04-21 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. The release of the tool comes after Microsoft disclosed how cyber criminals are using stolen credentials and access tokens to target Azure customers.

Called Aviary, the new tool is a dashboard that makes it easy to visualise and analyse output from Sparrow, the compromise detection tool that was first released in December 2020. Using a Splunk-based dashboard, the newly released Aviary is meant to facilitate the analysis of output data from Sparrow.

Built by CISA to help with the detection of malicious activity like the SolarWinds attack, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments. “Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products like Solorigate and Sunburst.

“However, CISA is investigating instances in which the threat actor may have obtained initial access by Password GuessingPassword Spraying, and/or exploiting inappropriately secured administrative or service credentials instead of using the compromised SolarWinds Orion products, says the CISA in its Alert.

Sparrow was designed to help identify both accounts and applications that might have been compromised within an organisation’s Azure/M365 environment.

With Sparrow, defenders can look out for domain authentication or federation modifications, find new and modified credentials in logs, detect privilege escalation, detect OAuth consent and users’ consent to applications, identify anomalous SAML token sign-ins, and check the Graph API application permissions for service principals and apps in the environment, among others.

The tool is now available on GitHub, with additional information on how to install Aviary, after running Sparrow, included in CISA’s January announcement for the detection tool, which has been updated with instructions on using Aviary.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyber-attack on Windows operating systems within an on-premises environment. The tool examines Windows events logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

CERT CISA:       GitHub:     TechRadar:       Security Week:        HIPPA Journal:       Image: Unsplash

You Might Also Read: 

US Cyber Security To Get A Much Needed Upgrade:

 

« More Women Cyber Security Professionals Needed
Microsoft Buys Into AI Speech Recognition »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Veeam

Veeam

Veeam is the leader in intelligent data management for the Hyper-Available Enterprise.

Cyber Together

Cyber Together

Cyber Together is dedicated to advancing the cyber security industry by giving businesses access to Israel’s leaders, innovators and great minds in the field of cyber security.

NTOP

NTOP

NTOP develop high-quality network traffic analysis and DDoS protection software used by small individuals as well by large telecom operators.

Synack

Synack

Synack provides a hacker-powered intelligence platform that uncovers security vulnerabilities that often remain undetected by traditional pen testers and scanners.

Cyversity

Cyversity

Cyversity's mission (formerly ICMCP) is the consistent representation of women and underrepresented minorities in the cybersecurity industry.

UltraSoC Technologies

UltraSoC Technologies

WisePlant

WisePlant

WisePlant's portfolio of solutions and services includes process measurement, secure automation, industrial cybersecurity, functional safety and more.

Qrator Labs

Qrator Labs

Qrator Labs is a leader in DDoS attack mitigation, helping organizations protect their websites from the most harmful, sophisticated DDoS attacks.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Sovrin Foundation

Sovrin Foundation

The Sovrin Foundation is a private-sector, international non-profit that was established to govern the world's first self-sovereign identity (SSI) network.

MindWise

MindWise

MindWise is a comprehensive global threat monitoring solution with implementations for fraud prevention and enterprise threat intelligence.

Zenity

Zenity

Zenity is the first and only security governance platform for low-code/no-code applications.

IGI Cybersecurity

IGI Cybersecurity

IGI Cybersecurity delivers people-driven cybersecurity for personalized, resilient cyber defense focused on individualized strategy and unshakeable partnership.

Strivacity

Strivacity

Strivacity lets brands quickly add secure login and identity management capabilities to their customer-facing applications without tying up an army of developers or consultants to do it.

Myntex

Myntex

Myntex® builds the future of mobile security. We empower our partners to deliver exclusive mobile endpoint security software, fortifying against mobile threats, device exploits and data exfiltration.

Aquia

Aquia

Aquia are on a mission to enable innovation and drive transformative change to solve the world’s most pressing and complex cybersecurity challenges.