New Tool To Detect Microsoft 365 Compromises

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments. The release of the tool comes after Microsoft disclosed how cyber criminals are using stolen credentials and access tokens to target Azure customers.

Called Aviary, the new tool is a dashboard that makes it easy to visualise and analyse output from Sparrow, the compromise detection tool that was first released in December 2020. Using a Splunk-based dashboard, the newly released Aviary is meant to facilitate the analysis of output data from Sparrow.

Built by CISA to help with the detection of malicious activity like the SolarWinds attack, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments. “Frequently, CISA has observed the APT actor gaining Initial Access to victims’ enterprise networks via compromised SolarWinds Orion products like Solorigate and Sunburst.

“However, CISA is investigating instances in which the threat actor may have obtained initial access by Password GuessingPassword Spraying, and/or exploiting inappropriately secured administrative or service credentials instead of using the compromised SolarWinds Orion products, says the CISA in its Alert.

Sparrow was designed to help identify both accounts and applications that might have been compromised within an organisation’s Azure/M365 environment.

With Sparrow, defenders can look out for domain authentication or federation modifications, find new and modified credentials in logs, detect privilege escalation, detect OAuth consent and users’ consent to applications, identify anomalous SAML token sign-ins, and check the Graph API application permissions for service principals and apps in the environment, among others.

The tool is now available on GitHub, with additional information on how to install Aviary, after running Sparrow, included in CISA’s January announcement for the detection tool, which has been updated with instructions on using Aviary.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyber-attack on Windows operating systems within an on-premises environment. The tool examines Windows events logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

CERT CISA:       GitHub:     TechRadar:       Security Week:        HIPPA Journal:       Image: Unsplash

You Might Also Read: 

US Cyber Security To Get A Much Needed Upgrade:

 

« More Women Cyber Security Professionals Needed
Microsoft Buys Into AI Speech Recognition »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Berkman Klein Center for Internet & Society

Berkman Klein Center for Internet & Society

The Berkman Klein Center for Internet & Society is a research center at Harvard University that focuses on the study of cyberspace.

Advisen

Advisen

Advisen is the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market including cyber risk.

CyberOwl

CyberOwl

CyberOwl builds on cutting-edge research and combines decades of experience in developing, securing and operating large distributed systems.

SCADAfence

SCADAfence

SCADAfence offers cutting edge cybersecurity solutions designed to ensure the operational continuity of industrial (ICS/SCADA) networks.

Avansic

Avansic

Avansic is a leading provider of e-discovery and digital forensics services to attorneys, litigation support teams, and business communities.

Infopulse

Infopulse

Infopulse is a global provider of Software Engineering, Cloud & IT Infrastructure Management, and Cybersecurity services.

Ashley Page

Ashley Page

Ashley Page offer a unique cyber insurance and risk management solution - Cyber+Insure.

WWPass

WWPass

WWPass is a global cybersecurity company that provides password-less authentication and client-side encryption technology.

GB Group (GBG)

GB Group (GBG)

GBG is a global technology specialist in fraud, location and identity data intelligence.

ACA Compliance Group

ACA Compliance Group

ACA Compliance Group (ACA) is a leading global provider of governance, risk, and compliance advisory services and technology solutions.

Vumetric Cybersecurity

Vumetric Cybersecurity

Vumetric is an ISO9001 certified company offering penetration testing, IT security audits and specialized cybersecurity services.

CyberGuard Technologies

CyberGuard Technologies

CyberGuard Technologies provides a suite of fully managed end-to-end security services from its 24/7 UK security operations centre.

N-able

N-able

N-Able deliver simple and sophisticated monitoring, security, and business solutions that empower you to solve your toughest IT challenges.

CommandK

CommandK

CommandK provides companies with infrastructure to protect their sensitive data. Built-in solutions to prevent data-leaks and simplify governance.

V2X

V2X

V2X delivers IT support, networking, and cybersecurity solutions that ensure optimal mission support and performance.

Afripol

Afripol

AFRIPOL was set up to strengthen cooperation between the police agencies of AU member states in the prevention and fight against organized transnational crime, terrorism, and cybercrime.