The Cybersecurity and Infrastructure Security Agency (CISA) has released a detection tool to identify unusual or malicious activity in an Azure/Microsoft O365 environment. The agency stated that the free detection tool, dubbed Sparrow, was created in response to the recent identity and authentication-based attacks targeting Azure users.
How Does Sparrow Work?
Sparrow is a PowerShell-based tool created by CISA’s Cloud Forensics team to help Azure administrators find compromised Azure accounts and applications. Sparrow detects unusual intrusions and anomalies by checking the unified Azure/M365 audit log for indicators of compromise (IoCs), listing Azure AD domains, and checking Azure service principals and their Microsoft Graph API permissions.
“The tool is intended for use by incident responders and focuses on the narrow scope of user and application activity endemic to identity and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data and is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications,” CISA said.
Once installed, the Sparrow detection tool runs a set of checks against the tenant’s audit logs and Azure AD configuration. These include:
- Searches for any modifications to the domain and federation settings on a tenant’s domain.
- Searches for any modifications, including credential modifications, to an application.
- Searches for any modifications, including credential modifications, to a service principal.
- Searches for any app role assignments to service principals, users, and groups.
- Searches for any OAuth or application consents.
- Searches for SAML token usage anomalies (User Authentication Value of 16457) in the Unified Audit Logs.
- Searches for PowerShell logins into mailboxes.
- Searches for the well-known AppID for Exchange Online PowerShell.
- Searches for the well-known AppID for PowerShell.
- Searches for the AppID to see if it accessed mail items.
- Searches for the AppID to see if it accessed SharePoint or OneDrive items.
- Searches for the WinRM user-agent string in UserLoggedIn and UserLoginFailed operations.
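As an added illustration (not Sparrow's own code), the following Python sketches three of the checks from the list above, run over a handful of constructed Unified Audit Log records. The AuditData field names it reads (ExtendedProperties, UserAuthenticationMethod, UserAgent, ClientInfoString) are assumptions modelled on the audit log export format; only the 16457 value and the operation names come from the page.

```python
import json
from typing import Dict, Iterable, List

# Field names below are assumptions modelled on the Unified Audit Log's
# AuditData JSON; the indicator values come from the page's Sparrow checklist.
SAML_ANOMALY_AUTH_METHOD = "16457"
LOGIN_OPERATIONS = {"UserLoggedIn", "UserLoginFailed"}

def _ext(props, name):
    """Look up one entry of an ExtendedProperties list; None if absent."""
    for prop in props or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None

def classify(record: dict) -> List[str]:
    """Return the Sparrow-style indicators a single audit record matches."""
    hits = []
    op = record.get("Operation", "")
    props = record.get("ExtendedProperties")
    if op in LOGIN_OPERATIONS:
        # SAML token usage anomaly: authentication method 16457 on a sign-in
        if str(_ext(props, "UserAuthenticationMethod")) == SAML_ANOMALY_AUTH_METHOD:
            hits.append("saml-token-anomaly-16457")
        # WinRM user agent on a UserLoggedIn / UserLoginFailed event
        if "winrm" in (_ext(props, "UserAgent") or "").lower():
            hits.append("winrm-user-agent")
    # PowerShell login into a mailbox
    if op == "MailboxLogin" and "powershell" in record.get("ClientInfoString", "").lower():
        hits.append("powershell-mailbox-login")
    return hits

def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each indicator to the 'user from ip' records that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            for tag in classify(rec):
                findings.setdefault(tag, []).append(f"{rec.get('UserId')} from {rec.get('ClientIP')}")
    return findings

# Constructed sample records (one JSON object per line), not real tenant data.
SAMPLE_LOG = """
{"Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.5","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"},{"Name":"UserAuthenticationMethod","Value":"16457"}]}
{"Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.7","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0"},{"Name":"UserAuthenticationMethod","Value":"1"}]}
{"Operation":"UserLoginFailed","UserId":"carol@example.com","ClientIP":"198.51.100.9","ExtendedProperties":[{"Name":"UserAgent","Value":"Microsoft WinRM Client"},{"Name":"UserAuthenticationMethod","Value":"1"}]}
{"Operation":"MailboxLogin","UserId":"dave@example.com","ClientIP":"192.0.2.4","ClientInfoString":"Client=PowerShell"}
"""
```

Calling `triage(SAMPLE_LOG.splitlines())` groups the flagged sign-ins by indicator, which is the same narrowing Sparrow performs before an analyst reviews the hits; a benign record such as bob's produces no entry.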
There are no extra steps required to install Sparrow. However, CISA said, “The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.”
The required PowerShell modules include:
CISA strongly recommends that all Azure and Microsoft O365 admins learn how to spot suspicious activity using the Sparrow detection tool.