Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
Because of the growing popularity and adoption of cloud computing including software-as-a-service (SaaS) applications amongst consumers and organizations, there has been an increasing number of attacks involving Microsoft Office 365 and the Azure Active Directory environment, stemming from phishing attacks, business email compromise, supply-chain attacks and more.
In January 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert, warning the public that the advanced persistent threat (APT) actors behind the SolarWinds attack are leveraging attack vectors such as credential stuffing, brute-force attacks and more to gain access to organizations’ cloud resources.
To this effect, CISA has developed a free tool — Sparrow — which can be used to detect malicious activities in an Azure/Microsoft Office 365 environment.
Learn Incident Response
What is Sparrow.ps1?
Sparrow is a PowerShell tool developed by CISA’s Cloud Forensics team to detect malicious activities such as possibly compromised accounts and applications in the Azure or Microsoft Office 365 environment. The tool was developed due to the increased number of identity and authentication-based attacks on Azure and Microsoft Office 365 detected in multiple sectors recently.
The tool can be used by network security analysts and incident responders and is focused on modules that are specific to recent attacks on federated identity sources and applications. It works identifying indicators of compromise (IoCs) associated with the recent attacks
The tool which was made available for public use can be found on CISA’s GitHub page.
How does Sparrow.ps1 work?
When deployed, Sparrow will do the following:
- Check and install the required PowerShell modules (ExchangeOnlineManagement, AzureAD and MSOnline).
- Check the unified audit logs in Azure and Microsoft Office 365 for certain IoCs.
- List Azure AD domains.
- Check Azure service principles and their Microsoft Graph API permissions to identify potentially malicious activities.
Sparrow can be used for the following:
- Detect modifications to the domain and federation settings on the tenant’s Azure AD domains.
- Detect modifications of service principles and application credentials by creating a timeline for all credential changes.
- Detect privilege escalation such as elevating the privileges/permissions of service principles, user or group.
- Detect OAuth’s consent and users’ consent to applications.
- Identify anomalous Security Assertion Markup Language (SAML) token sign-ins in the unified audit log (filtering on user authentication value = 16457).
- Review the PowerShell logs (focusing on mailbox sign-ins and PowerShell usage) exported by Sparrow.
- Review the Graph API application permissions of all service principles and applications.
- Review MailItemsAccessed for application IDs used in accessing users’ mailboxes.
Sparrow requirements
Before installing and running Sparrow in your Microsoft O365 and Azure environment, you need the following permissions:
- Azure Active Directory — security reader
- Security and Compliance Center — compliance administrator
- Exchange Online Admin Center: You need a create a custom group with these specific permissions:
- Mail recipients
- Security group creation and membership
- User options
- View-only audit log
- View-only configuration
- View-only recipients
To be able to check MailItemsAccessed, your tenant needs to have an Office 365 or Microsoft 365 E5/G5 license.
Unified audit logs need to be enabled.
Learn Incident Response
Sparrow: Practical applications
After deploying Sparrow in your IT environment, you should do the following:
- Audit the creation, use and modifications of service principles and applications by looking for unusual application usage or assignment of credentials to applications that allow non-interactive sign-in by the application.
- Look for unexpected trust relationships that have been added to Azure AD (including non-interactive sign-ins).
- Audit login details of administrative accounts (including unusual sign-in locations, dates, times, number of attempts and others).
- Review unauthorized changes to token validation periods (especially those with high values).
- Review OAuth consents and consents made to applications.
- Review instances of excessive-high permissions including but not limited to Exchange Online, Microsoft Graph and Azure AD Graph.
- Identify manipulation of custom or third-party applications in the Azure tenant.
- Review permissions of application in Microsoft O365 and Azure AD.
Sources
CISA Gov, GitHub
CISA, Alert (AA21-008A)