Tuesday, December 29, 2020

CISA Sparrow - Looking for Indicators of Compromise in Azure/M365


The US Cybersecurity and Infrastructure Security Agency (CISA) gave Azure/M365 admins a late December present: Sparrow (GitHub - cisagov/Sparrow).  Its purpose is to look for known Advanced Persistent Threat indicators in Azure/Microsoft 365.

Here is a bit of background looking at what the script does and does not do.  I will leave out analysis of the code used, as it may evolve.  Please look at the source on GitHub.

Sparrow.ps1 looks primarily at AzureAD Service Principals of type: Application and MS Graph and at the Unified Audit Log.

If you have a suspect Azure AppID, and you have M365 E5/G5 (or a plan that tracks the MailItemsAccessed operation in the Unified Audit Log) this AppID can be supplied, and an export of the mail items accessed by the suspect AppID will be logged as an operation within this script.

What is this script checking?

Sparrow.ps1 is looking for the top 5000 results in the following areas of the Unified Audit Log (UAL):

VERBOSE: Searching for 'Set domain authentication' and 'Set federation settings on domain' operations in the UAL.
VERBOSE: Searching for 'Update application' and 'Update application ? Certificates and secrets management' in the UAL.
VERBOSE: Searching for 'Update service principal' and 'Add service principal credentials' in the UAL.
VERBOSE: Searching for 'Add app role assignment to service principal', 'Add app role assignment grant to user', and
'Add app role assignment to group' in the UAL.
VERBOSE: Searching for 'Add OAuth2PermissionGrant' and 'Consent to application' in the UAL.
VERBOSE: Searching for 16457 in UserLoggedIn and UserLoginFailed operations in the UAL.
VERBOSE: Searching for PowerShell logins into mailboxes in the UAL.
VERBOSE: Searching for PowerShell logins using known PS application ids in the UAL.

What is Sparrow.ps1 NOT checking?

Sparrow is not looking at your tenant configuration or Exchange Client Access configuration.  Nor is it making any analysis of your Allow/Block Lists in Exchange Online Protection.  I recommend a few links on these areas:

Mailbox audit logging is enabled by default for mailboxes as of January 2019.  You may need to enable it per mailbox for older mailboxes. Manage mailbox auditing - Microsoft 365 Compliance | Microsoft Docs

Reviewing Sparrow Output

Depending on the size of your tenant, the top 5000 results is going to generate a LOT of info to comb through.  I am not a CyberSecurity guy, so I am not going to attempt to rank these Indicators of Compromise by severity.  Suffice to say that some of these are standard operations in AzureAD and are of lesser concern.
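One way to cut the output down before reading it row by row is to count events per operation and actor. This is an added example, not code from Sparrow or CISA; the function name Get-UalSummary, the sample rows and every value in them are constructed, and the row shape (CreationDate, UserIds, Operations, AuditData as a JSON string) is assumed to match what Search-UnifiedAuditLog returns.

```powershell
# Added example. $sample is constructed data shaped like Search-UnifiedAuditLog
# rows; with real data, feed in one search's rows (for example via Import-Csv).
$sample = @(
    [pscustomobject]@{ CreationDate = '2020-12-20T10:01:00'; UserIds = 'admin@contoso.example'
        Operations = 'Add service principal credentials'
        AuditData  = '{"ObjectId":"sp-placeholder-1","ResultStatus":"Success"}' }
    [pscustomobject]@{ CreationDate = '2020-12-21T08:30:00'; UserIds = 'admin@contoso.example'
        Operations = 'Add service principal credentials'
        AuditData  = '{"ObjectId":"sp-placeholder-2","ResultStatus":"Success"}' }
    [pscustomobject]@{ CreationDate = '2020-12-22T14:05:00'; UserIds = 'helpdesk@contoso.example'
        Operations = 'Consent to application'
        AuditData  = '{"ObjectId":"app-placeholder-1","ResultStatus":"Success"}' }
    [pscustomobject]@{ CreationDate = '2020-12-22T14:09:00'; UserIds = 'helpdesk@contoso.example'
        Operations = 'Consent to application'
        AuditData  = '{truncated' }   # malformed on purpose
)

function Get-UalSummary {
    param([Parameter(Mandatory)][object[]]$Records, [int]$Cap = 5000)
    # A result set that reaches the top-5000 cap may be missing events.
    if ($Records.Count -ge $Cap) {
        Write-Warning "Result set reached the cap of $Cap rows; narrow the date range and re-run."
    }
    $rows = foreach ($r in $Records) {
        # AuditData is JSON in a string; keep rows that fail to parse, marked as such.
        try   { $d = $r.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { $d = $null }
        [pscustomobject]@{
            When      = [datetime]$r.CreationDate
            Actor     = $r.UserIds
            Operation = $r.Operations
            ObjectId  = if ($d) { $d.ObjectId } else { '<unparsed>' }
        }
    }
    $rows | Group-Object Operation, Actor | ForEach-Object {
        $times = @($_.Group.When | Sort-Object)
        [pscustomobject]@{
            Operation = $_.Group[0].Operation
            Actor     = $_.Group[0].Actor
            Events    = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Objects   = @($_.Group.ObjectId | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Events -Descending
}

Get-UalSummary -Records $sample | Format-Table -AutoSize
```

The summary only counts and dates events; it does not rank them, so routine Azure AD operations still need to be recognized by someone who knows the tenant.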

Wednesday, August 19, 2020

EVE Echoes Fleet Operations

  1. Creating a Fleet
  2. Adding players
    1. Inviting Others
    2. Join a Fleet
    3. Select a Commander
    4. Deputies
  3. Encounters and Bounties
  4. Assigning Commands
  5. Setting Fleet Actions

1. Create a Fleet 

From the Main Menu, tap the Fleet icon at the bottom.  Tap Create Fleet.  Invite seems to only work Locally or Regionally.  Friends and Corporate filters do nothing (for me, at the time of this writing).

Alternatively, create a fleet on an ad-hoc basis by tapping on another player and getting into their Contact Card.  Select the Team Up option to instantly create a fleet with someone.

2. Adding Players

Inviting others:

I think the best way is to tap on a player from chat or contacts, and Team Up with them.  If they're already in another Fleet, this will fail and give you a message.  If not, they will receive a fleet invite notification on-screen.

Join a Fleet:

From the Fleet screen, there is a Find feature.  Go find some randos.

Select a Commander:

If you haven't gained familiarity with Fleet Operations, then you can assign another member as Commander and make them do all the work.


Deputies:

I don't have a firm handle on what roles and permissions come with being a Deputy.  Needs more info and testing.  I think they can set Commands but not Fleet Actions.

3. Encounters and Bounties:

Encounters are a good way to get specific tier missions with dedicated Cosmic Anomalies (not publicly accessible).  As long as the bounties are shared by all fleet members (seems this is currently bugged), decent profits are to be had by all.  Regular Cosmic Anomalies in systems are also good to attack as a group (and definitely keep an eye out for Scout and Inquisitor Anomalies!).  

4. Assigning Commands:

Commands are available in the left-hand menu that appears when you are in a Fleet, regardless of your position within the fleet.  

Fleet Commands (left)

Two Locate Commands: 

Located Here - Sends a ping to members.  If they accept, they will travel to the location broadcast.
Stand by - I dunno.  Haven't used it yet. 

Two Help Commands:

Repair Required 
Capacitor Required 

5. Setting Fleet Actions:

A Fleet Commander gets extra Fleet Command actions when tapping on locations in the Navigation menu (the right-side menu where you toggle between Ships/Mining/Stations, etc.)  This is the good stuff.  This is what makes a fleet a cohesive group.  

DO: Use Fleet Commands to move as a group.
DON'T: Spam Locate Here commands to get people to try to catch up.


Movement Between Systems

For a multi-jump route, Fleet Commander should plot it out on Autopilot, but do not engage.  With the course plotted, Stargates turn yellow as they are on the route.  

Route Set - Gate Highlighted

Move to systems in a route:
Find the next Stargate on your route. Tap it.
Tap Fleet Command.
Tap Jump Fleet.

Your Fleet will now perform a coordinated jump to the next system.  Repeat this for a multi-hop route.

Coordinating Movements In-System

Now that we can get across systems, what do we do when we get there?

Similar to Jump Fleet, you can Warp Fleet to points of interest in the Navigation Menu.  This will very helpfully drop fleet members into an Anomaly or Mining instance at the same time.

Warp Fleet

Friday, July 17, 2020

Skype for Business Online sessions now available through Teams PowerShell Module

The June 2020 preview (but generally available) update to the Microsoft Teams PowerShell module allows creation of SFB Online sessions, without the Windows-specific binaries.  Short version: no more SFB Online Module install requirements, and now the session is available cross-platform!

First, it is recommended to remove any prior versions of the MicrosoftTeams module, as well as SFB Online if you had it.  This article will use Azure Cloud Shell, which works in a web browser.

Azure Shell: Clean up installed modules.

Normally available via https://shell.azure.com, or by clicking the Cloud Shell button in the title bar of https://portal.azure.com.

Remove all instances of the MS Teams module; we will need a specific public preview release to get going with SFBO sessions.  (Not needed if you are starting from scratch with no prior SFBO/Teams modules.)

Uninstall-Module MicrosoftTeams -AllVersions -Force

Get current Teams module installed

Install June 2020 Preview release of Microsoft Teams module from https://www.powershellgallery.com/api/v2 (this is a default source if PSGet is installed)

Install-Module MicrosoftTeams -RequiredVersion 1.1.3-Preview -AllowPrerelease 

Import-Module MicrosoftTeams

Create a session for SFBO and then connect to it

$sfbsession = New-CsOnlineSession

Cloud Shell/Mac/other non-Windows: This login will prompt the "device based login" Modern Authentication experience:

Import-PSSession $sfbsession -AllowClobber

Tada - we have an SFBOnline session, with the expected cmdlets available and functioning:

Friday, May 22, 2020

X4: Foundations Boarding (3.20 Beta)

Boarding in X4 is a bit of an arcane subject.  Start with the basics.

  • Target shields will not affect boarding.  (They had to be under 5% in X3 otherwise marines died on the hull.)
  • Surface Elements (engines and turrets in particular) contribute to Target Combat Effectiveness, which is the deciding factor when configuring the Approach phase of boarding.
  • DO remove turrets and engines.  Target will attempt to repair, dispatch any repair or defense drones, as well as lasertowers or other hostiles.
  • DO practice on pirates in otherwise friendly territory.  I have not graduated to "hot" boarding ops in unfriendly sectors.  (I did take a PAR Odysseus in ZYA space, with a decent reputation hit.)
  • Hull strength can be 100%, but this directly contributes to how much time the Infiltration phase takes.  80% seems to be a good point for quicker breach.


Attacking ship - Small and fast with a punch is a good mix.  I like any fighter with Plasma cannons, or an M- class with decent frontal weaponry.  Small and fast is good for avoiding big ship defenses.  Plasma packs a punch to get rid of surface elements.

Target Selection - I like the Split Rattlesnake Destroyer (L), and 92 marines are cheaper than shipyard prices.  Plus, there is a Pirate-ish faction that flies the Rattlesnake, Fallen Families (FAF).  These are military ships and tend to have a complement of decent-skilled Marines.  It will be a meat grinder.

Scan your target - This will show you the makeup of the crew, and total number of crew on the ship.  Service crew are squishy and don't contribute much defense.  Marines will be much stronger resistance.

Marine Prep - Assemble a large squad of marines.  You will need some good ones, and a lot of Recruits, but plan on sending the max capacity of the target.  Fast ships are NOT necessary, as long as you can completely disable your target.

Disable Target - I go for engines first.  Engines are normally in a defensive blind spot.  Start there, and move on to Turrets.  I tend to leave Shield modules intact unless they are preventing me from taking out turrets.

Marine Approach - Order your ships carrying marines to close in on the target.  DO NOT assign the Board order from long distance.  Ships will close distance by Boosting, which is just dumb.  Fly To orders will use Travel Drive.  Do both!  Set Fly To orders, then Board orders directly afterward.

Keep Target Disabled - Prolonged attacks are not necessary.  The target will very slowly attempt to repair engines for escape, and may drop defense drones, lasertowers, and repair drones to avoid your attack.

Once all pods have arrived at the target ship, the operation goes into the Infiltration phase (cutting through the hull).  Screenshot:

Here I had a number of ships selected in a single Board command, so they are all on the roster.  Each one had a different makeup of Marines.  Upon scanning my target, I found it had 25 Marines (2-3.5 stars each) and 30 crew.  My marines didn't even get to 2 stars, but I was bringing 83 Veterans and 9 Recruits to the party. The Target ship has a strong defense value, but I'm coming at the operation with about 1.5x the strength.  2.0x would be preferred, but this target was encroaching on my territory and I didn't want to have any fallout with my traders.

Last tip for operation setup: I tell all participating ships to Maintain Distance.  I don't want these Rattlesnakes lighting up my boarding operation.  I can keep engines and turrets disabled with my fighter.

When setting up the Boarding op, the default value for "Launch Pods at Combat Effectiveness" is "Weak".  I don't even order the Boarding op until all turrets are destroyed, which leaves a target at Very Weak.  Default for "Start Breaching at Hull Strength" is "Strong".  I don't know what percentage that is, but this target is already at 75% hull.  The phase would start once all pods have made contact anyway.

Approach Phase is mostly covered above.  Disable the target and select your marines to be deployed.

Infiltration Phase - Hull % directly affects how fast your marines will make it through.  There is no separate Marine Skill for this like in X3.  I don't know if there is anything like Morale effect, but at 75% the marines are through in a minute or two.

Assault Phase - Here is an RNG-based go around, mostly determined by the Boarding Attack Strength and Boarding Resistance values shown on the screen.

Assault Analysis

I've set up a scenario which is repeatable and safe to do some analysis on the RNG and Boarding Strength variables.

First off, there's a save file.  https://drive.google.com/file/d/1t8Wz6WO7-rCXfNYHpqplulRyhZqGm9Z3/view?usp=sharing

I have run 10 operations with the same config (the save point is after the Approach phase, and in the middle of Infiltration).

Assault Stats:

Target: FAF Rattlesnake (Capacity: 92)
25 Veteran Marines
30 Crew

83 Veteran Marines
9 Recruit Marines

Attempt 1: Success!
Survivors: 25 Veterans, 2 Recruits

Attempt 2: Success!
Survivors: 30 Veterans, 2 Recruits

Attempt 3: Success!
Survivors: 23 Veterans, 0 Recruits

Attempt 4: Success!
Survivors: 26 Veterans, 0 Recruits

Attempt 5: Success!
Survivors: 21 Veterans, 1 Recruit

Attempt 6: Success!
Survivors: 24 Veterans, 2 Recruits

Attempt 7: Success!
Survivors: 25 Veterans, 0 Recruits

Attempt 8: Success!
Survivors: 20 Veterans, 3 Recruits

Attempt 9: Success!
Survivors: 26 Veterans, 7 Recruits

Attempt 10: Success!
Survivors: 21 Veterans, 1 Recruit