Tuesday, December 29, 2020

CISA Sparrow - Looking for Indicators of Compromise in Azure/M365


The US Cybersecurity and Infrastructure Security Agency (CISA) gave Azure/M365 admins a late December present: GitHub - cisagov/Sparrow. Its purpose is to look for known Advanced Persistent Threat (APT) indicators of compromise in Azure/Microsoft 365.

Here is a bit of background on what the script does and does not do. I will leave out analysis of the code itself, as it may evolve; please review the source on GitHub.

Sparrow.ps1 looks primarily at two things: Azure AD service principals of type Application and the Microsoft Graph permissions (and credentials) granted to them, and the Unified Audit Log.
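The service principal side of that check, written out as an added example (this is not Sparrow's own code): enumerate every service principal that holds Microsoft Graph application permissions and note which of them also carry a key or password credential, since a credential plus mail-reading Graph permissions is exactly what an attacker needs to read mail without a user signing in. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already been run; the output file name is my choice.

```powershell
# Added example, not part of Sparrow.ps1. Requires the AzureAD module and an existing Connect-AzureAD session.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph's well-known application id
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"

# Map each Graph app role (application permission) id to its readable value, e.g. Mail.Read
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Every app role assignment granted ON Graph = application permissions held by other principals.
# Only service principals matter here; users cannot hold application permissions.
$assignments = Get-AzureADServiceAppRoleAssignedTo -ObjectId $graphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalType -eq 'ServicePrincipal' }

$findings = foreach ($group in ($assignments | Group-Object PrincipalId)) {
    $sp    = Get-AzureADServicePrincipal -ObjectId $group.Name
    $perms = $group.Group | ForEach-Object { $roleNames[$_.Id] } | Sort-Object -Unique
    $keys  = @(Get-AzureADServicePrincipalKeyCredential      -ObjectId $sp.ObjectId)
    $pwds  = @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId)
    $newest = ($keys + $pwds) | Sort-Object StartDate -Descending | Select-Object -First 1

    [pscustomobject]@{
        DisplayName          = $sp.DisplayName
        AppId                = $sp.AppId
        ServicePrincipalType = $sp.ServicePrincipalType
        GraphAppPermissions  = $perms -join ','
        CredentialCount      = $keys.Count + $pwds.Count
        NewestCredentialFrom = $newest.StartDate   # a recently added secret on an old app is the thing to explain
    }
}

# Start the read-through with principals that can read mail and have something to authenticate with
$findings |
    Where-Object { $_.CredentialCount -gt 0 -and $_.GraphAppPermissions -match 'Mail\.' } |
    Format-Table -AutoSize

# Keep the full list for later comparison; file name is an assumption, not a Sparrow output
$findings | Export-Csv -NoTypeInformation -Path .\Graph_AppPermissions_Export.csv
```

Compare the NewestCredentialFrom date against the "Add service principal credentials" and "Update application - Certificates and secrets management" rows from the UAL: the two sources should agree on who added the credential and when.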

If you have a suspect Azure AppID, and you have M365 E5/G5 (or another plan that records the MailItemsAccessed operation in the Unified Audit Log), that AppID can be supplied to the script, which will search the UAL for MailItemsAccessed operations performed by that AppID and export the mail items it accessed.

What is this script checking?

Sparrow.ps1 retrieves up to the first 5000 results (the maximum a single Search-UnifiedAuditLog call returns) for each of the following searches of the Unified Audit Log (UAL):

VERBOSE: Searching for 'Set domain authentication' and 'Set federation settings on domain' operations in the UAL.
VERBOSE: Searching for 'Update application' and 'Update application – Certificates and secrets management' in the UAL.
VERBOSE: Searching for 'Update service principal' and 'Add service principal credentials' in the UAL.
VERBOSE: Searching for 'Add app role assignment to service principal', 'Add app role assignment grant to user', and 'Add app role assignment to group' in the UAL.
VERBOSE: Searching for 'Add OAuth2PermissionGrant' and 'Consent to application' in the UAL.
VERBOSE: Searching for 16457 in UserLoggedIn and UserLoginFailed operations in the UAL.
VERBOSE: Searching for PowerShell logins into mailboxes in the UAL.
VERBOSE: Searching for PowerShell logins using known PS application ids in the UAL.
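Two of these searches written out by hand, as an added example rather than Sparrow's own code, so the 5000-row cap can be worked around: a single Search-UnifiedAuditLog call returns at most 5000 records, so in a busy tenant the federation search and the MailItemsAccessed export described earlier can both silently truncate. The helper below pages through a session with -SessionCommand ReturnLargeSet, then runs the domain federation search and the per-AppID MailItemsAccessed search from the earlier paragraph. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) is already open; the 90-day window, the placeholder AppID and the output file name are my assumptions.

```powershell
# Added example, not part of Sparrow.ps1. Requires an existing Connect-ExchangeOnline session.
function Search-UALPaged {
    # Page through the UAL; each call with the same SessionId returns the next page until nothing comes back.
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations,
        [string]$FreeText
    )
    $sessionId = "ual-$([guid]::NewGuid())"
    $records = @()
    do {
        $splat = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            ResultSize     = 5000            # per-call maximum
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($Operations) { $splat.Operations = $Operations }
        if ($FreeText)   { $splat.FreeText   = $FreeText }
        $page = @(Search-UnifiedAuditLog @splat)
        $records += $page
    } while ($page.Count -gt 0)
    # ReturnLargeSet is unsorted and can repeat records; dedupe on Identity, then expand the JSON payload
    $records | Sort-Object Identity -Unique | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

$end   = Get-Date
$start = $end.AddDays(-90)   # assumed window; the UAL holds 90 days on most plans

# 1) Domain federation changes, the first search in Sparrow's list. ModifiedProperties carries
#    the new issuer URI / signing certificate, which is what a forged-token attack needs to change.
$federation = Search-UALPaged -StartDate $start -EndDate $end `
    -Operations 'Set domain authentication', 'Set federation settings on domain'
$federation | Select-Object CreationTime, UserId, Operation,
    @{ n = 'Domain';  e = { ($_.Target | ForEach-Object { $_.ID }) -join ';' } },
    @{ n = 'Changed'; e = { ($_.ModifiedProperties | ForEach-Object { "$($_.Name)=$($_.NewValue)" }) -join '; ' } } |
    Format-Table -Wrap

# 2) Mail read by a suspect AppID. MailItemsAccessed is only logged on E5/G5 or with Advanced Audit.
$suspectAppId = '00000000-0000-0000-0000-000000000000'   # placeholder; supply the AppID under suspicion
$mailAccess = Search-UALPaged -StartDate $start -EndDate $end -Operations 'MailItemsAccessed' -FreeText $suspectAppId |
    Where-Object { $_.AppId -eq $suspectAppId -or $_.ClientAppId -eq $suspectAppId }   # field names assumed from the MailItemsAccessed schema

$mailAccess | Select-Object CreationTime, MailboxOwnerUPN, ClientIPAddress,
    @{ n = 'AccessType'; e = { ($_.OperationProperties | Where-Object Name -eq 'MailAccessType').Value } },
    @{ n = 'Items';      e = { ($_.Folders | ForEach-Object { $_.FolderItems }).Count } } |
    Export-Csv -NoTypeInformation -Path ".\MailItemsAccessed_$suspectAppId.csv"
```

The sync-style accesses (MailAccessType = Sync) are the ones to read closely: a sync pulls whole folders, so one record can represent far more mail than its row count suggests. Also note the IsThrottled property on MailItemsAccessed records; when it is set, Exchange stopped logging individual accesses for that mailbox for the rest of the day, and the export is a lower bound.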

What is Sparrow.ps1 NOT checking?

Sparrow does not look at your tenant configuration or your Exchange client access configuration, nor does it analyze the allow/block lists in Exchange Online Protection. I recommend a few links on these areas:

Mailbox audit logging has been enabled by default for mailboxes since January 2019. You may need to enable it per mailbox for mailboxes created before then. Manage mailbox auditing - Microsoft 365 Compliance | Microsoft Docs
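Since Sparrow's mailbox login and MailItemsAccessed searches find nothing in mailboxes that are not being audited, it is worth confirming auditing before trusting an empty result. As an added example (not from the page or from Sparrow), the following checks the tenant-level switch, lists mailboxes whose own setting is off, and shows how to turn it on with -WhatIf first. It assumes a Connect-ExchangeOnline session.

```powershell
# Added example, not part of Sparrow.ps1. Requires an existing Connect-ExchangeOnline session.

# Tenant-level switch: when AuditDisabled is True, per-mailbox AuditEnabled values are ignored
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level (AuditDisabled = True); nothing below is being logged.'
}

# Per-mailbox state. Older mailboxes and ones someone explicitly disabled show AuditEnabled = False.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object UserPrincipalName, RecipientTypeDetails, AuditEnabled, AuditLogAgeLimit, DefaultAuditSet, WhenCreated

$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
"{0} of {1} mailboxes have auditing off" -f @($notAudited).Count, @($mailboxes).Count
$notAudited | Sort-Object WhenCreated | Format-Table -AutoSize

# AuditLogAgeLimit defaults to 90 days; a mailbox with a shorter limit cannot answer a 90-day question
$mailboxes | Where-Object { [timespan]$_.AuditLogAgeLimit -lt [timespan]::FromDays(90) } |
    Select-Object UserPrincipalName, AuditLogAgeLimit

# Enable where it is off. Run with -WhatIf first; drop it once the list has been reviewed.
$notAudited | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true -WhatIf
}
```

Enabling auditing today does not recover the past: any mailbox that was off during the suspect window simply has no MailItemsAccessed or MailboxLogin records for Sparrow to find.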

Reviewing Sparrow Output

Depending on the size of your tenant, the top 5000 results for each search are going to generate a LOT of info to comb through. I am not a CyberSecurity guy, so I am not going to attempt to rank these Indicators of Compromise by severity. Suffice to say that some of these are standard operations in Azure AD and are of lesser concern.
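One way to make those thousands of rows readable, as an added example and not something Sparrow does itself: collapse each export to one line per operation and actor, with counts, first and last seen, source IPs and targets, so that a routine deployment account updating the same service principal fifty times shows up as one line and a single after-hours federation change does not get lost among them. The column names (CreationTime, Operation, UserId, ClientIP, ObjectId) are the expanded AuditData fields the exports contain; the rows below are constructed sample data so the block runs offline, and the export file name in the comment is assumed.

```powershell
# Added example, not part of Sparrow.ps1. Constructed sample rows; replace with Import-Csv of a real export.
$rows = @'
CreationTime,Operation,UserId,ClientIP,ObjectId
2020-12-10T02:14:00,Add service principal credentials,admin@contoso.example,198.51.100.7,ServicePrincipal_aaaa
2020-12-10T02:15:10,Add app role assignment to service principal,admin@contoso.example,198.51.100.7,ServicePrincipal_aaaa
2020-12-11T09:00:00,Update service principal,svc-deploy@contoso.example,203.0.113.5,ServicePrincipal_bbbb
2020-12-11T09:05:00,Update service principal,svc-deploy@contoso.example,203.0.113.5,ServicePrincipal_bbbb
2020-12-11T09:07:00,Update service principal,svc-deploy@contoso.example,203.0.113.5,ServicePrincipal_bbbb
2020-12-12T23:40:00,Set federation settings on domain,admin@contoso.example,192.0.2.99,contoso.example
'@ | ConvertFrom-Csv
# Real data: $rows = Import-Csv .\Domain_Operations_Export.csv   # file name assumed

$summary = $rows | Group-Object Operation, UserId | ForEach-Object {
    $g = @($_.Group | Sort-Object { [datetime]$_.CreationTime })
    [pscustomobject]@{
        Operation = $g[0].Operation
        UserId    = $g[0].UserId
        Count     = $g.Count
        FirstSeen = $g[0].CreationTime
        LastSeen  = $g[-1].CreationTime
        SourceIPs = ($g | ForEach-Object { $_.ClientIP } | Sort-Object -Unique) -join ';'
        Targets   = ($g | ForEach-Object { $_.ObjectId } | Sort-Object -Unique) -join ';'
    }
}

# Rare operations from an account that normally does not perform them are the ones to read first;
# high-count groups from the same service account at the same IP are usually routine.
$summary | Sort-Object Count | Format-Table -AutoSize

# Actors seen from more than one source IP across the whole export
$rows | Group-Object UserId | Where-Object { (@($_.Group | ForEach-Object { $_.ClientIP } | Sort-Object -Unique)).Count -gt 1 } |
    Select-Object Name, Count
```

The same grouping works on every Sparrow export because they all carry the same core UAL columns; only the extra per-operation fields differ.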