FireEye has launched Azure AD Investigator, an auditing script that lets organizations check their Microsoft 365 tenants for indicators of compromise (IOCs) that require further verification and analysis, according to the company.
The FireEye release comes after attackers trojanized updates to the SolarWinds Orion platform to distribute the SUNBURST backdoor to government, consulting, technology, telecom and oil and gas organizations around the world.
Azure AD Investigator alerts Microsoft 365 administrators and security practitioners to artifacts that may require additional review to determine whether they are malicious or part of legitimate activity, FireEye said. It enables these admins and practitioners to check for techniques associated with the SolarWinds Orion attacks and other threat activity, including:
- Theft of Active Directory Federation Services (AD FS) Token-Signing Certificate: Attackers may steal the AD FS token-signing certificate and use it to forge SAML tokens for arbitrary users, which lets them access Microsoft 365 as any user without that user's password or multi-factor authentication (MFA) mechanism.
- Modify or Add Trusted Domains in Azure AD: Attackers may modify a federated domain's settings or add a new trusted domain in Azure AD to register a federated Identity Provider (IdP) they control, which again lets them forge tokens for arbitrary users.
- Compromise On-Premises User Accounts: Attackers may compromise on-premises user accounts that are synchronized to Microsoft 365 and hold highly privileged directory roles.
- Backdoor Existing Microsoft 365 Applications: Attackers may add a new credential (certificate or secret) to an existing Microsoft 365 application or service principal so they can authenticate as that app and use the legitimate permissions already assigned to it, without any user account or MFA.
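The following is an added, illustrative read-only triage script and is not FireEye's Azure AD Investigator code. It walks a tenant for the four artifact classes listed above using the AzureAD and MSOnline PowerShell modules that were current at the time of the release (both have since been deprecated by Microsoft in favour of Microsoft Graph). It assumes both modules are installed, that the caller holds Global Reader or an equivalent read-only role, and that a 30-day window is a reasonable definition of "recent"; that window, the `Add-Finding` helper and the check names are assumptions made for this example, not tuned thresholds or tool output.

```powershell
# Added example, not FireEye's Azure AD Investigator. Read-only: it only lists
# artifacts, every hit still needs manual review because legitimate admin
# activity produces exactly the same objects.
param(
    [int]$RecentDays = 30   # assumed "recent" window; tune to your change cadence
)

Connect-AzureAD | Out-Null
Connect-MsolService

$cutoff   = (Get-Date).AddDays(-$RecentDays)
$findings = [System.Collections.Generic.List[object]]::new()

# Hypothetical helper: collects one finding row per artifact.
function Add-Finding {
    param([string]$Check, [string]$Subject, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
}

# 1. Federated domains and their token-signing certificates.
#    An IssuerUri, PassiveLogOnUri or signing certificate that does not belong to
#    your own AD FS farm is the "modify or add trusted domain" pattern. A recently
#    issued signing certificate on a known farm is a cue to examine the AD FS
#    servers themselves: theft of the existing certificate leaves no tenant artifact.
foreach ($d in Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }) {
    $fed   = Get-MsolDomainFederationSettings -DomainName $d.Name
    $thumb = $null
    if ($fed.SigningCertificate) {
        $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $thumb = $cert.Thumbprint
        if ($cert.NotBefore -gt $cutoff) {
            Add-Finding 'RecentSigningCert' $d.Name "thumbprint=$thumb notBefore=$($cert.NotBefore)"
        }
    }
    Add-Finding 'FederatedDomain' $d.Name "issuer=$($fed.IssuerUri) passiveLogOn=$($fed.PassiveLogOnUri) thumbprint=$thumb"
}

# 2. Privileged directory roles held by accounts synchronised from on-premises AD.
#    Compromising such an account on-premises (for example from a SUNBURST-infected
#    host) hands the attacker cloud admin rights without touching the cloud control plane.
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($m.ObjectType -ne 'User') { continue }
        $u = Get-AzureADUser -ObjectId $m.ObjectId
        if ($u.DirSyncEnabled) {
            Add-Finding 'SyncedPrivilegedUser' $u.UserPrincipalName "role=$($role.DisplayName)"
        }
    }
}

# 3. Credentials recently added to service principals or application objects
#    (the "backdoor an existing app" pattern). A fresh key or secret on an app that
#    already holds Mail.Read or Directory.ReadWrite.All is an MFA-free way in, and
#    first-party Microsoft service principals can carry such credentials too, so
#    nothing is filtered out here.
foreach ($sp in Get-AzureADServicePrincipal -All $true) {
    $creds = @($sp.KeyCredentials) + @($sp.PasswordCredentials)
    foreach ($c in $creds | Where-Object { $_.StartDate -gt $cutoff }) {
        Add-Finding 'RecentSpCredential' $sp.DisplayName "appId=$($sp.AppId) keyId=$($c.KeyId) start=$($c.StartDate)"
    }
}
foreach ($app in Get-AzureADApplication -All $true) {
    $creds = @($app.KeyCredentials) + @($app.PasswordCredentials)
    foreach ($c in $creds | Where-Object { $_.StartDate -gt $cutoff }) {
        Add-Finding 'RecentAppCredential' $app.DisplayName "appId=$($app.AppId) keyId=$($c.KeyId) start=$($c.StartDate)"
    }
}

$findings | Sort-Object Check, Subject | Format-Table -AutoSize
```

Run it interactively from a workstation that already has the two modules; the service-principal loop enumerates every SP in the tenant, including Microsoft's first-party ones, so expect it to take minutes in a large tenant. Every `FederatedDomain` row should be compared against the AD FS farm you actually operate, and every `RecentSpCredential` or `RecentAppCredential` row against change tickets: the script distinguishes nothing that a legitimate administrator could not also have done.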
Azure AD Investigator also contains a PowerShell module for detecting artifacts that may be high-fidelity or dual-use IOCs associated with the SolarWinds Orion attacks and other malicious activity, FireEye stated. It is not guaranteed to identify every compromise, and FireEye recommends that organizations perform additional analysis and verification of the IOCs the script surfaces to determine whether they stem from legitimate admin activity or from threat actors.
Azure AD Investigator is now available via GitHub.