The Cybersecurity and Infrastructure Security Agency (CISA) has released Aviary, a dashboard that assists in reviewing post-compromise activity in Microsoft Azure Active Directory and Office 365.
Aviary helps security teams visualize and analyze the data outputs created by Sparrow, an open-source PowerShell-based tool that identifies potentially compromised applications and accounts in Azure or Microsoft 365.
Sparrow was built to help hunt for threat activity after the SolarWinds Orion supply chain attack. Aviary helps review the data exported by Sparrow's PowerShell commands, including analyzing PowerShell mailbox sign-ins and verifying whether the login details are authorized.
It can also investigate PowerShell usage by users in the environment and examine the tenant's Azure AD domains that Sparrow lists as modified.
How to use Aviary is covered in the next section.
How to Access Aviary?
To work with Aviary, the user executes the following steps:
- Ingest Sparrow logs (sourcetype=csv)
- Import the Aviary .xml code into the dashboard
- Point Aviary at the Sparrow data by selecting the index and host
- Review the output by clicking any UserId field value associated with Service Principal activity
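The review step above pivots on a single UserId and asks whether its mailbox sign-ins were authorized. The following PowerShell is an added example of that triage performed directly on a CSV export, not code from CISA's Sparrow or Aviary. The column names (CreationDate, UserId, ClientIP, Operation, AppId, ResultStatus), the sample rows, and the authorized-IP and expected-AppId lists are all constructed for illustration and are not the real Sparrow schema or any real tenant's values.

```powershell
# Constructed Sparrow-style sign-in export; the columns are an assumption, not Sparrow's real schema.
$SampleCsv = @"
CreationDate,UserId,ClientIP,Operation,AppId,ResultStatus
2021-01-05T10:12:03Z,alice@example.com,203.0.113.10,MailboxLogin,00000002-0000-0ff1-ce00-000000000000,Succeeded
2021-01-05T10:15:44Z,svc-backup@example.com,198.51.100.7,MailboxLogin,11111111-2222-3333-4444-555555555555,Succeeded
2021-01-05T11:02:19Z,alice@example.com,192.0.2.44,MailboxLogin,00000002-0000-0ff1-ce00-000000000000,Succeeded
2021-01-06T02:31:00Z,svc-backup@example.com,192.0.2.44,MailboxLogin,99999999-8888-7777-6666-555555555555,Succeeded
2021-01-06T02:35:10Z,bob@example.com,203.0.113.10,MailboxLogin,00000002-0000-0ff1-ce00-000000000000,Failed
"@

# Known-good egress addresses for this tenant (constructed for the example).
$AuthorizedIPs = @('203.0.113.10', '198.51.100.7')

# Application IDs the tenant expects to perform mailbox logins (constructed for the example).
$ExpectedAppIds = @('00000002-0000-0ff1-ce00-000000000000', '11111111-2222-3333-4444-555555555555')

function Get-SuspiciousMailboxLogins {
    param(
        [Parameter(Mandatory)] [string]   $CsvText,
        [Parameter(Mandatory)] [string[]] $AuthorizedIPs,
        [Parameter(Mandatory)] [string[]] $ExpectedAppIds
    )
    $events = $CsvText | ConvertFrom-Csv
    # Only successful mailbox logins matter for "was this access authorized?"
    $events |
        Where-Object { $_.Operation -eq 'MailboxLogin' -and $_.ResultStatus -eq 'Succeeded' } |
        ForEach-Object {
            $reasons = @()
            if ($_.ClientIP -notin $AuthorizedIPs) { $reasons += 'unrecognised source IP' }
            if ($_.AppId -notin $ExpectedAppIds)   { $reasons += 'unexpected application id' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    UserId   = $_.UserId
                    When     = $_.CreationDate
                    ClientIP = $_.ClientIP
                    AppId    = $_.AppId
                    Reason   = ($reasons -join '; ')
                }
            }
        }
}

# Group findings by UserId, mirroring the dashboard workflow of pivoting on one account at a time.
Get-SuspiciousMailboxLogins -CsvText $SampleCsv -AuthorizedIPs $AuthorizedIPs -ExpectedAppIds $ExpectedAppIds |
    Group-Object UserId |
    ForEach-Object {
        "{0}: {1} suspicious login(s)" -f $_.Name, $_.Count
        $_.Group | Format-Table When, ClientIP, AppId, Reason -AutoSize | Out-String
    }
```

With the constructed rows, alice@example.com is reported once (a login from an address outside the authorized list) and svc-backup@example.com once with two reasons (unknown address and an application id the tenant does not expect), while bob's failed login is ignored. Replace `$SampleCsv` with `Get-Content -Raw` on a real export and the two lists with the tenant's own baseline to use the same logic on real data.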
The following section covers how Sparrow data is reviewed.
CISA encourages network defenders to use Aviary for a more straightforward review of Sparrow output when working through alert AA21-008A, which covers detecting post-compromise activity in Microsoft cloud environments.
New Tools that Detect Malicious Activity
In March, CISA launched another program named CHIRP, which stands for CISA Hunt and Incident Response Program. CHIRP is a Python-based forensics collection tool that detects signs of the SolarWinds hackers on Windows systems.
CrowdStrike, meanwhile, helps administrators analyze their Azure environment and gain a clearer overview of which privileges are assigned to third-party resellers and partners.
FireEye also published a free tool dubbed Azure AD Investigator that finds clues indicating further malicious activity by the state-backed actor behind the SolarWinds supply-chain attack.
These tools were developed and made available to users after Microsoft disclosed how stolen credentials and access tokens were used in attacks targeting Azure users.