CISA’s Sparrow.ps1 tool detects malicious activity on Azure, Microsoft 365

The new free tool called Sparrow.ps1 is intended for use by incident responders.

Microsoft Azure just like any cloud tool is vulnerable because of the simple fact that it is online. Moreover, since it is used by many high-profile companies and government agencies alike, its vulnerability poses a big threat to the data and other resources of said organizations.

Keeping this in mind, just recently, the Cybersecurity and Infrastructure Security Agency (CISA) of Homeland Security has released a new tool on Github that can help network admins secure their data on Microsoft 365 and Azure.

[Related: Best OSINT Tools for 2020]

Regarding the use-case of the tool, it specifically analyses those activities that are often targeted by attackers in authentication based attacks. These could be both user and application generated making it easier to know when an account or a specific application has been compromised and therefore allow the victim to take mitigatory measures in time.



Commenting on the technicalities, the official Github page stated,

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.

On the other hand, it is also important to understand that the tool is not a full-fledged security system and so should not be used as “a replacement for intrusion detection systems.” The reasoning behind this is that its main aim is to only cover those types of attacks that have been recently seen happen to “federated identity sources and applications” rather than every sector at large.

For those that may be interested in using the tool, it requires certain permissions that have been detailed on its Github page along with the presence of 3 specific Powershell modules. Once these are present, no extra installation procedure is needed and you should be good to go.

To conclude, this happens to be a good contribution to the cybersecurity arena, particularly by the public sector and serves as a step that could be followed by other government agencies worldwide as well. For the future, there’s still a long way to go through in order to fully secure cloud environments.

You may also like...