CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments


The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany Sparrow, the open-source PowerShell-based detection tool it released in December 2020 to help network defenders identify potentially compromised accounts in their Azure, Microsoft 365, and Office 365 environments.

Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts.

The Aviary dashboard helps network defenders review the PowerShell logs and mailbox sign-ins collected by Sparrow to determine whether the activity is legitimate. Through the dashboard, PowerShell usage by individual users can also be examined, along with Azure AD domains to determine whether they have been modified.

CISA is encouraging network defenders to review the previously released alert AA21-008A on detecting post-compromise activity in Microsoft cloud environments, which has now been updated to include instructions on using the Aviary dashboard. The Aviary dashboard is available for download from CISA’s Sparrow GitHub page.

In order to use the Aviary dashboard, users must ingest the Sparrow output into Splunk, import the Aviary .xml dashboard definition, point Aviary at the Sparrow data using the dashboard’s index and host selection, and then review the output.
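As an added illustration of the ingestion step (this is example configuration written for this article, not configuration shipped by CISA with Sparrow or Aviary), the following Splunk inputs.conf and props.conf fragments monitor Sparrow’s CSV export directory and index it so that the Aviary dashboard can be pointed at it. The export path C:\Sparrow\ExportDir, the index name sparrow, the host value m365-sparrow, and the sourcetype name sparrow:csv are all assumptions chosen for the example; the index and host values are the ones that must later be selected in the dashboard.

```ini
# Added example configuration, not part of the CISA Sparrow/Aviary repository.
# Assumptions: Sparrow's CSV output was written to C:\Sparrow\ExportDir (hypothetical
# path), the "sparrow" index already exists, and the host value "m365-sparrow" is an
# arbitrary label that must match the host selected in the Aviary dashboard.

# --- inputs.conf (on the forwarder or search head that can read the export directory)
[monitor://C:\Sparrow\ExportDir\*.csv]
index = sparrow
sourcetype = sparrow:csv
host = m365-sparrow
# Sparrow writes several CSVs with identical header rows; salting the CRC with the
# file path prevents Splunk from treating them as the same file and skipping some.
crcSalt = <SOURCE>

# --- props.conf (same Splunk instance)
[sparrow:csv]
# Treat the first line of each file as the field-name header and index every column,
# so the dashboard can search the Sparrow fields directly.
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
```

After a restart, confirm with a search such as `index=sparrow host=m365-sparrow | stats count by source` that every Sparrow CSV appears as its own source before importing the Aviary .xml and selecting the same index and host in the dashboard. If the Aviary dashboard in the release expects a particular sourcetype, use that name in place of the assumed sparrow:csv.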

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyberattack on Windows systems within an on-premises environment. The tool examines Windows event logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
