{
	"id": "66ceed72-3b45-432b-96ff-f42aacf164f6",
	"created_at": "2026-04-06T00:09:18.722016Z",
	"updated_at": "2026-04-10T13:11:30.067745Z",
	"deleted_at": null,
	"sha1_hash": "2291fd21c9f42d1633d2c2e4f877add3a2181682",
	"title": "Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148594,
	"plain_text": "Detecting Post-Compromise Threat Activity in Microsoft Cloud\r\nEnvironments | CISA\r\nPublished: 2021-04-15 · Archived: 2026-04-05 23:42:15 UTC\r\nSummary\r\nThis Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework. See the\r\nATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nUpdated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).\r\nAdditional information may be found in a statement from the White House. For more information on SolarWinds-related\r\nactivity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.\r\nThis Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical\r\nInfrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT)\r\nactor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies,\r\ncritical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and\r\nInfrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds\r\nOrion products.\r\nThis Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor.\r\nSpecifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure\r\nenvironment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface\r\n(API) access to cloud resources of private and public sector organizations. 
These tactics, techniques, and procedures (TTPs)\r\nfeature three key components:\r\nCompromising or bypassing federated identity solutions;\r\nUsing forged authentication tokens to move laterally to Microsoft cloud environments; and\r\nUsing privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for\r\nApplication Programming Interface (API)-based access.\r\nThis Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a\r\nCISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365\r\n(O365), and M365 environments to detect potentially malicious activity.\r\nNote: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the\r\nthreat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.\r\nTechnical Details\r\nFrequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via\r\ncompromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1] However, CISA is investigating instances in\r\nwhich the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying\r\n[T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials\r\n[T1552]) instead of utilizing the compromised SolarWinds Orion products.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 1 of 10\n\nCISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004]\r\nwithin a compromised network and using native Windows tools and techniques, such as Windows Management\r\nInstrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing\r\ncapability. 
This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers\r\n—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud\r\nenvironments (Lateral Movement [TA0008]).\r\nThe threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication.\r\nThis activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move\r\nlaterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).\r\nThis level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain\r\nadministrative control before recovering.\r\nMitigations\r\nDetection\r\nGuidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a\r\ncompromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises\r\nnetworks requires fine-tuned network and host-based forensics.\r\nThe nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors.\r\nMicrosoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides\r\npremium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate\r\nTTPs specific to the Solorigate activity.[3]\r\nDetection Tools\r\nCISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial\r\nproduct or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services\r\ndoes not constitute or imply their endorsement, recommendation, or favoring by CISA.\r\nThere are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to\r\ndetect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network\r\ndefenders can use to investigate M365 and Microsoft Azure include:\r\nCISA's Sparrow,\r\nOpen-source utility Hawk, and\r\nCrowdStrike's Azure Reporting Tool (CRT).\r\nAdditionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and\r\nevaluating service configurations for signs of anomalous activity and intrusion.\r\nNote: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud\r\nenvironments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a\r\nMicrosoft premium service that provides comprehensive analysis tools, including custom detections for the activity\r\nindicated.\r\nGeneral Guidance on Using Detection Tools\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 2 of 10\n\n1. Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of\r\ndormant applications.\r\n2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for\r\nunexpected trust relationships added to the Azure Active Directory.\r\n3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. 
Review new\r\ntoken validation time periods with high values and investigate whether it was a legitimate change or an attempt to\r\ngain persistence by a threat actor.\r\nSparrow\r\nCISA created Sparrow to help network defenders detect possible compromised accounts and applications in the\r\nAzure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and\r\nauthentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It\r\nis intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on\r\nfederated identity sources and applications.\r\n(Updated April 8, 2021): CISA has also created \"Aviary,\" which is a companion Splunk dashboard that can assist in\r\nvisualizing and reviewing the output of Sparrow. Network defenders can find Aviary on CISA's Sparrow GitHub page\r\n. CISA advises network defenders to perform the following actions to use Sparrow:\r\n1. Use Sparrow to detect any recent domain authentication or federation modifications.\r\na. Domain and federation modification operations are uncommon and should be investigated.\r\n2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the\r\ncredential type. Sparrow can be used to detect the modification of service principals and application credentials.\r\na. Create a timeline for all credential changes, focusing on recent wholesale changes.\r\nb. Review the “top actors” for activity in the environment and the number of credential modifications performed.\r\nc. Monitor changes in application and service principal credentials.\r\nd. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange\r\nOnline, Microsoft Graph, and Azure AD Graph.\r\n3. 
Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.\r\n4. Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in\r\nadversary TTPs.\r\n5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the\r\nunified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a\r\npotential indicator for forged SAML tokens.\r\na. Note that this TTP has not been the subject of significant published security research but may indicate an\r\nunusual usage of a token, such as guest access for external partners to M365 resources.\r\n6. Review the PowerShell logs that Sparrow exports.\r\na. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.\r\nb. Review PowerShell usage for users with PowerShell in the environment.\r\n7. Use Sparrow to check the Graph API application permissions of all service principals and applications in\r\nM365/Azure AD.\r\na. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy\r\nhttps://graph.windows.net/ or https://graph.microsoft.com ). Graph is used frequently as part of these TTPs,\r\noften to access and manipulate mailbox resources.\r\n8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.\r\n9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application\r\nidentification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 3 of 10\n\nthe app id investigation capability, which will check to see if it is accessing mail or file items.\r\na. The MailItemsAccessed event provides audibility for mailbox data accessed via mail protocols or clients.\r\nb. 
By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items\r\nhave been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some\r\nsituations where the message was not necessarily read interactively (e.g., bind or sync).[5]\r\nc. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious\r\napplications that require additional analysis.\r\nd. Check for changes to applications with regards to the accessing of resources such as mail or file items.\r\n(Updated April 8, 2021): Aviary can be used to assist with performing the above tasks. To install Aviary, after running\r\nSparrow:\r\n1. Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk.\r\na. Sparrow output will have the following default filenames, which should not be modified:\r\nAppUpdate_Operations_Export.csv , AppRoleAssignment_Operations_Export.csv ,\r\nConsent_Operations_Export.csv , Domain_List.csv , Domain_Operations_Export.csv ,\r\nFileItems_Operations_Export.csv , MailItems_Operations_Export.csv ,\r\nPSLogin_Operations_Export.csv , PSMailbox_Operations_Export.csv ,\r\nSAMLToken_Operations_Export.csv , ServicePrincipal_Operations_Export.csv\r\n2. Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.\r\n3. Use the data selection filters to point to the indexed Sparrow data (see figure 1)\r\n                                                                                                                    Figure 1: Data Selection Filters\r\nHawk\r\nHawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily\r\ngather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate\r\nspecific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. 
Additionally, Hawk can\r\ntrack IP usage for concurrent login situations.\r\nHawk users should review login details for administrator accounts and take the following steps.\r\nCrowdStrike Azure Reporting Tool\r\nCrowdStrike's Azure Reporting Tool (CRT) can help network defenders analyze their Microsoft Azure AD and M365\r\nenvironment to help organizations analyze permissions in their Azure AD tenant and service configuration. This tool has\r\nminor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool\r\nbecause it is one of the only free, open-source tools available to investigate this activity and could be used to complement\r\nSparrow.\r\nDetection Tool Distinctions\r\nDetection Methods\r\nMicrosoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated\r\ndetection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises\r\nidentity solution, such as ADFS.[6]\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 4 of 10\n\nNote: this step provides an entry vector to cloud technology environments, and is unnecessary when the threat actor has\r\ncompromised an identity solution or credential that allows the APT direct access to the cloud(e.g., without leveraging the\r\nSolarWinds Orion vulnerability).\r\nStage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider\r\nThese attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a\r\ncombination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth\r\nclaims for specific principals made at the Azure AD level and compare them to the on-premises identity.\r\nExport sign-in logs from the Azure AD portal and look at the Authentication Method field.\r\nNote: at portal.azure.com, click on a 
user and review the authentication details (e.g., date, method, result). Without Sentinel,\r\nthis is the only way to get these logs, which are critical for this effort.\r\nDetection Method 1: Correlating service provider login events with corresponding authentication events in Active\r\nDirectory Federation Services (ADFS) and Domain Controllers\r\nUsing SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769,\r\n1200, and 1202 in the domain.\r\nDetection Method 2: Identifying certificate export events in ADFS\r\nLook for:\r\nDetection Method 3: Customizing SAML response to identify irregular access\r\nThis method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify\r\nirregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements\r\nfor each service provider to monitor and detect any anomalous requests.[8]\r\nDetection Method 4: Detecting malicious ADFS trust modification\r\nA threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate\r\nand private key as part of a standard Golden SAML attack.[9]\r\nNetwork defenders should look for:\r\nStage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as Azure\r\nAD (establishing a foothold)\r\nAfter the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by\r\nreviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).\r\nThe threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor\r\nadds additional credentials to an existing service principal. 
Once the threat actor has impersonated a privileged Azure AD\r\naccount, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).\r\nNetwork defenders should take the following steps.\r\nStage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing\r\napplication or service principal and calling APIs with the permissions assigned to that application\r\nIn some cases, the threat actor has been observed adding permissions to existing applications or service principals.\r\nAdditionally the actor has been seen establishing new applications or service principals briefly and using them to add\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 5 of 10\n\npermissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a\r\ncredential to another service principal, and then deleting it).[11]\r\nNetwork defenders should use Sparrow to:\r\nStage 4: Once access has been established, the threat actor Uses Microsoft Graph API to conduct action on objectives\r\nfrom an external RESTful API (queries impersonating existing applications).\r\nNetwork defenders should:\r\nMicrosoft Telemetry Nuances\r\nThe existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in\r\ntraditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities\r\nof on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional\r\nsources or be visible with the Microsoft M365 Management API or in the UAL.\r\nService principal logging is available using the Azure Portal via the \"Service Principal Sign-ins\" feature. 
Enable settings in\r\nthe Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event\r\nmanagement (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other\r\nfeatures, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually\r\nif not ingested by one of the methods listed in the Detection Methods section.\r\nGlobal Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security\r\nposture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as\r\nMicrosoft Defender for O365 and Azure Sentinel. According to CrowdStrike, \"There was an inability to audit via API, and\r\nthere is the requirement for global admin rights to view important information which we found to be excessive. Key\r\ninformation should be easily accessible.\"[13]\r\nDocumentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML\r\ntoken forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as\r\npart of core Microsoft documentation sources.\r\nThe use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in\r\nMicrosoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing\r\nlicense that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. 
CISA notes that\r\nthis license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the\r\nmoment of integration but does not provide retroactive visibility on previous events or historical context.\r\nA properly configured SIEM can provide:\r\nBuilt-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from\r\ncustom tools and are mapped to the MITRE ATT\u0026CK framework and easy-to-understand dashboards.[14] However,\r\nthese tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that\r\nappropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and\r\narranged.\r\n1. Ingest comma separated values (CSV) output from the Sparrow PowerShell script into Splunk.\r\na. Sparrow output will have the following default filenames, which should not be modified:\r\nAppUpdate_Operations_Export.csv , AppRoleAssignment_Operations_Export.csv ,\r\nConsent_Operations_Export.csv , Domain_List.csv , Domain_Operations_Export.csv ,\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 6 of 10\n\nFileItems_Operations_Export.csv , MailItems_Operations_Export.csv ,\r\nPSLogin_Operations_Export.csv , PSMailbox_Operations_Export.csv ,\r\nSAMLToken_Operations_Export.csv , ServicePrincipal_Operations_Export.csv\r\n2. Copy and paste the contents of the .xml file (aviary.xml in the root directory) into a new dashboard.\r\n3. Use the data selection filters to point to the indexed Sparrow data (see figure 1)\r\n4.  \r\n1. Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).\r\n2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or\r\nexpected purposes.\r\na. PowerShell logging does not reveal the exact cmdlet that was run on the tenant.\r\n3. 
Look for users with unusual sign-in locations, dates, and times.\r\n4. Check permissions of service principals and applications in M365/Azure AD.\r\n5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and\r\nsee if it is accessing mail or file items.\r\n6. Review mailbox rules and recent mailbox rule changes.\r\nSparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.\r\nCRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the\r\nunified audit log, which gives it a different output from Sparrow or Hawk.\r\nCRT returns the same broad scope of application/delegated permissions for service principals and applications\r\nas Hawk.\r\nAs part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph\r\nAPI, which is common to the recent attacks.\r\nCRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing\r\nAzure AD domains.\r\nAmong the items network defenders can use CRT to review are delegated permissions and application\r\npermissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects\r\nwith KeyCredentials.\r\n1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.\r\n2. Export-PfxCertificate or certutil-exportPFX in Event IDs 4103 and 4104, which may include detection of a\r\ncertificate extraction technique.\r\n3. Deleted certificate extraction with ADFSdump performed using Sysmon Event ID 18 with the pipe name\r\n\\microsoft##wid\\tsql\\query (exclude processes regularly making this pipe connection on the machine).\r\n4. 
Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event\r\nID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more\r\nthan one event per single Event ID 307 event).\r\n5. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event\r\nID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more\r\nthan one event per single Event ID 307 event.)\r\n1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property\r\nValue references an unfamiliar domain.\r\n6. Possible activity of an interrogating ADFS host by using ADFS PowerShell plugins. Look for changes in the\r\nfederation trust environment that would indicate new ADFS sources.\r\n7. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications\r\nto these credentials.\r\na. Look for unusual application usage, such as dormant or forgotten applications being used again.\r\nb. Audit the assignment of credentials to applications that allow non-interactive sign-in by the\r\napplication.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 7 of 10\n\n8. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of\r\nnon-interactive sign-ins from the Azure portal or use Azure Sentinel.).[10]\r\n9. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP\r\naddresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.\r\n10. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global\r\nAdmins). Look for unusual sign-in locations, dates, and times.\r\n11. 
Review new token validation time periods with high values and investigate whether the changes are legitimate\r\nor a threat actor’s attempts to gain persistence.\r\n12. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates,\r\nand times.\r\n13. Create a timeline for all credential changes.\r\n14. Monitor changes in application credentials (the script will export into csv named\r\nAppUpdate_Operations_Export).\r\n15. Detect service principal credentials change and service principal change (e.g., if an actor adds new\r\npermissions or expands existing permissions).\r\na. Export and view this activity via the ServicePrincipal_Operations_Export.\r\n16. Record OAuth consent and consent to applications\r\na. Export and view this record via the Consent_Operations_Export file.\r\n17. Investigate instances of excessive high permissions, including, but not limited to Exchange Online, Microsoft\r\nGraph, and Azure AD Graph.\r\na. Review Microsoft Graph API permissions granted to service principals.\r\nb. Export and view this activity via the ApplicationGraphPermissions csv file.\r\ni. Note: Hawk can also return the full list of service principal permissions for further\r\ninvestigation.\r\nc. Review top actors and the amount of credential modifications performed.\r\nd. Monitor changes in application credentials.\r\n18. Identify manipulation of custom or third-party applications.\r\na. Network defenders should review the catalog of custom or third-party vendors with applications in the\r\nMicrosoft tenant and perform the above interrogation principles on those applications and trusts.\r\n19. Review modifications to federation trust settings.\r\na. Review new token validation time periods with high values and investigate whether this was a\r\nlegitimate change or an attempt to gain persistence by the threat actor.\r\ni. 
The script detects the escalation of privileges, including the addition of Service Principals (SP)\r\nto privileged roles. Export this data into csv called AppRoleAssignment_Operations_Export.\r\n20. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used\r\n(requires G5 or E5 license for this specific detail).\r\n21. Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate\r\nmail and file items accessed for that applicationID (Use the application ID utility for any other suspicious\r\napps that require additional analysis.).\r\n22. Check the permissions of an application in M365/Azure AD using Sparrow.\r\na. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.\r\nb. Network defenders will see the IP address that Graph API uses.\r\nc. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.\r\n23. Investigate a specific service principal, if it is a user-specific user account, in Hawk. This activity is\r\nchallenging to see without Azure Sentinel or manually downloading and reviewing logs from the sign-in\r\nportal.\r\n24. Longer term storage of log data.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 8 of 10\n\n25. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers),\r\nendpoint detection and response data, and identity provider information.\r\n26. 
Ability to query use of application connectors in Azure.\r\nContact Information\r\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat.\r\nFor any questions related to this report, please contact CISA at\r\n1-844-Say-CISA (From outside the United States: +1-703-235-8832)\r\ncentral@cisa.dhs.gov (UNCLASS)\r\nus-cert@dhs.sgov.gov (SIPRNET)\r\nus-cert@dhs.ic.gov (JWICS)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at\r\nhttp://www.us-cert.cisa.gov/.\r\nResources\r\nAzure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718\r\nVolexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations:\r\nhttps://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\r\nHow to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/\r\nThird-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/\r\nNational Security Agency Advisory on Detecting Abuse of Authentication Mechanisms:\r\nhttps://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PD\r\nMicrosoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/\r\nCISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a\r\nReferences\r\n[1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems\r\n[3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel\r\n[4] Microsoft Solorigate Resource Center\r\n[5] Advanced Audit in Microsoft 365\r\n[6] Microsoft: Understanding “Solorigate’s” 
Identity IOCs\r\n[7] Detection and Hunting of Golden SAML Attack:\r\n[8] Ibid\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\r\nPage 9 of 10\n\n[9] Ibid\r\n[10] Microsoft: AADServicePrincipalSignInLogs\r\n[11] Microsoft: Understanding “Solorigate’s” Identity IOCs\r\n[12] Azure Active Directory Sign-in Activity Reports\r\n[13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory\r\n[14] Microsoft 365 App for Splunk\r\nRevisions\r\nInitial version: January 8, 2021|February 4, 2021: Removed link and section for outdated product feedback form|April 8,\r\n2021: Added Aviary Dashboard information|April 15, 2021: Added Attribution Statement\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-008a"
	],
	"report_names": [
		"aa21-008a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2291fd21c9f42d1633d2c2e4f877add3a2181682.pdf",
		"text": "https://archive.orkl.eu/2291fd21c9f42d1633d2c2e4f877add3a2181682.txt",
		"img": "https://archive.orkl.eu/2291fd21c9f42d1633d2c2e4f877add3a2181682.jpg"
	}
}