FireEye has released a free tool on GitHub named Azure AD Investigator, an auditing script that helps organizations determine whether the SolarWinds hackers (also known as UNC2452) used any of the techniques described below inside their networks.
Mandiant Azure AD Investigator is now available on GitHub.
The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.
The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored, but for some selected targets, the hackers deployed a second strain of malware known as Teardrop and then used several techniques to escalate access inside the local network and to the company’s cloud resources, with a special focus on breaching Microsoft 365 infrastructure.
Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:
- Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
- Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
- Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and hold highly privileged directory roles, such as Global Administrator or Application Administrator.
- Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
Important Features of Mandiant-Azure-AD-Investigator:
● Signing Certificate Unusual Validity Period:
Every domain has a digital signing certificate; the tool flags one whose validity period is longer than one year. Any software or applications code-signed by such a certificate are no longer trusted by Microsoft SmartScreen, Google Safe Browsing, and antivirus programs.
Validity periods that are longer than one year could be an indication that a threat actor has tampered with the domain federation settings.
● Signing Certificate Mismatch:
Phishers try to pass off a malicious website as a legitimate site. A mismatch occurs when the domain name in the SSL certificate does not match the address in the browser's address bar.
It is always recommended to verify that the subject and issuer names are the expected ones and, if they are not, to consider performing a forensic investigation to determine how the changes were made and to identify any other evidence of compromise.
● Azure AD Backdoor (any.sts):
Hackers may leverage a backdoor to access existing Microsoft 365 applications and add a new app or service principal credential, so that they can use the legitimate permissions assigned to an app.
The tool therefore checks every federated domain for any.sts configured as the Issuer URI. This is another important feature of Mandiant Azure AD Investigator.
● Federated Domains:
Federation is a collection of trusted domains. Typically it includes authentication and authorization, ensuring that accounts in the on-premises Active Directory are trusted for use with accounts in Azure AD through single sign-on.
● Unverified Domains:
Domain verification is an essential step to confirm that a domain is valid. The tool lists the domains that have remained unverified for a long period in Azure AD.
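The five checks above can be expressed as a small audit over an export of each Azure AD domain's federation settings. The following is an added example, not code from the Mandiant repository; the record layout, the sample domains, and the "ADFS Signing" subject naming used for the mismatch check are assumptions.

```python
from datetime import date, timedelta

# Constructed sample export (assumption, not real data): one record per Azure AD
# domain, carrying the federation settings an auditor would collect for each.
SAMPLE_DOMAINS = [
    {"name": "corp.example.com", "status": "Verified", "auth": "Federated",
     "issuer_uri": "http://adfs.corp.example.com/adfs/services/trust",
     "cert_subject": "CN=ADFS Signing - adfs.corp.example.com",
     "cert_issuer": "CN=ADFS Signing - adfs.corp.example.com",
     "not_before": "2021-01-10", "not_after": "2022-01-10"},
    {"name": "legacy.example.com", "status": "Verified", "auth": "Federated",
     "issuer_uri": "http://any.sts/EXAMPLE-PLACEHOLDER",
     "cert_subject": "CN=unrelated-signing", "cert_issuer": "CN=unrelated-signing",
     "not_before": "2020-12-01", "not_after": "2030-12-01"},
    {"name": "pending.example.com", "status": "Unverified", "auth": "Managed"},
]

MAX_VALIDITY = timedelta(days=365)      # one-year ceiling described on the page
EXPECTED_SUBJECT_MARK = "ADFS Signing"  # assumption: AD FS default cert naming

def signing_cert_findings(domain):
    """Checks that apply only to a federated domain's token-signing certificate."""
    findings = []
    validity = (date.fromisoformat(domain["not_after"])
                - date.fromisoformat(domain["not_before"]))
    if validity > MAX_VALIDITY:
        findings.append("signing-cert-validity-over-1-year")
    # AD FS token-signing certs are normally self-signed with a predictable
    # subject; anything else is reported as a mismatch worth a manual look.
    if (domain["cert_subject"] != domain["cert_issuer"]
            or EXPECTED_SUBJECT_MARK not in domain["cert_subject"]):
        findings.append("signing-cert-subject-or-issuer-unexpected")
    return findings

def audit_domain(domain):
    findings = []
    if domain["status"] != "Verified":
        findings.append("unverified-domain")
    if domain["auth"] == "Federated":
        findings.append("federated-domain")  # informational, like the tool's listing
        if "any.sts" in domain["issuer_uri"].lower():
            findings.append("any-sts-issuer-uri")
        findings.extend(signing_cert_findings(domain))
    return findings

def audit(domains):
    """Return {domain name: [finding, ...]} for every domain in the export."""
    return {d["name"]: audit_domain(d) for d in domains}
```

Findings are labels for triage, not verdicts: a long-lived certificate or an unexpected subject still needs the follow-up review the page recommends.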
The Azure AD Investigator repository also contains a PowerShell module for detecting artifacts that may be "high-fidelity" indicators of compromise, or "dual-use" artifacts associated with the SolarWinds Orion attacks and other malicious activities. This module does not identify a compromise 100% of the time, so it is recommended to perform additional analysis and verification of the IOCs identified by the script to determine whether they are related to legitimate admin activity or to threat actors.