Pierluigi Paganini April 09, 2021

CISA released a Splunk-based dashboard for post-compromise activity in Microsoft Azure Active Directory (AD), Office 365, and MS 365 environments.

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Splunk-based dashboard, dubbed Aviary, that could be used by administrators in the post-compromise analysis of Microsoft Azure Active Directory (AD), Office 365 (O365), and Microsoft 365 (M365) environments.

“Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection toool released in December 2020.” reads the description for the tool published by CISA.

According to CISA, the Aviary could be used by IT security staff of organizations to visualize and analyze data produced by the Sparrow an open-source PowerShell-based tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

Sparrow checks and installs the required PowerShell modules on the machine to analyze, then checks the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool provides in outputs the data into multiple CSV files that are located in the user’s default home directory in a folder called ‘ExportDir’ (ie: Desktop/ExportDir).

“Aviary—a Splunk-based dashboard—facilitates analysis of Sparrow data outputs.” reads the post published by CISA. “CISA encourages network defenders wishing to use Aviary to facilitate their analysis of output from Sparrow to review CISA Alert: AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Note: CISA has updated the Sparrow tool section of AA21-008A with instructions on using the Aviary tool.”

Aviary is able to analyze the following sources from Sparrow include:

• AppUpdate_Operations_Export.csv
• AppRoleAssignment_Operations_Export.csv
• Consent_Operations_Export.csv
• Domain_List.csv
• Domain_Operations_Export.csv
• FileItems_Operations_Export.csv
• MailItems_Operations_Export.csv
• PSLogin_Operations_Export.csv
• PSMailbox_Operations_Export.csv
• SAMLToken_Operations_Export.csv
• ServicePrincipal_Operations_Export.csv

Below the step-by-step procedure to use Aviary:

• Ingest Sparrow logs (sourcetype=csv)
• Import Aviary .xml code into new Dashboard
• Point Aviary to Sparrow data using the index and host selection
• Review the output.

In March CISA released the CISA Hunt and Incident Response Program (CHIRP), a Python-based tool that allows detecting malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments. The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Aviary)

[adrotate banner=”5″]

[adrotate banner=”13″]