Mar 20, 2021

T0pCyber / Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users can review login details for administrator accounts and take the following steps.

  1. Investigate high-value administrative accounts to detect anomalous activity.
  2. Enable PowerShell logging.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places.
  6. Review mailbox rules and recent mailbox rule changes.
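The review steps above can be scripted against exported sign-in data. The following is an added example, not code from Hawk: it triages a constructed set of sign-in records for administrator activity, unexpected countries, off-hours sign-ins and concurrent sign-ins from different IPs. The record columns, the expected-country list, the 30-minute concurrency window and the 07:00-19:00 UTC business-hours range are illustrative assumptions, not Hawk's.

```powershell
# Added example (not Hawk's code). Assumptions: record layout, expected
# countries, concurrency window and business hours are illustrative choices.

function New-SignInFinding {
    param($Event, [string] $Reason)
    [pscustomobject]@{
        User    = $Event.UserPrincipalName
        Admin   = [bool]::Parse($Event.IsAdmin)
        Time    = $Event.Time.ToString('u')
        IP      = $Event.ClientIP
        Country = $Event.Country
        Reason  = $Reason
    }
}

function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $ExpectedCountries = @('US'),
        [int] $ConcurrentWindowMinutes = 30,
        [int[]] $BusinessHoursUtc = (7..19)
    )
    $culture = [cultureinfo]::InvariantCulture
    $utc     = [System.Globalization.DateTimeStyles]::AdjustToUniversal

    foreach ($group in ($Records | Group-Object -Property UserPrincipalName)) {
        # Parse timestamps as UTC and sort so adjacent events can be compared.
        $events = @($group.Group |
            Select-Object -Property *, @{ n = 'Time'; e = { [datetime]::Parse($_.CreationTime, $culture, $utc) } } |
            Sort-Object -Property Time)

        for ($i = 0; $i -lt $events.Count; $i++) {
            $e = $events[$i]
            if ($e.Country -notin $ExpectedCountries) {
                New-SignInFinding -Event $e -Reason "sign-in from unexpected country $($e.Country)"
            }
            if ($e.Time.Hour -notin $BusinessHoursUtc) {
                New-SignInFinding -Event $e -Reason "sign-in outside business hours ($($e.Time.Hour):00 UTC)"
            }
            if ($i -gt 0) {
                # Two sign-ins from different IPs inside the window suggest concurrent use.
                $prev = $events[$i - 1]
                $gapMinutes = ($e.Time - $prev.Time).TotalMinutes
                if ($prev.ClientIP -ne $e.ClientIP -and $gapMinutes -le $ConcurrentWindowMinutes) {
                    New-SignInFinding -Event $e -Reason "concurrent sign-in: $($prev.ClientIP) then $($e.ClientIP) within $([int]$gapMinutes) min"
                }
            }
        }
    }
}

# Constructed sample: five sign-ins, two of them for an administrator.
$signIns = @'
UserPrincipalName,CreationTime,ClientIP,Country,IsAdmin
admin@contoso.example,2021-03-19T08:02:11Z,203.0.113.10,US,True
admin@contoso.example,2021-03-19T08:09:47Z,198.51.100.77,DE,True
alice@contoso.example,2021-03-19T09:15:00Z,203.0.113.22,US,False
alice@contoso.example,2021-03-19T22:40:30Z,203.0.113.22,US,False
bob@contoso.example,2021-03-19T03:12:05Z,192.0.2.9,US,False
'@ | ConvertFrom-Csv

# Administrator findings sort to the top for review.
Find-SuspiciousSignIns -Records $signIns |
    Sort-Object -Property Admin, User -Descending |
    Format-Table -AutoSize
```

On the sample data the administrator's second sign-in is reported twice (unexpected country, and a different IP within seven minutes of the first), while the two off-hours sign-ins by ordinary users are reported once each. Timestamps are parsed with AdjustToUniversal so the hour-of-day check is not skewed by the analysis machine's time zone.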

Links:

Mar 19, 2021

CrowdStrike / CRT

CrowdStrike's Azure Reporting Tool (CRT) helps analysts review their Microsoft Azure AD and M365 environment by reporting on Azure AD tenant and service configuration.

This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.

Links:

  • https://github.com/CrowdStrike/CRT

Mar 18, 2021

cisagov / Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possibly compromised accounts and applications in the Azure/M365 environment.

The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoCs), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files located in the user's default home directory in a folder called 'ExportDir' (i.e. Desktop/ExportDir).
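The service principal permission check is the part of this workflow most worth reproducing by hand. The following is an added example, not Sparrow's code: it reviews a constructed set of permission grants for high-privilege Microsoft Graph scopes and writes the result as a CSV under an ExportDir folder in the user's home directory, echoing the one-CSV-per-check output described above. The Graph permission names are real, but the "high risk" list, the recency cutoff and the two-signal rule are this example's own choices.

```powershell
# Added example (not Sparrow's code). Assumptions: the grant records are
# constructed, and the high-risk list, cutoff and two-signal rule are
# illustrative choices rather than Sparrow's logic.

function Get-HighRiskGraphGrant {
    param(
        [Parameter(Mandatory)] [object[]] $Grants,
        [datetime] $Since = (Get-Date).AddDays(-30),
        [string[]] $HighRiskPermissions = @(
            'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
            'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All',
            'Mail.Read', 'Mail.ReadWrite', 'MailboxSettings.ReadWrite'
        )
    )
    foreach ($g in $Grants) {
        $grantedOn = [datetime]::Parse($g.GrantedOn, [cultureinfo]::InvariantCulture)
        $signals = @()
        if ($g.Permission -in $HighRiskPermissions) { $signals += 'high-privilege Graph permission' }
        # Application (app-only) permissions act without a signed-in user.
        if ($g.PermissionType -eq 'Application') { $signals += 'app-only permission' }
        if ($grantedOn -ge $Since) { $signals += "granted recently ($($g.GrantedOn))" }
        # Require two independent signals so long-standing, expected grants do not drown the report.
        if ($signals.Count -ge 2) {
            [pscustomobject]@{
                AppDisplayName     = $g.AppDisplayName
                ServicePrincipalId = $g.ServicePrincipalId
                Permission         = $g.Permission
                PermissionType     = $g.PermissionType
                GrantedOn          = $g.GrantedOn
                Signals            = ($signals -join '; ')
            }
        }
    }
}

# Constructed sample grants; the service principal IDs are placeholders.
$grants = @'
AppDisplayName,ServicePrincipalId,Permission,PermissionType,GrantedOn
Payroll Connector,11111111-1111-1111-1111-111111111111,User.Read,Delegated,2019-06-04
Payroll Connector,11111111-1111-1111-1111-111111111111,Mail.Read,Application,2019-06-04
Backup Agent,22222222-2222-2222-2222-222222222222,Directory.ReadWrite.All,Application,2021-03-11
Helpdesk Bot,33333333-3333-3333-3333-333333333333,Mail.ReadWrite,Application,2021-03-14
Survey Tool,44444444-4444-4444-4444-444444444444,User.Read,Delegated,2021-03-15
'@ | ConvertFrom-Csv

$findings  = Get-HighRiskGraphGrant -Grants $grants -Since ([datetime]'2021-02-18')
$exportDir = Join-Path $HOME 'ExportDir'   # assumption: same folder name as described above
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$findings | Export-Csv -Path (Join-Path $exportDir 'HighRiskGraphGrants.csv') -NoTypeInformation
$findings | Format-Table -AutoSize
```

On the sample data the old app-only Mail.Read grant is still reported (two signals: privilege and app-only), the two March grants are reported with three signals, and the delegated User.Read grants are left out. In a real review, feed the function the tenant's actual grant export rather than the constructed rows.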

Links:

  • https://github.com/cisagov/Sparrow

Mar 10, 2021

3 Tools for ProxyLogon (Exchange 0day vuln)

On March 2nd, Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being used in attacks against exposed OWA servers. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These vulnerabilities, aka 'ProxyLogon', are being used to steal mailboxes, harvest credentials, and deploy web shells to access the internal network.

In response, Microsoft has released a tool called Microsoft Safety Scanner, also known as the Microsoft Support Emergency Response Tool (MSERT). It is a standalone, portable antimalware tool that includes Microsoft Defender signatures to scan for and remove detected malware.

MSERT is an on-demand scanner and is well suited to spot scans.

Microsoft Safety Scanner

  • https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


If you would like to scan for web shells without removing them, you can use a new PowerShell script named detect_webshells.ps1 created by CERT Latvia.

  • https://github.com/cert-lv/exchange_webshell_detection


Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.

  • https://github.com/microsoft/CSS-Exchange/tree/main/Security
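The "detect without removing" approach of the scripts above can be illustrated with a small hunt of one's own. The following is an added example, not code from Microsoft's Test-ProxyLogon.ps1 or CERT Latvia's detect_webshells.ps1: it reports, but never deletes, server-side script files that were written after a cutoff, whose hash is missing from a known-good baseline, or which carry script-execution tokens. The directory tree, baseline and cutoff are constructed in a temp folder; the real Exchange web paths a hunt would scan are not given on this page, so the path is left as a parameter.

```powershell
# Added example (not Microsoft's or CERT-LV's script). Assumptions: the
# tree, baseline, cutoff and token list below are constructed for
# illustration; the paths to scan on a real server are the caller's choice.

function Find-WebShellCandidate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [datetime] $ModifiedAfterUtc,
        [string[]] $BaselineSha256 = @(),   # hashes of files known to ship with the product
        [string[]] $Tokens = @('eval(', 'Request.Item', 'Request.Form', 'Process.Start', 'FromBase64String')
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx'
    foreach ($file in $files) {
        $hash    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $content = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        $hits    = @($Tokens | Where-Object { $content -and $content.Contains($_) })
        $reasons = @()
        if ($file.LastWriteTimeUtc -ge $ModifiedAfterUtc) { $reasons += "written $($file.LastWriteTimeUtc.ToString('u'))" }
        if ($BaselineSha256.Count -gt 0 -and $hash -notin $BaselineSha256) { $reasons += 'hash not in baseline' }
        if ($hits.Count -gt 0) { $reasons += "tokens: $($hits -join ', ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                File    = $file.FullName
                SHA256  = $hash
                Score   = $reasons.Count    # more independent signals, higher review priority
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample tree: one long-standing baseline file, one new file carrying tokens.
$root  = [IO.Path]::Combine([IO.Path]::GetTempPath(), 'webshell-hunt-demo', 'owa', 'auth')
New-Item -ItemType Directory -Path $root -Force | Out-Null
$known = Join-Path $root 'logon.aspx'
$new   = Join-Path $root 'help.aspx'
Set-Content -Path $known -Value '<%@ Page Language="C#" %><!-- constructed placeholder for a shipped file -->'
Set-Content -Path $new   -Value '<%-- constructed sample: contains the tokens eval( and Request.Item but executes nothing --%>'
(Get-Item $known).LastWriteTimeUtc = [datetime]'2020-01-01'
$baseline = @((Get-FileHash -Path $known -Algorithm SHA256).Hash)

Find-WebShellCandidate -Path $root -ModifiedAfterUtc ([datetime]'2021-03-01') -BaselineSha256 $baseline |
    Sort-Object -Property Score -Descending |
    Format-Table -AutoSize
```

On the sample tree only help.aspx is reported, with all three signals; logon.aspx is old, in the baseline and token-free. The hash baseline is the strongest of the three signals, since an attacker can backdate timestamps and avoid obvious tokens, so on a real server build it from a clean installation of the same Exchange build.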

Mar 8, 2021

CVE-2017-8461 - RRAS

This vulnerability was disclosed in June 2017, with a CVSS score of 7.0 (High), and affects RRAS. It is also known as “Windows RPC Remote Code Execution Vulnerability.”

With this vulnerability, Windows RPC with Routing and Remote Access (enabled in Windows XP and Windows Server 2003) allows an attacker to execute code on a targeted RPC server which has Routing and Remote Access enabled.

Recently, a new Metasploit module was released. This module exploits an overflow in the Windows Routing and Remote Access Service (RRAS) to execute code as SYSTEM.

The RRAS DCERPC endpoint is accessible by unauthenticated users via the SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts (however, this module targets Windows Server 2003 only).

Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well.

The module has been successfully tested on:

  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1 (x86)
  • Windows Server 2003 SP2 (x86)
  • Windows Server 2003 R2 SP2 (x86)

Links:

  • https://attackerkb.com/topics/cH3SJNSMsg/cve-2017-8461
  • http://packetstormsecurity.com/files/161672/Microsoft-Windows-RRAS-Service-MIBEntryGet-Overflow.html