Forum Discussion

TomWechsler
Nov 12, 2023

Microsoft Entra ID: Advanced Threat Hunting - AzureADRecon and Microsoft Sentinel

 

Dear Microsoft Entra ID Friends:

 

This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel.

 

I always start with a list of MITRE ATT&CK techniques.

 

 

Execution:

Command and Scripting Interpreter

 

Credential Access:

Brute Force

 

Discovery:

Permission Groups Discovery
 

We start by collecting the information with the AzureADRecon tool.

Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that! 
 
Installing:
Download the tool; the easiest way is to save the .zip file right away.
Note: It is possible that your antimalware program reacts during the download!

 

If you have git installed, you can start by cloning the repository:
 
If you downloaded the tool as a zip file, extract it and place it in a location that you can easily find again. If you cloned the repository, a folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted/cloned folder.

 

To get started we need one more prerequisite, in my case the PowerShell AzureAD module. You are welcome to work with Microsoft Graph instead, but this requires additional preparation afterwards.

 

Install the AzureAD Module:

Install-Module AzureAD -Verbose -Force -AllowClobber

 

Don't forget we need to adjust the execution policy in PowerShell!
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

 

Note: In order to work with this tool, you need to work with an account that has sufficient rights in Entra ID.

 

To run AzureADRecon (will prompt for credentials):
PS C:\AzureADRecon-master> .\AzureADRecon.ps1
 
However, you can also work with variables first. 
 
PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds

 

Note: To get the report as a spreadsheet, Excel must be installed on the system.

 

The report is created in the same folder:

 

Now open the report and start the investigation and analysis!

 

User Stats:

 

Users:

 

Directory Roles:

 

Directory Roles Members:

 

Devices:

 

Advanced Hunting with Microsoft Sentinel!

 

Now we have detailed information from the tenant. The information was not collected at random, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel.
In Microsoft Sentinel, we can directly access the incidents from the overview.

 
List of incidents:

 

View full incident details:

 

Now the deep dive into the incident:

 

Investigate each incident:

 
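As an added example that is not part of the original article, here is a Microsoft Sentinel KQL hunting query for the Brute Force hypothesis from the MITRE ATT&CK list above. It assumes the SigninLogs table (Entra ID sign-in logs) is connected to the workspace; the thresholds are assumptions to tune per tenant. The accounts it returns can be compared with the Directory Roles Members sheet of the AzureADRecon report to see whether a privileged role was involved.

```kql
// Added hunting query, not from the original article.
// Hypothesis: credential brute force against Entra ID accounts from one IP,
// followed by a successful sign-in from that same IP (the signal worth an incident).
// Assumes SigninLogs is present. Entra ID result codes used:
//   50126 = invalid username or password, 50053 = account locked, 0 = success.
// failure_threshold and success_window are assumptions; tune them per tenant.
let lookback = 1d;
let failure_threshold = 10;
let success_window = 1h;
// Step 1: IPs with many failed sign-ins, and how many distinct accounts they hit
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize
        Failures = count(),
        TargetedAccounts = dcount(UserPrincipalName),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
        by IPAddress
    | where Failures >= failure_threshold;
// Step 2: successful sign-ins in the same period
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName,
              AppDisplayName, Location;
// Step 3: a success from a spraying IP during or shortly after the failure burst.
// Compare UserPrincipalName with the Directory Roles Members sheet of the report.
failures
| join kind=inner successes on IPAddress
| where SuccessTime between (FirstFailure .. (LastFailure + success_window))
| project IPAddress, Failures, TargetedAccounts, FirstFailure, LastFailure,
          SuccessTime, UserPrincipalName, AppDisplayName, Location
| order by Failures desc
```

Run it in the Logs blade or save it as a hunting query in Sentinel; a hit with a high TargetedAccounts count and a low Failures-per-account ratio points to password spraying rather than a single-account guess.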

HAPPY INVESTIGATING!

 

I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to "give"/describe a good starting point. Thank you for taking the time to read the article.

 

Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

