Forum Discussion
TomWechsler (MVP), Nov 12, 2023
Microsoft Entra ID: Advanced Threat Hunting - AzureADRecon and Microsoft Sentinel
Dear Microsoft Entra ID Friends:
This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel.
I always start with a list of MITRE ATT&CK techniques.
Initial Access:
- Drive-by Compromise
- Exploit Public-Facing Application
- External Remote Services
- Phishing
- Phishing: Spearphishing Link
- Valid Accounts
Persistence:
- Account Manipulation
- Create Account
- Office Application Startup
We start by collecting the information with the AzureADRecon tool.
Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that!
Installing:
Download the tool; the easiest way is to save the .zip file directly.
Note: Your antimalware program may react during the download!
If you have git installed, you can start by cloning the repository:
If you downloaded the tool as a zip file, extract it and place the folder in a location that you can easily find again. If you cloned the repository, the folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted or cloned folder.
In order to get started we need one more prerequisite, in my case the PowerShell AzureAD module. However, you are welcome to work with the Microsoft Graph, but this requires additional preparations afterwards.
Install the AzureAD Module:
Install-Module AzureAD -Verbose -Force -AllowClobber
Don't forget we need to adjust the execution policy in PowerShell!
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Note: In order to work with this tool, you need to work with an account that has sufficient rights in Entra ID.
To run AzureADRecon (will prompt for credentials):
PS C:\AzureADRecon-master> .\AzureADRecon.ps1
However, you can also work with variables first.
PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds
Note: To get the report as a spreadsheet, Excel must be installed on the system.
The report is created in the same folder:
Now open the report and start the investigation and analysis!
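The steps above (execution policy, AzureAD module, credential, run) can be wrapped in one small script. The following is an added example and is not code from the original post or from the AzureADRecon project. It assumes the repository sits at C:\AzureADRecon-master (the path used in the post), that AzureADRecon.ps1 accepts the -OutputDir parameter as documented in the project's README, and it uses RemoteSigned, which is narrower than Unrestricted but still sufficient to run a script from the local disk. The credential is requested with Get-Credential so that no password is stored in a variable or in the PowerShell history.

```powershell
# Added example (not from the original post or the AzureADRecon project):
# prepare the prerequisites and run AzureADRecon with an interactively
# obtained credential. Paths and the -OutputDir parameter are assumptions.

param(
    [string]$ReconPath  = 'C:\AzureADRecon-master',                 # assumed location
    [string]$OutputPath = "$env:USERPROFILE\AzureADRecon-Reports"    # assumed output folder
)

# 1. Execution policy: RemoteSigned is enough to run a local script and is
#    narrower than Unrestricted; it is applied to the current user only.
if ((Get-ExecutionPolicy -Scope CurrentUser) -in @('Restricted', 'Undefined')) {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# 2. AzureAD module: install only if it is not already available.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD -Scope CurrentUser -Force -AllowClobber
}

# 3. Credential: interactive prompt instead of a plaintext password in a variable.
#    The account must have sufficient read rights in Entra ID (see the post).
$creds = Get-Credential -Message 'Entra ID account used for AzureADRecon'

# 4. Run the tool and keep the report in a dedicated folder so that reports
#    from different investigations do not overwrite each other.
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
Set-Location $ReconPath
.\AzureADRecon.ps1 -Credential $creds -OutputDir $OutputPath   # -OutputDir assumed

# 5. Record what was collected and when, for the investigation notes.
Get-ChildItem -Path $OutputPath -Recurse -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

Keeping each run's output in its own folder and listing the files with their timestamps gives you a simple record of what evidence was gathered at which point of the investigation.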
User Stats:
Users:
Directory Roles:
Directory Roles Members:
Devices:
Advanced Hunting with Microsoft Sentinel!
Now we have detailed information from the Microsoft client. The information was not collected at random, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel.
In Microsoft Sentinel, we can directly access the incidents from the overview.
List of incidents:
View full incident details:
Now the deep dive into the incident:
Investigate each incident:
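The post works through the incidents in the Sentinel portal. As an added example, not from the original post, the same hypothesis can be checked with a hunting query run from PowerShell, which lets you feed the directory-role members from the AzureADRecon report straight into the query. It assumes the Az.Accounts and Az.OperationalInsights modules are installed, that the role members were exported from the report into a CSV with a UserPrincipalName column, and that the workspace ID is filled in; the KQL uses the standard AuditLogs and SigninLogs tables and the Entra audit operation names "Add user", "Add member to role", "Update user" and "Reset user password", which map to the Persistence techniques (Create Account, Account Manipulation) and to Valid Accounts in the ATT&CK list above.

```powershell
# Added example (not from the original post): run a Sentinel hunting query
# from PowerShell, using the privileged accounts found by AzureADRecon as input.
# Workspace ID and CSV path are placeholders/assumptions.

param(
    [string]$WorkspaceId    = '<your-log-analytics-workspace-id>',   # placeholder
    [string]$RoleMembersCsv = '.\DirectoryRoleMembers.csv',         # assumed export from the report
    [int]$LookbackDays      = 14
)

Connect-AzAccount | Out-Null

# Privileged accounts taken from the recon report, quoted for a KQL dynamic array.
$members    = Import-Csv $RoleMembersCsv | ForEach-Object { '"{0}"' -f $_.UserPrincipalName }
$memberList = $members -join ', '

# Hypothesis: a privileged account was used to create or manipulate accounts
# (Persistence). The query takes directory changes made by those accounts
# (AuditLogs) and joins the successful sign-ins of the same account in the
# hour before each change (SigninLogs), so that every change is shown together
# with the source IP and application it was made from.
$kql = @"
let privileged = dynamic([$memberList]);
let lookback = ${LookbackDays}d;
let changes = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Add user", "Add member to role", "Update user", "Reset user password")
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | where Actor in~ (privileged)
    | project ChangeTime = TimeGenerated, Actor, OperationName,
              Target = tostring(TargetResources[0].userPrincipalName), Result;
let signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName in~ (privileged) and ResultType == "0"
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName;
changes
| join kind=inner (signins) on `$left.Actor == `$right.UserPrincipalName
| where SigninTime between ((ChangeTime - 1h) .. ChangeTime)
| summarize Changes = make_set(OperationName), Targets = make_set(Target),
            SourceIPs = make_set(IPAddress), Apps = make_set(AppDisplayName)
    by Actor, bin(ChangeTime, 1h)
| order by ChangeTime desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
    -Query $kql -Timespan (New-TimeSpan -Days $LookbackDays)
$result.Results | Format-Table -AutoSize
```

A row with a source IP or application you do not recognise for that administrator is the starting point for the incident deep dive described above; an empty result does not close the hypothesis, it only means the privileged accounts from the report made no such changes in the lookback window.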
HAPPY INVESTIGATING!
I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to "give"/describe a good starting point. Thank you for taking the time to read the article.
Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler