Dear Microsoft Entra ID Friends:
This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel.
I always start with a list of MITRE ATT&CK techniques.
Initial Access:
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Phishing
Phishing: Spearphishing Link
Valid Accounts
Execution:
Command and Scripting Interpreter
Persistence:
Account Manipulation
Create Account
Office Application Startup
Credential Access:
Brute Force
Discovery:
Permission Groups Discovery
We start by collecting the information with the AzureADRecon tool.
Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that!
Installing:
Download the tool; the easiest way is to save the .zip file directly.
Note: Your antimalware program may react to the download and quarantine the tool.
If you have git installed, you can start by cloning the repository:
If you downloaded the tool as a zip file, extract it and place the folder in a location that you can easily find again. If you cloned the repository, the folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted or cloned folder.
To get started we need one more prerequisite, in my case the PowerShell AzureAD module. You are welcome to work with the Microsoft Graph instead, but that requires additional preparation.
Install the AzureAD Module:
Install-Module AzureAD -Verbose -Force -Allowclobber
Don't forget we need to adjust the execution policy in PowerShell!
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Note: In order to work with this tool, you need to work with an account that has sufficient rights in Entra ID.
To run AzureADRecon (will prompt for credentials):
PS C:\AzureADRecon-master> .\AzureADRecon.ps1
Alternatively, you can build the credential object in variables first and pass it to the script.
PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds
Note: To get the report as a spreadsheet, Excel must be installed on the system.
The report is created in the same folder:
Now open the report and start the investigation and analysis!
Advanced Hunting with Microsoft Sentinel!
Now we have detailed information about the tenant. This information was not collected at random, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel.
In Microsoft Sentinel, we can directly access the incidents from the overview.
View full incident details:
Now the deep dive into the incident:
Investigate each incident:
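As an added illustration (not a query from the original article or the AzureADRecon project), here is one Sentinel hunting query that turns the Brute Force, Valid Accounts and Account Manipulation techniques from the list above into KQL over the SigninLogs and AuditLogs tables. The lookback window, failure threshold and the sign-in result codes are assumptions to adjust to your tenant.

```kql
// Hypothesis: many failed sign-ins for one account from one IP (Brute Force),
// then a successful sign-in from the same IP (Valid Accounts),
// then directory changes made by that account (Account Manipulation / Create Account).
let lookback = 7d;          // assumption: hunting window
let failThreshold = 20;     // assumption: failures per user/IP that count as a spray
// Step 1: accounts with many failed sign-ins per source IP
let bruteForce =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")   // invalid password, account locked
    | summarize Failures = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where Failures >= failThreshold;
// Step 2: a successful sign-in for the same account from the same IP
let success =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName;
bruteForce
| join kind=inner success on UserPrincipalName, IPAddress
| where SuccessTime > LastFail            // success only counts if it follows the failures
// Step 3: user or role changes initiated by that account after the success
| join kind=leftouter (
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category in ("UserManagement", "RoleManagement")
    | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
    | project ChangeTime = TimeGenerated, Initiator, OperationName, TargetResources
  ) on $left.UserPrincipalName == $right.Initiator
| where isnull(ChangeTime) or ChangeTime > SuccessTime
| project UserPrincipalName, IPAddress, Failures, FirstFail, LastFail,
          SuccessTime, AppDisplayName, OperationName, ChangeTime, TargetResources
| order by SuccessTime desc
```

Rows with a non-empty OperationName are the ones to prioritise: the account was sprayed, then used successfully, then changed users or roles. Compare the accounts that surface here against the privileged users and group memberships in the AzureADRecon report.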
I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to "give"/describe a good starting point. Thank you for taking the time to read the article.
Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler