Microsoft Entra ID: Advanced Threat Hunting - AzureADRecon and Microsoft Sentinel


Dear Microsoft Entra ID Friends:

This article is about collecting information with the AzureADRecon tool. We use this information to investigate a hypothesis and start the hunt with the help of Microsoft Sentinel.

I always start with a list of MITRE ATT&CK techniques.

Execution:
Command and Scripting Interpreter

Credential Access:
Brute Force

Discovery:
Permission Groups Discovery

We start by collecting the information with the AzureADRecon tool.

Note: The AzureADRecon tool is provided by Prashant Mahajan (@prashant3535), thanks for that!

Installing:

Download the tool; the easiest way is to save the .zip file directly.

Note: Be aware that your antimalware program may react during the download!

If you have git installed, you can also clone the repository instead.

If you downloaded the tool as a zip file, extract it and place it in a location that you can easily find again. If you cloned the repository, a folder was created directly. Now launch PowerShell or Windows Terminal, whichever you prefer, and navigate to the extracted or cloned folder.

To get started we need one more prerequisite, in my case the PowerShell AzureAD module. You are welcome to work with Microsoft Graph instead, but this requires additional preparation afterwards.

Install the AzureAD Module:

Install-Module AzureAD -Verbose -Force -AllowClobber

 

Don't forget that we need to adjust the execution policy in PowerShell!

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser


Note: In order to work with this tool, you need an account that has sufficient rights in Entra ID.

To run AzureADRecon (it will prompt for credentials):

PS C:\AzureADRecon-master> .\AzureADRecon.ps1

However, you can also work with variables first:

PS C:\AzureADRecon-master> $username = "your user principal name"
PS C:\AzureADRecon-master> $passwd = ConvertTo-SecureString "your password" -AsPlainText -Force
PS C:\AzureADRecon-master> $creds = New-Object System.Management.Automation.PSCredential ($username, $passwd)
PS C:\AzureADRecon-master> .\AzureADRecon.ps1 -Credential $creds
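As an added example (my own wrapper, not code from the article or from the AzureADRecon project), the steps above combined into one small script: it checks the prerequisites, prompts for the credentials with Get-Credential instead of keeping the password in a plain-text variable, and lists what the run produced. The folder path is a placeholder you adjust to your extract/clone location.

```powershell
# Added example wrapper around the procedure described above; not part of AzureADRecon.
# Assumption: the tool was extracted/cloned to C:\AzureADRecon-master (placeholder path).
$reconPath = 'C:\AzureADRecon-master'

# 1. The AzureAD module must be installed (see Install-Module above).
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Write-Warning 'AzureAD module is missing; run: Install-Module AzureAD -Force -AllowClobber'
    return
}

# 2. The effective execution policy must allow the unsigned script to run
#    (see Set-ExecutionPolicy above). Restricted and AllSigned both block it.
$policy = Get-ExecutionPolicy
if ($policy -in @('Restricted', 'AllSigned')) {
    Write-Warning "Execution policy '$policy' will block AzureADRecon.ps1"
    return
}

# 3. Prompt for the account with sufficient rights in Entra ID.
#    ConvertTo-SecureString "..." -AsPlainText leaves the password readable in the
#    console history and in any saved script; Get-Credential avoids that.
$creds = Get-Credential -Message 'Entra ID account for AzureADRecon'
if (-not $creds) { return }

# 4. Run the tool from its own folder and remember when the run started.
Push-Location $reconPath
try {
    $start = Get-Date
    .\AzureADRecon.ps1 -Credential $creds

    # 5. The report is written to the same folder: show everything created or
    #    modified during this run so the report is easy to find afterwards.
    Get-ChildItem -Path $reconPath |
        Where-Object { $_.LastWriteTime -ge $start } |
        Select-Object FullName, LastWriteTime
}
finally {
    Pop-Location
}
```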

 

Note: To get the report as a spreadsheet, Excel must be installed on the system.

The report is created in the same folder.

Now open the report and start the investigation and analysis!

 

The report includes, among others, the following sections: User Stats, Users, Directory Roles, Directory Roles Members and Devices.

Advanced Hunting with Microsoft Sentinel!

 

Now we have detailed information from the Microsoft Entra ID tenant. The information was not collected at random, but because there was a suspicion. Now we continue with advanced hunting in Microsoft Sentinel.

In Microsoft Sentinel, we can access the incidents directly from the overview. From the list of incidents we open the full details of an incident, take the deep dive into it, and investigate each incident in turn.

 

HAPPY INVESTIGATING!

I am of course fully aware that this is not a complete and conclusive investigation. My aim in this article was to give and describe a good starting point. Thank you for taking the time to read the article.

 

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler