CrowdStrike Reporting Tool for Azure
This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.
Exchange Online (O365):
- Federation Configuration
- Federation Trust
- Client Access Settings Configured on Mailboxes
- Mail Forwarding Rules for Remote Domains
- Mailbox SMTP Forwarding Rules
- Mail Transport Rules
- Delegates with ‘Full Access’ Permission Granted
- Delegates with Any Permissions Granted
- Delegates with ‘Send As’ or ‘SendOnBehalf’ Permissions
- Exchange Online PowerShell Enabled Users
- Users with ‘Audit Bypass’ Enabled
- Mailboxes Hidden from the Global Address List (GAL)
- Collect administrator audit logging configuration settings.
- Service Principal Objects with KeyCredentials
- O365 Admin Groups Report
- Delegated Permissions & Application Permissions
Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data, and is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.