The DHS Cybersecurity and Infrastructure Security Agency (CISA) has released a new companion tool for Sparrow, the open-source PowerShell-based detection tool it launched in December 2020 to help network defenders identify potentially compromised accounts in their Microsoft 365, Office 365 and Azure environments.
Sparrow was developed after the SolarWinds cyberattack to help network defenders determine whether their cloud environments had been compromised. The new tool, called Aviary, is a Splunk-based dashboard that visualizes and reviews the data Sparrow outputs, so that post-compromise threat activity in Microsoft 365, Office 365 and Azure accounts can be recognized.
The Aviary dashboard lets network defenders review PowerShell logs and examine mailbox sign-ins to judge whether the activity is legitimate. Through the dashboard, PowerShell usage by users can be evaluated and Azure AD domains checked to find out whether they have been modified.
CISA urges network defenders to review the previously published Alert AA21-008A on detecting post-compromise threat activity in Microsoft cloud environments, which has recently been updated to include guidance on using the Aviary dashboard. The Aviary dashboard can be downloaded from CISA's Sparrow GitHub repository.
To utilize the Aviary dashboard, users must take the following steps:
- use the Sparrow logs
- import the Aviary .xml file into the dashboard
- connect Aviary to the Sparrow data by selecting the index and host
- review the results
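As an added illustration of the kind of review the dashboard supports (this is example code, not part of CISA's Sparrow or Aviary), the script below flags PowerShell-based sign-ins and Azure AD domain changes in constructed audit-style records. The record fields, sample values and the `load_records` helper are assumptions for this example; the operation names are assumed to match the Azure AD audit activity names and are not taken from Sparrow's own schema.

```python
import csv
from collections import defaultdict

# Constructed sample records in a simplified unified-audit-log style.
# This layout is an assumption for the example, not Sparrow's CSV schema.
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ApplicationDisplayName": "OfficeHome"},
    {"Operation": "UserLoggedIn", "UserId": "svc-backup@example.com",
     "ClientIP": "198.51.100.7",
     "ApplicationDisplayName": "Microsoft Exchange REST API Based PowerShell"},
    {"Operation": "Set federation settings on domain.",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.7",
     "Target": "example.com"},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10"},
]

# Azure AD audit operations that alter domain trust (assumed names).
DOMAIN_CHANGE_OPS = {
    "Set domain authentication.",
    "Set federation settings on domain.",
    "Add domain to company.",
}

def load_records(path):
    """Hypothetical loader: read an exported CSV into dict records."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))

def review_records(records):
    """Collect the two findings a defender triages first: mailbox sign-ins
    made through a PowerShell client and changes to Azure AD domains."""
    findings = {"powershell_logins": defaultdict(set), "domain_changes": []}
    for rec in records:
        op = rec.get("Operation", "")
        app = rec.get("ApplicationDisplayName", "")
        if op == "UserLoggedIn" and "PowerShell" in app:
            findings["powershell_logins"][rec["UserId"]].add(rec["ClientIP"])
        elif op in DOMAIN_CHANGE_OPS:
            findings["domain_changes"].append(
                (rec["UserId"], op, rec.get("Target", "?"), rec["ClientIP"]))
    return findings

def shared_ips(findings):
    """Client IPs seen both in a PowerShell sign-in and a domain change;
    that overlap is worth reviewing before anything else."""
    ps_ips = set().union(*findings["powershell_logins"].values())
    dom_ips = {ip for _, _, _, ip in findings["domain_changes"]}
    return ps_ips & dom_ips
```

Point `load_records` at a Sparrow export to run the same checks on real data, adjusting the field names to the columns the export actually contains.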
Aside from these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to discover indicators of malicious activity connected to the SolarWinds cyberattack on Windows systems in an on-premises environment. The tool inspects Windows event logs and the Windows registry for evidence of compromise, and can be used to query Windows artifacts and apply YARA rules to identify malware, backdoors and other malicious code.