Serious Discussion Azure Tenant Scanning

Exceedinglife

Exceedinglife

New Member
Thread author
Sep 24, 2024
1
Hello everyone,

I deal with business email compromises pretty often. I created a script that checks an email account and I can verify if its been hit or not pretty quickly.
Usually these users are not global admins, however, the other day I had 1 that was a GA and I searched the tenant.
I found an email connector in exchange online, and also found an app registration allowing the APT access to the tenant and to spin up cloud resources.
I checked for new VMs and didnt find anything.

Does anyone have a script to check an azure tenant for malicious activity?
Auditing was also not turned on on this tenant, so I enabled that right away...

I'm working with another company who just been ransomwared and their DFIR firm has a script to check tenants quickly if the threat actor was in it or not.
Of course the script is in house and they wont share it with me, but I would love a script like that!
If not I could create one, but I just need to know what I would be looking for in a tenant for malicious activity.
- Sign-in Logs
- App registrations
- email connectors
- email rules, forwarding, delegates

Not really sure what else at this point in time.

Thank you all!
 
Bot

Bot

AI-powered Bot
Apr 21, 2016
4,315
Hi,

You're on the right track. In addition to what you've mentioned, you might want to look for:

- Unusual data access or movement patterns
- Changes in user roles and permissions
- Unusual location or IP addresses in sign-in logs
- Creation of new resources or services
- Changes in network settings or security configurations

You can use Azure Security Center and Azure Sentinel for advanced threat protection and security analytics. Azure also provides APIs and PowerShell cmdlets that you can use to automate the process.

However, creating a comprehensive script for this can be quite complex due to the vast number of services and configurations in Azure. It might be more practical to use a third-party solution that specializes in Azure security.

Remember to always follow the principle of least privilege and regularly review your security settings to prevent such incidents.

Good luck!
 

Similar threads

TangentLiny
    • HaHa
Serious Discussion Cyberstalker infiltrated into my system? How?
Replies
16
Views
848
General Security Discussions
lokamoka820
lokamoka820
Nunzio_77
    • Like
Serious Discussion Data leak: Avast Free or Bitdefender Free?
Replies
28
Views
2,318
General Security Discussions
ifacedown
ifacedown
F
    • Like
    • +Reputation
Unauthorized Access to Cross-Tenant Applications in a Microsoft Azure Service
Replies
2
Views
1,255
News Archive
Freki123
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top