Azure Tenant Scanning
<blockquote data-quote="Exceedinglife" data-source="post: 1102722" data-attributes="member: 117089"><p>Hello everyone,</p><p></p><p>I deal with business email compromises pretty often. I created a script that checks an email account and I can verify if it's been hit or not pretty quickly.</p><p>Usually these users are not global admins, however, the other day I had 1 that was a GA and I searched the tenant.</p><p>I found an email connector in Exchange Online, and also found an app registration allowing the APT access to the tenant and to spin up cloud resources.</p><p>I checked for new VMs and didn't find anything.</p><p></p><p>Does anyone have a script to check an Azure tenant for malicious activity?</p><p>Auditing was also not turned on on this tenant, so I enabled that right away...</p><p></p><p>I'm working with another company who has just been ransomwared and their DFIR firm has a script to check tenants quickly if the threat actor was in it or not.</p><p>Of course the script is in house and they won't share it with me, but I would love a script like that!</p><p>If not I could create one, but I just need to know what I would be looking for in a tenant for malicious activity.</p><p>- Sign-in logs</p><p>- App registrations</p><p>- Email connectors</p><p>- Email rules, forwarding, delegates</p><p></p><p>Not really sure what else at this point in time.</p><p></p><p>Thank you all!</p></blockquote><p></p>
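The four areas listed at the end of the post, plus the audit-logging state it mentions, can be collected read-only in one pass. This is an added example, not part of the original post and not the DFIR firm's script. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules with sessions already connected and a tenant licensed to expose sign-in logs through Graph; the 30-day window, the output folder and the `Save-Finding` helper are illustrative.

```powershell
# Added example: read-only collection for the areas listed in the post.
# Assumes Connect-ExchangeOnline and Connect-MgGraph
# (scopes Application.Read.All, AuditLog.Read.All) have already been run.
$Since  = (Get-Date).ToUniversalTime().AddDays(-30)   # assumed look-back window
$OutDir = Join-Path $PWD 'tenant-triage'              # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Finding {            # hypothetical helper: write JSON, print a count
    param([string]$Name)
    $items = @($input)
    ConvertTo-Json -InputObject $items -Depth 4 | Set-Content (Join-Path $OutDir "$Name.json")
    '{0,-20} {1}' -f $Name, $items.Count
}

# Audit logging state (the post found it switched off)
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled | Save-Finding 'audit-config'

# Email connectors, newest first
Get-InboundConnector | Sort-Object WhenCreated -Descending |
    Select-Object Name, Enabled, ConnectorType, SenderDomains, SenderIPAddresses, WhenCreated |
    Save-Finding 'inbound-connectors'
Get-OutboundConnector | Sort-Object WhenCreated -Descending |
    Select-Object Name, Enabled, ConnectorType, SmartHosts, RecipientDomains, WhenCreated |
    Save-Finding 'outbound-connectors'

# Mailbox forwarding, inbox rules that forward/redirect/delete, and delegates
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Save-Finding 'mailbox-forwarding'
$mailboxes | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox';e={$upn}}, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage
} | Save-Finding 'inbox-rules'
$mailboxes | ForEach-Object { Get-MailboxPermission -Identity $_.UserPrincipalName } |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object Identity, User, AccessRights | Save-Finding 'delegates'

# App registrations created, or given a new client secret, inside the window
Get-MgApplication -All |
    Where-Object { $_.CreatedDateTime -ge $Since -or ($_.PasswordCredentials.StartDateTime -ge $Since) } |
    Select-Object DisplayName, AppId, CreatedDateTime | Save-Finding 'app-registrations'

# Sign-in logs for the same window
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $($Since.ToString('yyyy-MM-ddTHH:mm:ssZ'))" |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress |
    Save-Finding 'sign-ins'
```

Each check writes one JSON file and prints a row count, so an empty result is visible as `0` rather than as a missing file.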