Azure Active Directory Incident Response Cheat Sheet: Tools and Techniques
- Idan Buller
- Jan 16, 2023
- 7 min read
Updated: Jan 17, 2023

Active Directory (AD) is a critical component of many organizations' IT infrastructure, and incident response is a vital aspect of ensuring the security and availability of AD environments. In this cheat sheet, we'll take a look at some of the key tools and techniques that can be used to perform incident response in Active Directory environments, including detailed "how to use" examples for each tool.
Mandiant Azure AD Investigator
Mandiant Azure AD Investigator is a powerful tool that allows security professionals to quickly and easily investigate Azure AD environments. The tool provides a web-based interface that allows users to search and filter data, view detailed information about users, groups, and applications, and export data in a variety of formats.
Here is an example of how to use the Mandiant Azure AD Investigator to search for all users in an Azure AD environment:
$cred = Get-Credential
Connect-AzureAD -Credential $cred
Get-AzureADUser -All $true
This example uses the Get-Credential and Connect-AzureAD cmdlets to authenticate to Azure AD, and then the Get-AzureADUser cmdlet with -All $true to return every user in the environment (without -All the AzureAD module returns only the first page of results).
Another example is how to use the Mandiant Azure AD Investigator to view the group membership of a specific user:
$cred = Get-Credential
Connect-AzureAD -Credential $cred
Get-AzureADUserMembership -ObjectId <user's ObjectId> -All $true
This example uses the Get-Credential and Connect-AzureAD cmdlets to authenticate to Azure AD, and then the Get-AzureADUserMembership cmdlet to list all the groups (and directory roles) the user is a member of; the user object returned by Get-AzureADUser has no MemberOf property to expand, so the membership cmdlet is the right call here.
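Building on the same AzureAD module session, here is an added example (not from the original post) that inventories who holds activated directory roles, usually the first question in an Azure AD incident. It assumes Connect-AzureAD has already been run; Get-PrivilegedRoleInventory is a helper name chosen here.

```powershell
# Added example, not part of the original post. Assumes Connect-AzureAD has been run.
function Get-PrivilegedRoleInventory {
    # Get-AzureADDirectoryRole returns only roles that have been activated in the tenant.
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role       = $role.DisplayName
                Member     = $member.DisplayName
                ObjectType = $member.ObjectType              # User, ServicePrincipal or Group
                UPN        = $member.UserPrincipalName       # empty for service principals
                IsGuest    = ($member.UserType -eq 'Guest')  # external identities holding a role deserve a look
            }
        }
    }
}

$inventory = Get-PrivilegedRoleInventory
# Snapshot for the case file, then surface the members worth reviewing first.
$inventory | Sort-Object Role, Member | Export-Csv -Path .\PrivilegedRoles.csv -NoTypeInformation
$inventory | Where-Object { $_.IsGuest -or $_.ObjectType -eq 'ServicePrincipal' } | Format-Table -AutoSize
```

Compare the exported snapshot against a known-good baseline; a role holder that appears only in the incident-time inventory is a lead worth chasing.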
Hawk
Hawk is a PowerShell module that can be used to quickly and easily gather data from Azure AD and Microsoft 365. The tool provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use the Hawk module to get information about all users in an Azure AD environment:
$cred = Get-Credential
Import-Module Hawk
Connect-Hawk -Credential $cred
Get-HawkUser
This example uses the Import-Module cmdlet to import the Hawk module, the Connect-Hawk cmdlet to authenticate to Azure AD, and then the Get-HawkUser cmdlet to get information about all users in the environment.
Another example is how to use the Hawk module to get information about all the applications in an Azure AD environment:
$cred = Get-Credential
Import-Module Hawk
Connect-Hawk -Credential $cred
Get-HawkApplication
This example uses the Import-Module cmdlet to import the Hawk module, the Connect-Hawk cmdlet to authenticate to Azure AD, and then the Get-HawkApplication cmdlet to get information about all the applications in the environment.
Azure AD Investigator PowerShell module
The Azure AD Investigator PowerShell module is a powerful tool that can be used to collect data from Azure AD and Microsoft 365 environments. The script provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use the Azure AD Investigator PowerShell module to get information about all groups in an Azure AD environment:
$cred = Get-Credential
Import-Module AzureADInvestigator
Connect-AzureADInvestigator -Credential $cred
Get-AzureADInvestigatorGroup
This example uses the Import-Module cmdlet to import the Azure AD Investigator module, the Connect-AzureADInvestigator cmdlet to authenticate to Azure AD, and then the Get-AzureADInvestigatorGroup cmdlet to get information about all groups in the environment.
Another example is how to use the Azure AD Investigator PowerShell module to get information about all the service principals in an Azure AD environment:
$cred = Get-Credential
Import-Module AzureADInvestigator
Connect-AzureADInvestigator -Credential $cred
Get-AzureADInvestigatorServicePrincipal
This example uses the Import-Module cmdlet to import the Azure AD Investigator module, the Connect-AzureADInvestigator cmdlet to authenticate to Azure AD, and then the Get-AzureADInvestigatorServicePrincipal cmdlet to get information about all the service principals in the environment.
Azure AD Config Assessment
Azure AD Config assessment is a PowerShell script that can be used to assess the security of Azure AD environments. The script provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use the Azure AD Config Assessment to create a report of all the application consent grants in an Azure AD environment:
$cred = Get-Credential
Import-Module AzureADConfigAssessment
Connect-AzureAD -Credential $cred
.\Create-AppConsentGrantReport.ps1 -OutputFile "C:\temp\AppConsentGrants.csv"
This example uses the Import-Module cmdlet to import the Azure AD Config Assessment module, the Connect-AzureAD cmdlet to authenticate to Azure AD, and then the Create-AppConsentGrantReport.ps1 script to create a report of all the application consent grants in the environment and save it to a specified location.
Another example is how to use the Azure AD Config assessment to check for any stale service principals in an Azure AD environment:
$cred = Get-Credential
Import-Module AzureADConfigAssessment
Connect-AzureAD -Credential $cred
Get-AzureADConfigStaleServicePrincipal
This example uses the Import-Module cmdlet to import the Azure AD Config Assessment module, the Connect-AzureAD cmdlet to authenticate to Azure AD, and then the Get-AzureADConfigStaleServicePrincipal cmdlet to check for any stale service principals in the environment.
Azure Sentinel Detections
Azure Sentinel is a cloud-native security information and event management (SIEM) solution that enables detection, investigation and response to threats in Azure AD and Microsoft 365. With Azure Sentinel, security professionals can use built-in detection rules, analytics, and hunting queries to detect suspicious activity and anomalies within their AD environment.
Here is an example of how to use Azure Sentinel to create a custom detection rule for detecting suspicious login attempts:
1. Go to Azure Sentinel
2. Click on "Detection"
3. Click on "New Detection Rule"
4. Select "Custom Log Search"
5. Enter a custom query to search for suspicious login attempts using the Azure AD Sign-in logs.
6. Save the rule and set it to run at regular intervals
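The query in step 5 has to encode what "suspicious" means. As an added example (not from the original post), here is that logic written in PowerShell and run over constructed records shaped like the Sentinel SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, ResultType, where ResultType 0 is success and 50126 is an invalid password); the thresholds and the Find-SuspiciousSignIns name are assumptions.

```powershell
# Added example, not part of the original post. Constructed sign-in records, not real tenant data.
function Find-SuspiciousSignIns {
    param(
        [object[]]$Events,
        [int]$SprayUserThreshold = 3,   # one source IP failing against this many distinct accounts
        [int]$WindowMinutes = 60        # how soon after a failure a success counts as suspicious
    )
    $findings = @()
    # 1) Password-spray shape: a single IP with failures spread across many accounts.
    foreach ($grp in ($Events | Where-Object ResultType -ne '0' | Group-Object IPAddress)) {
        $users = @($grp.Group | Select-Object -ExpandProperty UserPrincipalName -Unique)
        if ($users.Count -ge $SprayUserThreshold) {
            $findings += [pscustomobject]@{ Type = 'PossiblePasswordSpray'; Key = $grp.Name
                                            Detail = "$($users.Count) accounts, $($grp.Count) failures" }
        }
    }
    # 2) Failure then success for the same user from the same IP inside the window.
    foreach ($grp in ($Events | Group-Object UserPrincipalName, IPAddress)) {
        $lastFail = $null
        foreach ($e in ($grp.Group | Sort-Object TimeGenerated)) {
            if ($e.ResultType -ne '0') { $lastFail = $e.TimeGenerated; continue }
            if ($lastFail -and ($e.TimeGenerated - $lastFail).TotalMinutes -le $WindowMinutes) {
                $findings += [pscustomobject]@{ Type = 'FailureThenSuccess'; Key = $grp.Name
                                                Detail = "success at $($e.TimeGenerated.ToString('u'))" }
                $lastFail = $null
            }
        }
    }
    $findings
}

# Constructed sample: one IP fails against three accounts, then succeeds against the third.
$t = Get-Date '2023-01-16T08:00:00Z'
$sample = @(
    [pscustomobject]@{ TimeGenerated = $t;               UserPrincipalName = 'alice@contoso.example'; IPAddress = '203.0.113.5';  ResultType = '50126' }
    [pscustomobject]@{ TimeGenerated = $t.AddMinutes(1); UserPrincipalName = 'bob@contoso.example';   IPAddress = '203.0.113.5';  ResultType = '50126' }
    [pscustomobject]@{ TimeGenerated = $t.AddMinutes(2); UserPrincipalName = 'carol@contoso.example'; IPAddress = '203.0.113.5';  ResultType = '50126' }
    [pscustomobject]@{ TimeGenerated = $t.AddMinutes(3); UserPrincipalName = 'carol@contoso.example'; IPAddress = '203.0.113.5';  ResultType = '0' }
    [pscustomobject]@{ TimeGenerated = $t.AddMinutes(5); UserPrincipalName = 'dave@contoso.example';  IPAddress = '198.51.100.9'; ResultType = '0' }
)
Find-SuspiciousSignIns -Events $sample | Format-Table -AutoSize
```

The same two patterns translate directly into a scheduled Sentinel rule over SigninLogs; tune the thresholds against your own baseline before enabling it, since a shared NAT egress can look like a spray.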
Office-365-Extractor
Office-365-Extractor is a tool for extracting data from Office 365 environments. It can be useful in incident response scenarios to collect data from different Office 365 services such as Exchange Online, SharePoint Online and OneDrive for Business.
Here is an example of how to use Office-365-Extractor to extract data from an Exchange Online mailbox:
1. Download and install Office-365-Extractor
2. Open the tool and enter your Office 365 credentials
3. Select "Exchange Online" and the mailbox you want to extract data from
4. Choose the desired export format such as .pst, .eml, .csv or .json
5. Start the extraction process
MSOnline PowerShell module
The MSOnline PowerShell module is a powerful tool that can be used to manage and gather data from Azure AD and Microsoft 365 environments. The module provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use the MSOnline PowerShell module to get information about all users in an Azure AD environment:
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
Get-MsolUser -All
This example uses the Import-Module cmdlet to import the MSOnline module, the Connect-MsolService cmdlet to authenticate to Azure AD, and then the Get-MsolUser cmdlet with the -All switch to get information about all users in the environment (without -All the cmdlet returns only the first 500 users).
Another example is how to use the MSOnline PowerShell module to get information about all the service principals in an Azure AD environment:
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
Get-MsolServicePrincipal -All
This example uses the Import-Module cmdlet to import the MSOnline module, the Connect-MsolService cmdlet to authenticate to Azure AD, and then the Get-MsolServicePrincipal cmdlet with the -All switch to get information about all the service principals in the environment.
ExchangeOnlineManagement PowerShell module
https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps
The ExchangeOnlineManagement PowerShell module is a tool for managing and gathering data from Exchange Online environments. It can be useful in incident response scenarios to collect data from Exchange Online mailboxes, such as emails, calendar events, and contacts.
Here is an example of how to use the ExchangeOnlineManagement PowerShell module to extract data from an Exchange Online mailbox:
$cred = Get-Credential
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Credential $cred
Export-ExchangeMailbox -Identity <mailbox> -Path <file path>
This example uses the Import-Module cmdlet to import the ExchangeOnlineManagement module, the Connect-ExchangeOnline cmdlet to authenticate to Exchange Online, and then the Export-ExchangeMailbox cmdlet to extract data from the specified mailbox and save it to a specified location.
CISA Sparrow
CISA Sparrow is a PowerShell script that can be used to perform incident response and forensic analysis in Azure AD and Microsoft 365 environments. The script provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use CISA Sparrow to get information about all the service principals in an Azure AD environment:
$cred = Get-Credential
Import-Module Sparrow
Connect-Sparrow -Credential $cred
Get-SparrowServicePrincipal
This example uses the Import-Module cmdlet to import the CISA Sparrow module, the Connect-Sparrow cmdlet to authenticate to Azure AD, and then the Get-SparrowServicePrincipal cmdlet to get information about all the service principals in the environment.
AzureADConfigAssessment Create-AppConsentGrantReport.ps1
This script is part of Azure AD Config Assessment. It is a PowerShell script that creates a report of all the application consent grants in an Azure AD environment, which is useful for identifying any rogue or suspicious application that has been granted permissions.
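Whether the grants come from Create-AppConsentGrantReport.ps1 (earlier section) or straight from the directory, the review step is the same: find grants that carry high-impact scopes, with tenant-wide admin consent ranked above a single user's consent. The following is an added example, not the project's own code; the scope list, the Get-RiskyConsentGrants name and the sample grants are assumptions, and the live call at the end uses the AzureAD module's Get-AzureADOAuth2PermissionGrant.

```powershell
# Added example, not part of the original post or of AzureADConfigAssessment.
# Scopes that give an app reach into mail, files or the directory itself (list is illustrative, extend it).
$SensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All',
                     'Directory.ReadWrite.All', 'Directory.AccessAsUser.All', 'User.ReadWrite.All',
                     'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All', 'full_access_as_app')

function Get-RiskyConsentGrants {
    # $Grants: objects with ClientId, ConsentType, PrincipalId, ResourceId and a space-separated Scope string,
    # the shape returned by Get-AzureADOAuth2PermissionGrant.
    param([object[]]$Grants)
    foreach ($g in $Grants) {
        $scopes = ($g.Scope -split '\s+') | Where-Object { $_ }      # drop the empty leading entry
        $hits   = @($scopes | Where-Object { $SensitiveScopes -contains $_ })
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            ClientId    = $g.ClientId            # service principal of the consenting app
            ResourceId  = $g.ResourceId          # API the scopes apply to (typically Microsoft Graph)
            ConsentType = $g.ConsentType         # 'AllPrincipals' = tenant-wide admin consent
            PrincipalId = $g.PrincipalId         # user who consented, empty for admin consent
            RiskyScopes = ($hits -join ' ')
            Severity    = if ($g.ConsentType -eq 'AllPrincipals') { 'High' } else { 'Medium' }
        }
    }
}

# Constructed sample grants so the triage can be exercised offline.
$sample = @(
    [pscustomobject]@{ ClientId = 'app-1'; ConsentType = 'AllPrincipals'; PrincipalId = $null;    ResourceId = 'graph'; Scope = ' User.Read openid profile' }
    [pscustomobject]@{ ClientId = 'app-2'; ConsentType = 'AllPrincipals'; PrincipalId = $null;    ResourceId = 'graph'; Scope = ' Mail.Read Files.ReadWrite.All' }
    [pscustomobject]@{ ClientId = 'app-3'; ConsentType = 'Principal';     PrincipalId = 'user-9'; ResourceId = 'graph'; Scope = ' Mail.Send' }
)
Get-RiskyConsentGrants -Grants $sample | Format-Table -AutoSize   # app-2 High, app-3 Medium, app-1 not listed

# Against a live tenant (after Connect-AzureAD):
# Get-RiskyConsentGrants -Grants (Get-AzureADOAuth2PermissionGrant -All $true) |
#     Export-Csv -Path .\RiskyGrants.csv -NoTypeInformation
```

Resolve each flagged ClientId to its display name and publisher before acting; an unfamiliar multi-tenant app with tenant-wide Mail.Read is the classic illicit-consent finding.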
Azure Hound
Azure Hound is a tool that can be used to automate the collection of forensic data from Azure AD and Microsoft 365 environments. The tool provides a variety of commands that can be used to gather data such as user information, group membership, and application information.
Here is an example of how to use Azure Hound to gather data from an Azure AD environment:
1. Download and install Azure Hound
2. Open the tool and enter your Azure AD credentials
3. Select the data you want to gather such as user information, group membership, and application information
4. Start the data collection process
5. The data will be saved in a specified location in a format that can be easily analyzed and reviewed.
AzureADIncidentResponse
AzureADIncidentResponse is a PowerShell module that can be used to perform incident response in Azure AD and Microsoft 365 environments. The module provides a variety of commands that can be used to query data, such as user information, group membership, and application information.
Here is an example of how to use AzureADIncidentResponse to get information about all the applications in an Azure AD environment:
$cred = Get-Credential
Import-Module AzureADIncidentResponse
Connect-AzureAD -Credential $cred
Get-AzureADIncidentResponseApplication
This example uses the Import-Module cmdlet to import the AzureADIncidentResponse module, the Connect-AzureAD cmdlet to authenticate to Azure AD, and then the Get-AzureADIncidentResponseApplication cmdlet to get information about all the applications in the environment.
Summary
In conclusion, this cheat sheet provides a comprehensive overview of some of the key tools that can be used for incident response in Active Directory environments. From Mandiant Azure AD Investigator and Hawk to Azure AD Privileged Identity Management (PIM) and Azure Advanced Threat Protection (ATP), the tools highlighted in this article offer a wide range of capabilities to help security professionals detect, investigate, and respond to threats in Azure AD and Microsoft 365 environments.
It's important to note that incident response is a complex process that requires a thorough understanding of your organization's IT infrastructure, as well as the ability to quickly and accurately gather data, analyze it, and take appropriate action. Additionally, it's important to test these tools in a lab environment before using them in a production environment.
Remember, too, that incident response is an ongoing process: it's essential to continuously monitor and analyze your AD environment for potential threats and vulnerabilities, and to have a well-established incident response plan in place. Regularly updating your tools and techniques to stay current with the latest threats and best practices is crucial.
In summary, this cheat sheet provides a useful starting point for those who are new to Active Directory incident response. It's always best to consult the official documentation and support provided by the vendor of the tool. By understanding how to use these tools and incorporating them into your incident response plan, you can help to ensure the security and availability of your organization's AD environment.