Active Directory PowerShell

With the recent announcement of the SolarWinds attack, Microsoft has provided additional signals for Azure Sentinel to help detect activity related to this attack. However, if you don’t have Azure Sentinel set up, you will have to manually search your Unified Audit Log for that activity. To help with that, I’ve put together a few scripts that may help you quickly identify suspicious activity using PowerShell.

Note: These scripts should not be considered exhaustive for this observed activity, but they are a good starting point to help you find what you need. For complete details on this and the detections, please refer to the Customer Guidance on Recent Nation-State Cyber Attacks from Microsoft Security Response Center.

For each detection, I tried to provide the minimal amount of filtering, so you can see as much data as you need, and filter as needed. These scripts are based on the Kusto queries in Azure Sentinel. Each one contains a link to the query, so you can see the full filtering and matching Microsoft suggests.

Anomalous Azure Active Directory PowerShell behavior

This will search the Azure AD sign-in logs for users or applications that used Azure Active Directory PowerShell to access non-Active Directory resources.

Source: Azure Active Directory PowerShell accessing non-AAD resources

New access credential added to OAuth Application or Service Principal

This will search the audit logs and show when an admin or app owner account has added a new credential to an Application or Service Principal.

Keep in mind this script does not filter as deeply as the Microsoft Sentinel query. In theirs they filter out results that don’t have an “@” in the UPN or Display Name, which appears to remove the internal principals that Azure creates on its own. You can filter these from your results with a simple Where-Object clause. See the full source linked below for all the filtering they are doing.

Source: New access credential added to Application or Service Principal

Modified domain federation trust settings

This will search the audit logs for modifications to the federation settings on your domain.

Source: Modified domain federation trust settings
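For the credential-added and federation-settings detections above, here is an added example of the approach in PowerShell (my illustration, not the post's own scripts). It assumes an Exchange Online PowerShell session so that Search-UnifiedAuditLog is available; the operation names are the Azure AD audit operations these detections are known to key on, and the "@" filter is an approximation of the one in the Sentinel query, so check both against the linked sources.

```powershell
# Added example, not the post's own script. Assumes Connect-ExchangeOnline has
# already been run so Search-UnifiedAuditLog is available in the session.
function Get-SuspiciousAadChanges {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date),
        # Apply the "@" filter the Sentinel query uses (drops Azure-internal principals)
        [switch]$ExcludeInternalPrincipals
    )

    # Azure AD audit operations behind the two detections (verify against the linked queries)
    $operations = @(
        'Add service principal credentials.',                        # new key/secret on a service principal
        'Update application - Certificates and secrets management',  # new key/secret on an app registration
        'Set federation settings on domain.',                        # federation trust modified
        'Set domain authentication.'                                 # domain switched managed <-> federated
    )

    # Minimal filtering on purpose: pull every matching record, then narrow as needed.
    $records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType AzureActiveDirectory -Operations $operations -ResultSize 5000

    foreach ($r in $records) {
        # AuditData is a JSON string; Target is an array of { ID, Type } entries
        $d       = $r.AuditData | ConvertFrom-Json
        $targets = ($d.Target | ForEach-Object { $_.ID }) -join '; '

        $row = [pscustomobject]@{
            When      = $r.CreationDate
            Operation = $r.Operations
            Actor     = $r.UserIds
            Targets   = $targets
            Result    = $d.ResultStatus
        }

        # Approximation of the Sentinel "@" filter: keep the record if either the
        # actor or any target looks like a UPN / user-style display name.
        if ($ExcludeInternalPrincipals -and
            $row.Actor -notmatch '@' -and $row.Targets -notmatch '@') { continue }

        $row
    }
}

# Usage: review everything first, then re-run with the filter to trim internal noise
Get-SuspiciousAadChanges | Sort-Object When | Format-Table -AutoSize
Get-SuspiciousAadChanges -ExcludeInternalPrincipals | Sort-Object When | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a wider window, page through with its SessionId/SessionCommand parameters or shorten the date range.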

This post is offered “as is”, with no guarantee that this code or pseudocode will work in your environment, or that the information will not change. Links have been provided to the original sources so that you can check whether any of the guidance from Microsoft has changed.