A highly configurable PowerShell application to provide an automated, repeatable and extendable framework to detect attack activity in EntraID.
CloudSweep is designed for IR teams to rapidly collect the data needed for an investigation during an active intrusion, and to run again after the investigation has concluded to confirm the threat actor has not retained access to the tenant. It can also be run on a regular basis as an early indicator of compromise or as part of existing threat hunting activities.
- OAuth2 Applications with known malicious Application IDs
- OAuth2 Applications with suspicious naming conventions (e.g. non-alphanumeric names or names containing the word "test")
- OAuth2 Applications whose names match existing usernames or service principal IDs, automatically normalizing for common permutations
- Suspicious user-agents used to authenticate
- Accounts that may be backdoored via OAuth consent attacks
Quickly review OAuth applications within EntraID for potentially malicious indicators, printing the assigned permissions in human-readable form.
Automatically correlate user and service principal names against the OAuth applications registered in the tenant, normalizing entries for common permutations.
Review sign-in logs for suspicious user-agents on successful sign-ins.
A configurable whitelist prevents known-good applications in your tenant from appearing in further analysis results, reducing the need for repeat review.
Identify accounts potentially backdoored through OAuth consent attacks, and save the full sign-in logs for the identified logins to output/signin_logs.json.
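The naming, username-collision and whitelist checks described above, as an added example that is not CloudSweep's own code. The normalisation rules, the record field names and the sample applications, users, service principals and whitelist are all constructed assumptions standing in for Graph output and whitelist.json:

```powershell
# Constructed sample data standing in for Graph /applications, /users and
# /servicePrincipals output, plus a whitelist.json-style list of known-good app IDs.
$apps = @(
    [pscustomobject]@{ displayName = 'Contoso HR Sync';    appId = '11111111-1111-1111-1111-111111111111' },
    [pscustomobject]@{ displayName = 'test-app';           appId = '22222222-2222-2222-2222-222222222222' },
    [pscustomobject]@{ displayName = 'j.smith';            appId = '33333333-3333-3333-3333-333333333333' },
    [pscustomobject]@{ displayName = '??? backup';         appId = '44444444-4444-4444-4444-444444444444' },
    [pscustomobject]@{ displayName = 'Contoso Backup Svc'; appId = '55555555-5555-5555-5555-555555555555' }
)
$users             = @('jsmith@contoso.com', 'admin@contoso.com')
$servicePrincipals = @('Contoso-Backup-Svc')
$whitelist         = @('11111111-1111-1111-1111-111111111111')   # known-good, skipped from analysis

# Assumed normalisation: lower-case, strip the UPN domain, drop separators and
# whitespace, so "j.smith", "jsmith@contoso.com" and "J_Smith" all collide.
function Get-NormalizedName {
    param([string]$Name)
    $n = $Name.ToLowerInvariant()
    $n = ($n -split '@')[0]
    return ($n -replace '[\s\.\-_]', '')
}

# Assumed naming rule: any character outside [A-Za-z0-9 ] or the word "test" is suspicious.
function Test-SuspiciousName {
    param([string]$Name)
    return ($Name -match '[^a-zA-Z0-9 ]') -or ($Name -match '\btest\b')
}

# Index every known user and service principal by its normalised name.
$known = @{}
foreach ($u in $users)              { $known[(Get-NormalizedName $u)]  = "user $u" }
foreach ($sp in $servicePrincipals) { $known[(Get-NormalizedName $sp)] = "service principal $sp" }

# Evaluate each non-whitelisted application and emit one finding per flagged app.
foreach ($app in ($apps | Where-Object { $_.appId -notin $whitelist })) {
    $reasons = @()
    if (Test-SuspiciousName $app.displayName) { $reasons += 'suspicious name' }
    $norm = Get-NormalizedName $app.displayName
    if ($known.ContainsKey($norm)) { $reasons += "name collides with $($known[$norm])" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ AppId = $app.appId; Name = $app.displayName; Reasons = ($reasons -join '; ') }
    }
}
```

With the constructed data above, "test-app", "j.smith" and "??? backup" are flagged for their names, "j.smith" additionally collides with the user jsmith@contoso.com, "Contoso Backup Svc" collides with the service principal Contoso-Backup-Svc, and the whitelisted "Contoso HR Sync" is never evaluated.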
To set up CloudSweep:
- Create a new OAuth2 Application (app registration) in the tenant.
- Copy the Client Secret and the App (client) ID.
- Copy the Tenant ID.
- Put the Client Secret, Client ID and Tenant ID into the ./config/config.json file. This file then holds a credential with tenant-wide read access, so restrict who can read it and rotate the secret once the investigation is complete.
- Assign the permissions listed in the Permissions section.
- Run the application from an administrative PowerShell window.
- The first time you run the tool, the OAuth2 analysis will flag multiple "Unknown Application" results. Once you have verified an application as known-good, copy its application ID into the whitelist.json file so it is excluded from future analysis. Do not whitelist an application you have not verified, as that would hide it from every later run.
Each of the individual scripts can be run independently depending on your specific needs. To run all scripts together:
- Open an Administrative PowerShell Window
- Run the main script (passing it with -File rather than as the first positional argument, which powershell.exe would otherwise treat as a command)
powershell.exe -File .\CloudSweep.ps1
- Profit
- Suspicious reply URL: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants
- Q. How do I get my tenant ID?
- A. In the Azure portal, search for "Tenant Properties"; the Tenant ID is the fifth field on the page.
You must assign the following Application permissions (not delegated):
- Application.Read.All
- AuditLog.Read.All
- AuthenticationContext.Read.All
- Directory.Read.All
- Policy.Read.All
- User.Read.All
- UserAuthenticationMethod.Read.All
You then must grant admin consent for these permissions; without it the application-only token issued to CloudSweep will not carry them and the Graph queries will fail with authorization errors.
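To confirm that the setup steps above and the admin consent actually took effect before running a sweep, the following added example (not CloudSweep's own code) reads config.json, obtains an app-only token with the client credentials grant, and checks the token's "roles" claim, which is where Entra ID places granted application permissions, against the list in the Permissions section. The config.json key names (TenantId, ClientId, ClientSecret) are assumed, as the page does not show the file's layout:

```powershell
# Assumed config.json layout: { "TenantId": "...", "ClientId": "...", "ClientSecret": "..." }
$cfg = Get-Content -Raw -Path './config/config.json' | ConvertFrom-Json

# Client credentials grant against the v2.0 token endpoint; .default requests every
# application permission that has been admin-consented for this app.
$tokenUri = "https://login.microsoftonline.com/$($cfg.TenantId)/oauth2/v2.0/token"
$body = @{
    client_id     = $cfg.ClientId
    client_secret = $cfg.ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body).access_token

# Decode the JWT payload (base64url, no signature check: we only inspect our own token).
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $b64 = ($Jwt -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# The application permissions CloudSweep requires, per the Permissions section.
$required = 'Application.Read.All', 'AuditLog.Read.All', 'AuthenticationContext.Read.All',
            'Directory.Read.All', 'Policy.Read.All', 'User.Read.All', 'UserAuthenticationMethod.Read.All'
$granted = @((ConvertFrom-JwtPayload $token).roles)
$missing = $required | Where-Object { $_ -notin $granted }
if ($missing) {
    throw "Admin consent is missing for: $($missing -join ', ')"
}

# Smoke test with the permissions just verified: list the tenant's OAuth2 applications.
$headers = @{ Authorization = "Bearer $token" }
$apps = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/applications?$select=displayName,appId' -Headers $headers
$apps.value | Select-Object displayName, appId
```

If the script throws, the missing permission either was not assigned or admin consent was not granted; a freshly consented permission can also take a short time to appear in newly issued tokens, so re-run the check rather than editing the tool.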
Analysis is based on the following research linked below:
- ProofPoint MACT Campaigns
- HuntressLabs Known Bad App IDs
- Microsoft OAuth Attack Flow
- WIZ OAuth Attack Writeup
- PerfectData Software OAuth Attack WriteUp
CloudSweep is only to be used within environments that you either own or have permission to test. This tool will assist with detecting potential threats, however use of this tool does not mean you have detected all potential threats. Regular auditing with a diverse set of tools is recommended. The author accepts no liability for actions taken by its users.