Cybermorans,
AzureHunter is a cloud forensics PowerShell module that runs threat hunting playbooks on data from Azure and O365. It is one tool you can use when pentesting Azure cloud services and reviewing their logs.
Ensure you have ExchangeOnlineManagement (EXOv2) installed. You can find instructions on the web or go directly to my little KB on how to do it at the soc analyst scrolls. You can either clone the repo or install AzureHunter from the PSGallery. Let's clone it!
Cloning the Repo
Clone this repository, then import the module:
Import-Module .\source\AzureHunter.psd1
Install AzureHunter from the PSGallery
If you prefer the gallery, type and run the following in your terminal:
Install-Module AzureHunter -Scope CurrentUser
Import-Module AzureHunter
What is the UnifiedAuditLog?
The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal.
The UnifiedAuditLog is a great source of cloud forensic information since it contains a wealth of data on multiple types of cloud operations like ExchangeItems, SharePoint, Azure AD, OneDrive, Data Governance, Data Loss Prevention, Windows Defender Alerts and Quarantine events, Threat intelligence events in Microsoft Defender for Office 365 and the list goes on and on!
Data Consistency Checks
AzureHunter implements some useful logic to ensure that the highest log density is mined and exported from Azure & O365 Audit Logs. In order to do this, we run two different operations for each cycle (batch):
Automatic Window Time Reduction: this check shrinks the time interval to the optimal size based on the ResultSizeUpperThreshold parameter, which defaults to 20k. If the number of log records returned within your designated TimeInterval exceeds ResultSizeUpperThreshold, the window is automatically reduced.
Sequential Data Check: are the returned Record Indexes sequentially valid?
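Added illustration of the two per-batch checks, written for this post and not taken from AzureHunter's source: Search-UnifiedAuditLog is replaced by a constructed stand-in so it runs offline, and the assumption is that real records carry ResultIndex and ResultCount the way the stand-in's do.

```powershell
# Constructed stand-in for Search-UnifiedAuditLog (assumption: real records expose
# ResultIndex/ResultCount like this). Returns RatePerHour records per hour of window.
function Get-FakeUalBatch {
    param([datetime]$Start, [datetime]$End, [int]$RatePerHour = 2000)
    $count = [int](($End - $Start).TotalHours * $RatePerHour)
    if ($count -lt 1) { return @() }
    1..$count | ForEach-Object {
        [pscustomobject]@{ ResultIndex = $_; ResultCount = $count; CreationDate = $Start.AddSeconds($_) }
    }
}

# Automatic Window Time Reduction: halve the window until the batch fits under
# ResultSizeUpperThreshold (AzureHunter's default is 20k), so the API never truncates a batch.
function Resolve-WindowHours {
    param([datetime]$Start, [double]$TimeIntervalHours, [int]$ResultSizeUpperThreshold = 20000)
    $hours = $TimeIntervalHours
    while ($hours -gt 0.25) {
        $batch = @(Get-FakeUalBatch -Start $Start -End $Start.AddHours($hours))
        if ($batch.Count -le $ResultSizeUpperThreshold) { break }
        $hours = $hours / 2
    }
    return $hours
}

# Sequential Data Check: ResultIndex must run 1..ResultCount with no gaps or duplicates.
# Returns the missing indexes so the caller knows this window has to be re-queried.
function Test-SequentialIndex {
    param([object[]]$Records)
    if (-not $Records) { return @() }
    $expected = 1..($Records[0].ResultCount)
    $seen = $Records | ForEach-Object { $_.ResultIndex } | Sort-Object -Unique
    Compare-Object -ReferenceObject $expected -DifferenceObject $seen |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { $_.InputObject }
}

# Demo on constructed data: a 12h window at 2000 records/hour exceeds the threshold,
# so it is halved until the batch fits.
$start = [datetime]'2020-03-06T10:00:00'
Resolve-WindowHours -Start $start -TimeIntervalHours 12

# A batch with two records dropped must be flagged, not exported as complete.
$batch  = @(Get-FakeUalBatch -Start $start -End $start.AddHours(1) -RatePerHour 10)
$broken = @($batch | Where-Object { $_.ResultIndex -notin 4, 7 })
Test-SequentialIndex -Records $broken
```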
Using the Hunter
It's recommended that you run Connect-ExchangeOnline before running any AzureHunter commands. The module checks for an active remote session and attempts to connect, but some versions of PowerShell don't allow this, so you may need to connect yourself regardless.
Run AzureHunter
AzureHunter has two main commands:
Search-AzureCloudUnifiedLog and Invoke-AzHunterPlaybook.
The purpose of Search-AzureCloudUnifiedLog is to implement the logic needed to ensure that the highest percentage of UnifiedAuditLog records is mined from Azure. By default, it exports the extracted and deduplicated records to a CSV file.
The purpose of Invoke-AzHunterPlaybook is to provide a flexible interface to the hunting playbooks stored in the playbooks folder. These playbooks are designed so that anyone can contribute their own analytics and ideas. So far, only two very simple playbooks have been developed:
AzHunter.Playbook.Exporter and AzHunter.Playbook.LogonAnalyser.
The Exporter takes care of exporting records after applying de-duplication and sorting operations to the data.
The LogonAnalyser is in beta mode and extracts events where the Operations property is UserLoggedIn.
Examples
1. Run a search on the Azure UnifiedAuditLog and extract records to a CSV file
Search-AzureCloudUnifiedLog -StartDate "2020-03-06T10:00:00" -EndDate "2020-06-09T12:40:00" -TimeInterval 12 -AggregatedResultsFlushSize 5000 -v
This command will:
Search data between the dates in StartDate and EndDate
Use a window of 12 hours, which is swept across the entire length of the time interval (StartDate --> EndDate).
The AggregatedResultsFlushSize parameter specifies the size of the record batches handed to downstream playbooks. Here we are telling AzureHunter to process a batch once the total reaches 5000 records. This way you get results on the fly, without having to wait for hours until a huge span of records is exported to CSV files.
2. Run Hunting Playbooks on CSV File
Once you have exported UnifiedAuditLog records to a CSV file, you can run playbooks against them:
$RecordArray = Import-Csv .\my-exported-records.csv
Invoke-AzHunterPlaybook -Records $RecordArray -Playbooks 'AzHunter.Playbook.UAL.LogonAnalyser'
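Added example, not the project's own playbook code: the Exporter and LogonAnalyser steps described above, run over constructed UAL-shaped records and round-tripped through a CSV the way step 2 does. The property names (Identity, UserIds, Operations, and a JSON AuditData blob carrying ClientIP and ResultStatus) are assumed from the Search-UnifiedAuditLog record schema.

```powershell
# Constructed UAL-shaped records (assumption: real Search-UnifiedAuditLog rows expose
# Identity, CreationDate, UserIds, Operations and an AuditData JSON blob with ClientIP/ResultStatus).
function New-UalRecord {
    param($Date, $User, $Op, $Id, $Ip, $Status)
    [pscustomobject]@{
        Identity = $Id; CreationDate = [datetime]$Date; UserIds = $User; Operations = $Op
        AuditData = (@{ Operation = $Op; ClientIP = $Ip; ResultStatus = $Status } | ConvertTo-Json -Compress)
    }
}
$Records = @(
    (New-UalRecord '2020-03-06T10:01:00' 'alice@contoso.example' 'UserLoggedIn' 'rec-1' '203.0.113.5'  'Success'),
    (New-UalRecord '2020-03-06T10:01:00' 'alice@contoso.example' 'UserLoggedIn' 'rec-1' '203.0.113.5'  'Success'), # duplicate from overlapping windows
    (New-UalRecord '2020-03-06T10:07:00' 'bob@contoso.example'   'UserLoggedIn' 'rec-2' '198.51.100.9' 'Failed'),
    (New-UalRecord '2020-03-06T10:08:00' 'bob@contoso.example'   'UserLoggedIn' 'rec-3' '198.51.100.9' 'Failed'),
    (New-UalRecord '2020-03-06T10:09:00' 'alice@contoso.example' 'FileAccessed' 'rec-4' '203.0.113.5'  'Success')
)

# Exporter step: drop the duplicates that overlapping search windows produce (same Identity),
# then sort by time so the CSV reads chronologically.
function Invoke-ExporterStep {
    param([object[]]$Records)
    $Records | Sort-Object Identity -Unique | Sort-Object CreationDate
}

# LogonAnalyser step: keep UserLoggedIn events, lift the pivot fields out of the AuditData
# JSON, and count outcomes per user and source IP so failed-logon bursts stand out.
function Invoke-LogonAnalyserStep {
    param([object[]]$Records)
    $Records | Where-Object { $_.Operations -eq 'UserLoggedIn' } | ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ User = $_.UserIds; ClientIP = $data.ClientIP; ResultStatus = $data.ResultStatus }
    } | Group-Object User, ClientIP, ResultStatus | Sort-Object Count -Descending |
        Select-Object @{ n = 'UserIpOutcome'; e = { $_.Name } }, Count
}

# Step 1 equivalent: export the cleaned records; step 2 equivalent: re-import and hunt.
$clean = Invoke-ExporterStep -Records $Records
$clean | Export-Csv .\my-exported-records.csv -NoTypeInformation
Invoke-LogonAnalyserStep -Records (Import-Csv .\my-exported-records.csv) | Format-Table -AutoSize
```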
Since the aftermath of the SolarWinds Supply Chain Compromise many tools have emerged out of deep forges of cyberforensicators, carefully developed by cyber blacksmith ninjas.
Azure cloud forensic tools don't usually address the complications of the PowerShell API for the UnifiedAuditLog. This API is unstable and inconsistent when exporting large quantities of data.
Azure cloud forensic tools don't usually focus on developing extensible playbooks. I wanted to come up with a simple framework that would help the community create and share new playbooks to extract different types of meaning from the same data.
If, however, you are looking for a more feature rich and mature application for Azure Cloud Forensics, check out:
Conclusion
Subscribe to receive notifications of similar posts, where we will be reverse engineering malware and covering the technical aspects of vulnerabilities, how an attacker may use a given vulnerability as an attack vector, and other Infosec stuff...
Morans,
Thank you for your time, like and leave a comment/review and, as always, stay awesome!