Sparrow

Sparrow.ps1, developed by CISA's Cloud Forensics team, is designed for detecting compromised accounts and applications in Azure and Microsoft 365 (M365) environments, particularly in the context of identity and authentication-based attacks. This tool is designed for incident responders and focuses on a narrow scope of user and application activity relevant to recent intrusions on federated identity sources and applications.

Technically, Sparrow.ps1 relies on PowerShell to collect and analyze data. It checks and installs the necessary PowerShell modules (ExchangeOnlineManagement, AzureAD, and MSOnline) if they are not already present on the analysis machine. The script then queries the unified audit log in Azure/M365 for specific indicators of compromise (IoCs), lists Azure AD domains, and examines Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The output is saved in CSV files located in a designated 'ExportDir' folder.

Operationally, Sparrow.ps1 is straightforward to deploy, requiring no additional installation steps beyond ensuring the necessary permissions are in place. However, it is important to note that the tool is not comprehensive or exhaustive, and its primary function is to narrow down the investigation to specific telemetry relevant to recent identity-based attacks. This approach helps incident responders to quickly focus on high-risk areas but may not cover all possible vectors of compromise.

From a technical details perspective, Sparrow.ps1 leverages the ExchangeOnlineManagement, AzureAD, and MSOnline modules to interact with Azure and M365 services. The script's efficiency in detecting compromised accounts and applications hinges on its ability to quickly parse and analyze the unified audit logs and service principal permissions, although the tool's effectiveness can be limited by the scope of data it collects and the complexity of the attacks it is designed to detect.