Simple hunting script for hunting sussy M365 OAuth Apps.
This is a very quick triage script that does the following:
- Uses device code authentication or the Azure SDK web login module to retrieve a token for a user that is scoped to perform Graph API calls.
- Uses that token to call the Graph API to enumerate the user's tenant and collect the the tenant's applications and service principals.
- Runs several hunting rules against the collected output.
- Organizes and color codes the results.
💡 You will need to authenticate with a user that can run queries against the Graph API. I have not tested the script outside of my own testbed tenant and can't guarantee it works everywhere.
- Clone the directory and change directories into it.
- Install the dependencies:
$ pip3 install -r requirements.txt
(See the docker quickstart if you don't want to fuss with venv and dependencies)
- Run the script with your desired authentication type (supports device code authentication by default and web browser interactive login with the Azure SDK). You can also specify
--outputfor the outfile
$ python3 main.py --auth-mode [device_code, azure_sdk] [--output] [outfile.json]
- If using device code, go to the link in the output (https://microsoft.com/devicelogin)
-
Enter the code provided by the script.
-
Authenticate with a user that can call the Graph API. Enter your username, password, and complete MFA.
-
The prompt will read "Are you trying to sign into Microsoft Office?" The script is using device code authentication with the Microsoft Office client ID to retrieve a token after authentication. Select "Continue"
⚠ I find it necessary to remind people: NEVER, EVER, EVER EVER EVER enter a device code from an untrusted source. If you receive one unprompted from an email and it says to go to the legit Microsoft page and enter it, DO NOT ENTER IT.
In this case, we are generating the code and retrieving it in-band by using the script, so we're good 👍
The script will handle the rest! If it finds any suspicious apps, it will print out the application's information along with a color coding for the confidence of the finding.
This is tricky to use with things like containers and WSL, so I'd recommend using device code auth if you're in that position
- If using the web browser auth, the browser will open to the Microsoft login portal. Sign in with your username, password, and MFA.
- The script will handle the rest!
I hate Python dependencies too, so I threw in a simple Dockerfile to run the script:
$ docker build -t cazadora . && docker run -it cazadora
Then, follow the instructions like normal. This likely won't work well if you're using the interactive web portal login option but it works just fine with device code auth.
This script hunts for a small collection of observed OAuth TTPs. These TTPs come from threat intel and observing OAuth application tradecraft from researching the Huntress partner tenants at scale. This script looks for the following:
- Apps with only non-alphanumeric characters in the name (i.e.: apps named "...")
- Apps named after an identity in the tenant, especially if that identity is the assigned user for the app (i.e., an app named "[email protected]")
- Apps named "test", "test app", or something similar.
- Apps with a reply URL that matches:
http://localhost:[some_port_number]/accesswith or without a trailing forward slash. - Apps that we consider to be Traitorware.
- https://huntresslabs.github.io/rogueapps/
- https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants
- https://www.proofpoint.com/us/blog/email-and-cloud-threats/defeating-malicious-application-creation-attacks
This script cannot definitively prove that your tenant does not have any suspicious applications installed in it. The absence of evidence is never the evidence of absense. Please do your own due diligence during investigation, whether this script identifies potentially suspicious apps or not.
This script is distributed with a hope that it will be useful, but we (myself and Huntress) do not make any promises or guarantees about its efficacy. Please see the LICENSE file for more info.