cisagov/Sparrow cisagov/Sparrow

  • This repository has been archived on 27/Dec/2022
  • Stars
    star
    1,371
  • Rank 33,501 (Top 0.7 %)
  • Language
    PowerShell
  • License
    Creative Commons ...
  • Created over 3 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
cisagov/Sparrow
github

cisagov

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.

This repo is archived as of 27 Dec 2022 - and is no longer being maintained.

Aviary

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary--a Splunk-base dashboard--facilitates analysis of Sparrow data outputs.

To download Aviary, visit releases.

Sparrow.ps1

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data, and is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

Sparrow.ps1 will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoC's), list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files that are located in the user's default home directory in a folder called 'ExportDir' (ie: Desktop/ExportDir).

For more guidance on how to use Sparrow and Aviary, please see: https://us-cert.cisa.gov/ncas/alerts/aa21-008a

Requirements

The following AzureAD/m365 permissions are required to run Sparrow.ps1, and provide it read-only access to the Tenant.

  • Azure Active Directory:
    • Security Reader
  • Security and Compliance Center:
    • Compliance Administrator
  • Exchange Online Admin Center: Utilize a custom group for these specific permissions:
    • Mail Recipients
    • Security Group Creation and Membership
    • User options
    • View-Only Audit log
    • View-Only Configuration
    • View-Only Recipients

To check for the MailItemsAccessed Operation, your tenant organization requires an Office 365 or Microsoft 365 E5/G5 license.

Unified Audit Logs will need to be enabled.

Installation

Sparrow.ps1 does not require any extra steps for installation once the permissions detailed in Requirements are satisfied.

The function, Check-PSModules, will check to see if the three required PowerShell modules are installed on the system and if not, it will use the default PowerShell repository on the system to reach out and install. If the modules are present but not imported, the script will also import the missing modules so that they are ready for use.

The required PowerShell modules:

To install the PowerShell modules, run the following commands:

Install-Module ExchangeOnlineManagement
Install-Module AzureAD
Install-Module MSOnline

Usage

To download and run Sparrow.ps1, type the following command into a PowerShell window (assuming file is in your working directory):

Invoke-WebRequest 'https://github.com/cisagov/Sparrow/raw/develop/Sparrow.ps1' -OutFile 'Sparrow.ps1' -UseBasicParsing; .\Sparrow.ps1

Using Behind A Proxy

If you are executing the script from behind a proxy, you may need to run the following commands, substituting your proxy server prior to execution:

[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy('http://proxyname:port')
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

Issues

If you have issues using the code, open an issue on the repository!

You can do this by clicking "Issues" at the top and clicking "New Issue" on the following page.

Contributing

We welcome contributions! Please see here for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Legal Disclaimer

NOTICE

This software package (“software” or “code”) was created by the United States Government and is not subject to copyright. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code as it is distributed. The United States Government makes no claim of copyright on the changes you effect, nor will it restrict your distribution of bona fide changes to the software. If you decide to update or redistribute the code, please include this notice with the code. Where relevant, we ask that you credit the Cybersecurity and Infrastructure Security Agency with the following statement: “Original code developed by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security.”

USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHER EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.

THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL, REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE OF HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.

More Repositories

1

RedEye

RedEye is a visual analytic tool supporting Red & Blue Team operations
TypeScript
2,613
star
2

Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Python
1,504
star
3

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
Open Policy Agent
1,430
star
4

cset

Cybersecurity Evaluation Tool
TSQL
1,305
star
5

log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Java
1,262
star
6

log4j-affected-db

A community sourced list of log4j-affected software
Shell
1,115
star
7

CHIRP

A DFIR tool written in Python.
Python
1,040
star
8

decider

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
HTML
1,021
star
9

LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
Python
757
star
10

untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Python
699
star
11

pshtt

Scan domains and return data based on HTTPS best practices
Python
668
star
12

crossfeed

External monitoring for organization assets
TypeScript
320
star
13

ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Shell
293
star
14

bad-practices

CISA's catalog of bad practices that are exceptionally risky.
Shell
181
star
15

development-guide

A set of guidelines and best practices for an awesome engineering team
Python
180
star
16

trustymail

Scan domains and return data based on trustworthy email best practices
Python
180
star
17

cyber.dhs.gov

A site for CISA directives
SCSS
138
star
18

ScubaGoggles

SCuBA Security Configuration Baselines and assessment tool for Google Workspace
Open Policy Agent
125
star
19

dotgov-data

Official list of .gov domains
108
star
20

check-cve-2019-19781

Test a host for susceptibility to CVE-2019-19781
Python
105
star
21

ICSNPP

Industrial Control Systems Network Protocol Parsers
104
star
22

findcdn

findCDN is a tool created to help accurately identify what CDN a domain is using.
Python
92
star
23

prescup-challenges

President's Cup Cybersecurity Competition Challenges
Python
78
star
24

ansible-role-cobalt-strike

An Ansible role for installing Cobalt Strike.
HCL
66
star
25

parsnip

Python
62
star
26

shareable-soar-workflows

This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
62
star
27

cybersecurity-performance-goals

CISA's space for collaboration on the Cybersecurity Performance Goals.
Shell
53
star
28

PNT-Integrity

The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
C++
49
star
29

join-cisagov

CISA is hiring! We’re looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
Shell
45
star
30

gophish-tools

Helpful tools for interacting with a GoPhish phishing instance
Python
40
star
31

ioc-scanner

Search a filesystem for indicators of compromise (IoC).
Python
39
star
32

gophish-docker

Docker container for the gophish phishing framework.
Shell
33
star
33

vdp-in-fceb

Vulnerability disclosure policies in the US Government's executive branch
32
star
34

Epsilon

The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
Python
31
star
35

pca-gophish-composition

Phishing campaign docker composition for Gophish
Shell
31
star
36

check-your-pulse

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
Python
28
star
37

getgov

Building a new .gov registrar for a bright .gov future
Python
27
star
38

postfix-docker

Docker container with a postfix server designed for use during phishing campaigns
Shell
26
star
39

dotgov-home

Homepage for the .gov registry
SCSS
25
star
40

assessment-reporting-engine

Python
24
star
41

skeleton-python-library

A skeleton project for quickly getting a new cisagov Python library started.
Python
19
star
42

scanner

Automated pshtt, trustymail, and sslyze scanning
Shell
18
star
43

cyhy_amis

AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
HCL
16
star
44

icsnpp-opcua-binary

Zeek OPCUA Binary Parser - CISA ICSNPP
JavaScript
14
star
45

admiral

Distributed certificate transparency log harvester
Python
14
star
46

skeleton-docker

A skeleton project for quickly getting a new cisagov Docker container started.
Shell
14
star
47

icsnpp-enip

Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
Zeek
13
star
48

pe-reports

Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
Python
13
star
49

icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
JavaScript
12
star
50

ansible-role-clamav

Ansible role to install and enable the ClamAV virus scanner
Shell
12
star
51

lambda_functions

Generate AWS Lambda environment zip files for use by cisagov/domain-scan
Shell
12
star
52

icsnpp-s7comm

Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
JavaScript
11
star
53

network-architecture-verification-and-validation

The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary or network traffic in an XLSX-formatted spreadsheet.
Python
11
star
54

docker-kali-ansible

A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
Dockerfile
10
star
55

tic3.0

Collaborating on Trusted Internet Connection 3.0 use cases
10
star
56

icsnpp-genisys

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
Python
10
star
57

gh-skeleton

This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
Shell
10
star
58

scoping-validation-tool

SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
Python
9
star
59

orchestrator

Orchestrate gatherer, scanner, saver, and trustymail_reporter
Shell
9
star
60

pshtt_reporter

Generate HTTPS reports based on scan data
Python
9
star
61

cyhy-mailer

Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
Python
9
star
62

trustymail_reporter

Generate Trustworthy Email reports based on scan data
Python
9
star
63

pre-commit-packer

Provides pre-commit hooks for Packer projects.
Shell
9
star
64

nessus-packer

Create machine images containing the Nessus vulnerability scanner
HCL
9
star
65

domain-manager-api

Flask API for Domain Manager
Python
9
star
66

gatherer

Gather domains as a precursor to scanning
Shell
9
star
67

certboto-docker

Certbot container that stores its configuration in an AWS S3 bucket
Shell
9
star
68

icsnpp-modbus

Zeek Modbus Extension Scripts - CISA ICSNPP
Zeek
8
star
69

aws-profile-sync

Synchronize AWS credential profiles from remote sources
Python
8
star
70

ansible-role-kali

An Ansible role for provisioning kali
HCL
8
star
71

icsnpp-dnp3

Zeek DNP3 Extension Scripts - CISA ICSNPP
Zeek
8
star
72

dmarc-import

A tool for parsing DMARC aggregate reports.
Python
8
star
73

icsnpp-bsap-ip

Zeek BSAP over IP Parser - CISA ICSNPP
JavaScript
8
star
74

CISASuite

The CSET, Malcom, Con-PCA suite of tools
HTML
8
star
75

skeleton-generic

A generic skeleton project for quickly getting a new cisagov project started.
Shell
8
star
76

icsnpp-ethercat

Zeek Ethercat Parser - CISA ICSNPP
C++
8
star
77

Sogu

This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
PowerShell
8
star
78

travis-wait-improved

A tool to help long-running, yet reticent, processes avoid death at the hands of Traivs-CI.
Python
7
star
79

con-pca-api

API Docker Container for Con-PCA
HTML
7
star
80

.dotfiles

Generic set of dotfiles to get you started with a cisagov development environment
Shell
7
star
81

domain-manager-ui

UI for the Domain Manager
HTML
7
star
82

pen-testing-findings

A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
7
star
83

vulnerable-instances

Virtual machines that are set up with a variety of known vulnerabilities.
HCL
7
star
84

openvpn-server-tf-module

Terraform module to create an OpenVPN server instance
HCL
6
star
85

scan-target-data

Contains data used to identify targets for scanning
Shell
6
star
86

ansible-role-burp-suite-pro

An Ansible role for installing Burp Suite Professional
HCL
6
star
87

con-pca-web

The website source and terraform code for continuous phishing assessment.
HTML
6
star
88

kali-packer

This project can be used to create AMIs based on Kali Linux, a penetration testing distribution.
HCL
6
star
89

security-contact-finder

Making government security contacts accessible
CSS
6
star
90

saver

Save scan results to a database
Python
6
star
91

con-pca-cicd

continuous phishing main repository
HCL
6
star
92

megazord-composition

Shell
6
star
93

ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.
Shell
6
star
94

ansible-role-amazon-efs-utils

An Ansible role for installing aws/efs-utils
Shell
5
star
95

PNT-Integrity-Toolkit

The PNT Integrity DIY Toolkit describes how a perspective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
C++
5
star
96

awssh

Tool to simplify secure shell connections over AWS simple systems manager.
Python
5
star
97

sslyze-lambda

AWS Lambda function for sslyze
Python
5
star
98

cyhy-core

Python
5
star
99

cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
HCL
5
star
100

ncats-data-dictionary

Shell
5
star