Azure AD Investigator

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

Background: In December 2020, FireEye uncovered and publicly disclosed a widespread attacker campaign that is being tracked as UNC2452. In some, but not all, of the intrusions associated with this campaign where Mandiant has visibility, the attacker used their access to on-premises networks to gain unauthorized access to the victim’s Microsoft 365 environment.

Use this script to alert administrators and security practitioners to artifacts that may require further review to determine if they are truly malicious or part of legitimate activity. 

NOTE: This tool is read-only. It does not make any changes to the Microsoft 365 environment.

Visit our Github repo to download the script today.

The Terms of Use for this software are subject to the licensing and terms outlined in the OSS repository.

Supported By: FireEye

Resources:
- White paper (pdf)
- Technical blog post
- Related blog post about UNC2452

OSS Info

Requirements:

REQUIRED MODULES: The PowerShell module requires the installation of three Microsoft 365 PowerShell modules:
1) AzureAD
2) MSOnline
3) ExchangeOnlineManagement

REQUIRED USER PERMISSIONS: The PowerShell module must be run with a Microsoft 365 account assigned specific privileges:
1) Global Administrator or Global Reader role in the Azure AD portal
2) View-Only Audit Logs in the Exchange Control Panel
