Account Login (AMP)
Detecting Post-Compromise Threat Activity in Microsoft Cloud

Detecting Post-Compromise Threat Activity in Microsoft Cloud

Original release date: January 8, 2021 | Last revised: April 15, 2021


This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to and

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

Compromising or bypassing federated identity solutions;
Using forged authentication tokens to move laterally to Microsoft cloud environments; and
Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

Technical Details

Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Sunburst).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

TLP-WHITE Alert (AA21-008A) Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments 1.8.21

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

1-888-282-0870 (From outside the United States: +1-703-235-8832) (UNCLASS) (SIPRNET) (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at


Azure Active Directory Workbook to Assess Solorigate Risk:

Volexity – Dark Halo Leverages SolarWinds Compromise to Breach Organizations:

How to Find Activity with Sentinel:

Third-Party Walkthrough of the Attack:

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms:

Microsoft 365 App for Splunk:

CISA Remediation Guidance:


[1] ZDNet: A Second Hacking Group has Targeted SolarWinds Systems [2] CISA: Supply Chain Compromise [3] Microsoft SolarWinds Post-Compromise Hunting with Azure Sentinel [4] Microsoft Solorigate Resource Center [5] Advanced Audit in Microsoft 365 [6] Microsoft: Understanding “Solorigate’s” Identity IOCs [7] Detection and Hunting of Golden SAML Attack: [8] Ibid [9] Ibid [10] Microsoft: AADServicePrincipalSignInLogs [11] Microsoft: Understanding “Solorigate’s” Identity IOCs [12] Azure Active Directory Sign-in Activity Reports [13] CrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory [14] Microsoft 365 App for Splunk


Initial version: January 8, 2021 February 4, 2021: Removed link and section for outdated product feedback form April 8, 2021: Added Aviary Dashboard information April 15, 2021: Added Attribution Statement

This product is provided subject to this Notification and this Privacy & Use policy.

Did you find this article helpful? Please share below and let us know via LinkedIn or Twitter as we would love to hear from you. As always, we’re here if you need someone to assist in making ensure that you always have the strongest infrastructure: Hire Us!
About the Contributor
The Team @ EntreBase
We are a Veteran Owned full service Information Technology (IT) company offering Secure Cloud and Cyber Information Technology Infrastructure, Services and Support to the virtual workforce.