FireEye has released a free tool named Azure AD Investigator on GitHub, an auditing script that checks whether the techniques used by the SolarWinds hackers, also tracked as UNC2452, have been used in an organization's own network.

The Mandiant Azure AD Investigator is currently accessible on GitHub.

The SolarWinds hack was disclosed on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor had breached the network of SolarWinds, an IT software provider, and trojanized updates for the Orion app with malware.

The malware, referred to as Sunburst (or Solorigate), was used to gather information on infected organizations. Although most of the 18,000 SolarWinds customers running the compromised version of the Orion app were not targeted further, for selected targets the hackers deployed a second malware strain, known as Teardrop, and then used various techniques to escalate access within the local network and into the company's cloud resources, with a specific focus on breaching Microsoft 365 infrastructure.

Mandiant has observed UNC2452 and other threat actors moving laterally into the Microsoft 365 cloud using a combination of four primary techniques:

  1. Stealing the token-signing certificate of Active Directory Federation Services (AD FS) and utilizing it to fabricate tokens for any user (referred to as Golden SAML) enables attackers to authenticate into a federated resource provider, like Microsoft 365, as any user without requiring the user's password or their associated multi-factor authentication (MFA) mechanism.
  2. Modifying or incorporating trusted domains in Azure AD to introduce a new federated Identity Provider (IdP) under the control of the attacker allows for the fabrication of tokens for arbitrary users, constituting an Azure AD backdoor.
  3. Compromising the credentials of on-premises user accounts synchronized to Microsoft 365, especially those with high-privileged directory roles such as Global Administrator or Application Administrator, is another avenue of attack.
  4. Backdooring an existing Microsoft 365 application involves adding a new application or service principal credential to exploit legitimate permissions assigned to the application. This includes capabilities like reading emails, sending emails on behalf of any user, accessing user calendars, and more.

Key Features of Mandiant Azure AD Investigator:

Signing Certificate Unusual Validity Period:

The "Signing Certificate Unusual Validity Period" feature of Mandiant Azure AD Investigator identifies and analyzes digital certificates associated with Active Directory Federation Services (AD FS) whose validity periods are abnormal. Digital certificates are central to secure authentication, and their validity period normally follows standard practice. However, certificates introduced by a threat actor may carry validity periods that differ from what AD FS would normally generate.

Key aspects of this feature include:
1. Certificate Validity Period Analysis: Mandiant Azure AD Investigator actively examines the validity periods of AD FS signing certificates. The tool scrutinizes the start and end dates of these certificates to identify any deviations from expected norms.

2. Detection of Anomalies: The feature is designed to detect certificates with validity periods that fall outside the usual and expected ranges. Anomalies in validity periods can be indicative of malicious activity or attempts to subvert security measures.

3. Indication of Potential Threats: Unusual validity periods in signing certificates can be a red flag for potential security threats. By flagging such anomalies, the tool assists security professionals in identifying potential issues that may require further investigation.

4. Enhanced Security Posture: By proactively identifying certificates with abnormal validity periods, Mandiant Azure AD Investigator contributes to strengthening an organization's security posture. Addressing such anomalies promptly can prevent potential security breaches.

5. Incident Response Support: In the context of incident response, this feature aids security teams in quickly assessing and responding to potential threats related to the misuse of signing certificates.

6. Contextual Analysis: The tool likely provides additional contextual information about the identified certificates, enabling security analysts to understand the broader context of the anomalies and make informed decisions.

In summary, the "Signing Certificate Unusual Validity Period" feature of Mandiant Azure AD Investigator plays a crucial role in flagging potential security risks associated with AD FS signing certificates exhibiting abnormal validity periods, contributing to a proactive and robust cybersecurity defense strategy.

Signing Certificate Mismatch:

The "Signing Certificate Mismatch" feature of Mandiant Azure AD Investigator identifies and analyzes instances where the signing certificate expected for Active Directory Federation Services (AD FS) differs from the one actually in use. Such a discrepancy can indicate a security threat or an attempt to manipulate the authentication process.

Key characteristics of this feature include:

  • Certificate Consistency Check: Mandiant Azure AD Investigator checks the consistency of signing certificates within the AD FS environment, comparing the expected or authorized certificates with those actually in use.

  • Detection of Discrepancies: The feature detects any mismatch between the anticipated signing certificates and the ones currently active. Such discrepancies may result from unauthorized changes or malicious activity.

  • Indication of Security Risks: A signing certificate mismatch is flagged as a potential security risk, alerting security professionals to investigate further, since it may signify an attempt to compromise the integrity of the authentication process.

  • Immediate Notification: When a signing certificate mismatch is detected, the tool likely notifies or alerts the security team immediately, allowing a swift response and remediation.

  • Enhanced Authentication Security: By monitoring for and identifying signing certificate mismatches, the tool contributes to the overall security of the authentication process within the AD FS environment, helping prevent unauthorized access and maintaining the integrity of the authentication infrastructure.

  • Contextual Information: The feature may provide additional context about the detected mismatch, helping security analysts understand the nature and potential impact of the inconsistency.

  • Integration with Incident Response: During incident response, the tool's ability to identify signing certificate mismatches helps security teams quickly address and mitigate incidents related to unauthorized changes.

In summary, the "Signing Certificate Mismatch" feature of Mandiant Azure AD Investigator plays a vital role in proactively identifying and addressing security risks associated with inconsistencies in AD FS signing certificates. It adds an additional layer of protection to the authentication process, contributing to a robust cybersecurity defense strategy.
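The two signing-certificate checks described above, as an added example that is not the tool's own code: it runs over constructed certificate records (the field names, the seven-day tolerance and the sample thumbprints are this example's assumptions) and compares what Azure AD holds in a domain's federation settings against the token-signing certificates configured on the AD FS farm.

```python
from datetime import datetime, timedelta

# AD FS auto-generated token-signing certificates are valid for one year by default.
# Assumption for this example: a lifetime more than TOLERANCE away from that is "unusual".
DEFAULT_LIFETIME = timedelta(days=365)
TOLERANCE = timedelta(days=7)

# Constructed sample: certificates recorded in Azure AD's federation settings for a domain
# (current and next signing certificate), reduced to the fields the checks need.
AZURE_AD_FEDERATION_CERTS = [
    {"thumbprint": "A1" * 20, "not_before": datetime(2020, 6, 1), "not_after": datetime(2021, 6, 1)},
    {"thumbprint": "B2" * 20, "not_before": datetime(2020, 11, 20), "not_after": datetime(2030, 11, 20)},
]
# Constructed sample: token-signing certificates actually configured on the AD FS farm.
ADFS_TOKEN_SIGNING_CERTS = [
    {"thumbprint": "A1" * 20, "not_before": datetime(2020, 6, 1), "not_after": datetime(2021, 6, 1)},
]


def lifetime(cert):
    """Validity period of a certificate record as a timedelta."""
    return cert["not_after"] - cert["not_before"]


def has_unusual_validity(cert):
    """True when the lifetime deviates from the one-year AD FS default beyond TOLERANCE."""
    return abs(lifetime(cert) - DEFAULT_LIFETIME) > TOLERANCE


def audit_signing_certs(azure_certs, adfs_certs):
    """Return (check, thumbprint, detail) findings for the validity and mismatch checks.

    A certificate trusted by Azure AD but absent from the AD FS farm is the mismatch case:
    tokens signed with it would be accepted even though AD FS never issued them.
    """
    findings = []
    adfs_thumbprints = {c["thumbprint"] for c in adfs_certs}
    for cert in azure_certs:
        if has_unusual_validity(cert):
            findings.append(("unusual_validity", cert["thumbprint"], f"{lifetime(cert).days} days"))
        if cert["thumbprint"] not in adfs_thumbprints:
            findings.append(("mismatch", cert["thumbprint"], "not present on AD FS farm"))
    return findings


if __name__ == "__main__":
    for check, thumbprint, detail in audit_signing_certs(AZURE_AD_FEDERATION_CERTS, ADFS_TOKEN_SIGNING_CERTS):
        print(f"[{check}] {thumbprint[:16]}... {detail}")
```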

Azure AD Backdoor:

Intruders may use a backdoor to get into existing Microsoft 365 applications and add a new application or service principal credential, which lets them abuse the legitimate permissions already granted to the application.

The tool's Azure AD Backdoor check reports any federated domain configured with any.sts as the Issuer URI.

Domains in Federation:

Federation covers a set of trusted domains and exists primarily for authentication and authorization: it lets on-premises Active Directory accounts be trusted for use with Azure AD accounts through single sign-on.

Unverified Domains:

Domain verification is the procedure that validates the legitimacy of a domain. Mandiant Azure AD Investigator includes a feature that identifies and lists domains that have remained unverified in Azure AD for an extended period, which helps address the risks associated with unverified domains and improves the overall security posture.
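The three domain checks above (federated domain inventory, the any.sts Issuer URI backdoor indicator, and long-unverified domains), as an added example that is not the tool's own code: it runs over a constructed list of tenant domains, and the field names, the 30-day staleness threshold and the fixed audit time are this example's assumptions.

```python
from datetime import datetime, timedelta

# "any.sts" is the Issuer URI marker the page names for the Azure AD Backdoor check.
BACKDOOR_ISSUER_MARKER = "any.sts"
# Assumption for this example: a domain left unverified longer than this is reported as stale.
UNVERIFIED_MAX_AGE = timedelta(days=30)
# Fixed "now" so the example is reproducible (constructed).
AUDIT_TIME = datetime(2021, 1, 15)

# Constructed sample of tenant domains; the field names are this example's own.
DOMAINS = [
    {"name": "corp.example", "verified": True, "auth": "Federated",
     "issuer_uri": "http://adfs.corp.example/adfs/services/trust", "created": datetime(2018, 1, 10)},
    {"name": "legacy.example", "verified": True, "auth": "Federated",
     "issuer_uri": "http://any.sts/EXAMPLE0001", "created": datetime(2019, 3, 4)},
    {"name": "newbrand.example", "verified": False, "auth": "Managed",
     "issuer_uri": None, "created": datetime(2020, 9, 1)},
    {"name": "launch.example", "verified": False, "auth": "Managed",
     "issuer_uri": None, "created": datetime(2020, 12, 20)},
]


def federated_domains(domains):
    """Every federated domain: each one is a trust relationship worth reviewing."""
    return [d["name"] for d in domains if d["auth"] == "Federated"]


def backdoor_issuer_domains(domains):
    """Federated domains whose Issuer URI contains the any.sts marker."""
    return [d["name"] for d in domains
            if d["auth"] == "Federated" and d["issuer_uri"]
            and BACKDOOR_ISSUER_MARKER in d["issuer_uri"].lower()]


def stale_unverified_domains(domains, now):
    """Domains that have stayed unverified for longer than UNVERIFIED_MAX_AGE."""
    return [d["name"] for d in domains
            if not d["verified"] and now - d["created"] > UNVERIFIED_MAX_AGE]


def audit_domains(domains, now):
    """Run the three domain checks and return them as one report."""
    return {
        "federated": federated_domains(domains),
        "backdoor_issuer": backdoor_issuer_domains(domains),
        "stale_unverified": stale_unverified_domains(domains, now),
    }


if __name__ == "__main__":
    for check, names in audit_domains(DOMAINS, AUDIT_TIME).items():
        print(f"{check}: {', '.join(names) or '-'}")
```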