Source: GitHub Author: unknown URL: https://github.com/HuskyHacks/cazadora

ONE SENTENCE SUMMARY:

A quick triage script for detecting suspicious Microsoft 365 OAuth apps using Graph API authentication and predefined hunting rules.

MAIN POINTS:

1. Uses device code or Azure SDK authentication to retrieve a Graph API token.
2. Enumerates a tenant’s applications and service principals via the Graph API.
3. Runs hunting rules against collected data to identify suspicious apps.
4. Outputs results with color coding based on confidence levels.
5. Requires user authentication with Graph API query permissions.
6. Supports running in a Docker container for dependency management.
7. Flags suspicious apps based on naming conventions and reply URLs.
8. Highlights risks of default user consent settings in Microsoft 365.
9. Recommends configuring user consent settings to prevent unauthorized app installations.
10. Does not guarantee complete detection of suspicious applications.

TAKEAWAYS:

1. The script helps identify potentially malicious OAuth apps in a Microsoft 365 tenant.
2. Authentication is required via device code or Azure SDK web login.
3. Suspicious apps are flagged based on predefined threat intelligence rules.
4. Users should configure consent settings to limit unauthorized app installations.
5. The script is a helpful tool but not a definitive security solution.