Source: GitHub Author: unknown URL: https://github.com/HuskyHacks/cazadora
ONE SENTENCE SUMMARY: A quick triage script for detecting suspicious Microsoft 365 OAuth apps using Graph API authentication and predefined hunting rules.

MAIN POINTS:
- Uses device code or Azure SDK authentication to retrieve a Graph API token.
- Enumerates a tenant's applications and service principals via the Graph API.
- Runs hunting rules against the collected data to identify suspicious apps.
- Outputs results with color coding based on confidence levels.
- Requires user authentication with Graph API query permissions.
- Supports running in a Docker container for dependency management.
- Flags suspicious apps based on naming conventions and reply URLs.
- Highlights the risks of default user consent settings in Microsoft 365.
- Recommends configuring user consent settings to prevent unauthorized app installations.
- Does not guarantee complete detection of suspicious applications.
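The workflow above (collect application objects from Graph, run rules over them, grade each hit by confidence) is illustrated by the added example below. It is not cazadora's own code: the rule set is an assumption chosen for illustration, and the sample objects are constructed to follow the Microsoft Graph application schema (appId, displayName, web/spa/publicClient redirectUris).

```python
"""Illustrative hunting rules over Microsoft Graph 'application' objects.
Added example, not cazadora's code; rules and sample data are assumptions."""
import re
from urllib.parse import urlparse

GENERIC_NAMES = {"test", "app", "my app", "demo", "oauth app"}  # assumed placeholder names
TUNNEL_HOST_RE = re.compile(r"\.(ngrok\.io|ngrok-free\.app|trycloudflare\.com)$", re.I)

def reply_urls(app):
    """Collect redirect URIs from every platform section Graph exposes."""
    urls = []
    for section in ("web", "spa", "publicClient"):
        urls += (app.get(section) or {}).get("redirectUris", [])
    return urls

def rule_generic_name(app):
    """Display name is a throwaway placeholder such as 'test'."""
    return app.get("displayName", "").strip().lower() in GENERIC_NAMES

def rule_tunnel_reply_url(app):
    """A redirect URI points at a public tunnelling-service host."""
    return any(TUNNEL_HOST_RE.search(urlparse(u).hostname or "") for u in reply_urls(app))

def rule_cleartext_reply_url(app):
    """A redirect URI is plain http and is not the loopback address."""
    return any(urlparse(u).scheme == "http"
               and urlparse(u).hostname not in ("localhost", "127.0.0.1")
               for u in reply_urls(app))

# (rule name, confidence, predicate); confidence mirrors the colour-coded output idea
RULES = [("generic_display_name", "low", rule_generic_name),
         ("tunnel_reply_url", "high", rule_tunnel_reply_url),
         ("cleartext_http_reply_url", "medium", rule_cleartext_reply_url)]

def hunt(apps):
    """Return [(appId, rule, confidence)] for every rule that fires on each app."""
    return [(app["appId"], name, conf) for app in apps for name, conf, pred in RULES if pred(app)]

# Constructed sample objects shaped like GET /applications results
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "test",
     "web": {"redirectUris": ["https://abcd1234.ngrok.io/callback"]}},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Expense Portal",
     "web": {"redirectUris": ["https://expenses.example.com/signin-oidc"]}},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "Sync Helper",
     "publicClient": {"redirectUris": ["http://localhost/auth", "http://collector.example.net/cb"]}},
]

if __name__ == "__main__":
    for app_id, rule, conf in hunt(SAMPLE_APPS):
        print(f"[{conf.upper()}] {app_id}: {rule}")
```

In a real run the list would come from the Graph `/applications` and `/servicePrincipals` endpoints (service principals carry `replyUrls` rather than per-platform sections), and rule hits are leads for review, not verdicts.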

TAKEAWAYS:
- The script helps identify potentially malicious OAuth apps in a Microsoft 365 tenant.
- Authentication is required via device code or Azure SDK web login.
- Suspicious apps are flagged based on predefined threat intelligence rules.
- Users should configure consent settings to limit unauthorized app installations.
- The script is a helpful tool but not a definitive security solution.