A PowerShell module that detects artifacts which may be indicative of UNC2452 and other threat actor activity in an Azure Active Directory tenant.

Features:

  1. Signing certificate with an unusual validity period
  2. Inconsistent signing certificate
  3. Azure Active Directory backdoor (any.sts)
  4. Federated domains
  5. Unverified (unconfirmed) domains

Disclaimer: The intended use for the tool is strictly educational and should not be used for any other purposes.

Download link: https://github.com/mandiant/Mandiant-Azure-AD-Investigator
