A PowerShell module that detects artifacts which may indicate UNC2452 and other threat actor activity in an Azure Active Directory tenant. The checks it runs cover:
- Signing certificates with an unusual validity period
- Inconsistent signing certificates
- Azure Active Directory backdoor (any.sts)
- Federated domains
- Unverified domains
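As an added illustration of what three of the checks above look for (this is not the Mandiant module's own code), the following uses the MSOnline cmdlets to list unverified and federated domains and to inspect the federation signing certificates. It assumes `Connect-MsolService` has already been run and that the 400-day threshold for an "unusual" validity period is an analyst-chosen value.

```powershell
# Added example, not part of the Mandiant module. Assumes Connect-MsolService
# has already established a session. The validity threshold is an assumption
# chosen for illustration; tune it to the expected lifetime in your environment.
$MaxExpectedValidityDays = 400

function Get-SigningCertInfo {
    # Federation settings expose the signing certificates as base64 DER strings.
    param([string]$Base64Cert)
    if ([string]::IsNullOrEmpty($Base64Cert)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64Cert)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        ValidityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
    }
}

$findings = foreach ($domain in Get-MsolDomain) {
    # Unverified domains exist in the tenant without ownership ever being proven.
    if ($domain.Status -ne 'Verified') {
        [pscustomobject]@{ Domain = $domain.Name; Finding = 'Unverified domain'; Detail = $domain.Status }
    }
    if ($domain.Authentication -eq 'Federated') {
        # Every federated domain is worth reviewing: federation trust is where token forgery lives.
        [pscustomobject]@{ Domain = $domain.Name; Finding = 'Federated domain'; Detail = '' }
        $fed  = Get-MsolDomainFederationSettings -DomainName $domain.Name
        $cur  = Get-SigningCertInfo $fed.SigningCertificate
        $next = Get-SigningCertInfo $fed.NextSigningCertificate
        foreach ($c in @($cur, $next) | Where-Object { $_ }) {
            if ($c.ValidityDays -gt $MaxExpectedValidityDays) {
                [pscustomobject]@{ Domain = $domain.Name; Finding = 'Signing certificate with unusual validity period'
                                   Detail = "$($c.Thumbprint) valid $([int]$c.ValidityDays) days" }
            }
        }
        # The current and next signing certificates are normally issued by the same AD FS instance.
        if ($cur -and $next -and $cur.Issuer -ne $next.Issuer) {
            [pscustomobject]@{ Domain = $domain.Name; Finding = 'Inconsistent signing certificates'
                               Detail = "$($cur.Issuer) vs $($next.Issuer)" }
        }
    }
}
$findings | Format-Table -AutoSize
```

Each flagged item is a lead for review against the expected AD FS configuration, not a confirmed compromise on its own.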
Disclaimer: The intended use for the tool is strictly educational and should not be used for any other purposes.
Download link: https://github.com/mandiant/Mandiant-Azure-AD-Investigator