Mandiant-Azure-AD-Investigator


This PowerShell module detects artifacts that may indicate UNC2452 and other threat actor activity.


  1. Signing Certificate with an Unusual Validity Period
  2. Inconsistent Signature Certificate
  3. Azure Active Directory Backdoor (any.sts)
  4. Domains that are federated
  5. Domains that haven’t been confirmed

Disclaimer: This tool is intended strictly for educational use and should not be used for any other purpose.

Download link:
