May 28, 2022


This PowerShell module detects artifacts that may be indicative of UNC2452 and other threat actor activity:


  1. Signing certificate with an unusual validity period
  2. Inconsistent signature certificate
  3. Azure Active Directory backdoor (any.sts)
  4. Domains that are federated
  5. Domains that haven’t been confirmed

Disclaimer: The tool is intended strictly for educational use and should not be used for any other purpose.

Download link:
