Inspect-Federation.ps1
# Treat every error as terminating so that failures reach the Catch block below
# instead of being printed and skipped.
$ErrorActionPreference = "Stop"

# Write-ErrorLog.ps1 is expected one directory above this script's folder; it is
# dot-sourced so that Write-ErrorLog is available in this scope.
$parentFolder = (Get-Item $PSScriptRoot).Parent.FullName
$errorHandling = "$parentFolder\Write-ErrorLog.ps1"
. $errorHandling

# $out_path is not defined in this file -- presumably set by the calling script
# before this inspector runs; confirm against the caller.
$path = @($out_path)
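Function Inspect-Federation{
    <#
    .SYNOPSIS
    Exports the organization's federation configuration to a text file for review.

    .DESCRIPTION
    Runs Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo and writes
    the result to FederatedConfiguration.txt under the script-level $path.
    If any step fails, a warning is emitted and the error details are handed to
    Write-ErrorLog (dot-sourced at the top of this script). The error is not
    rethrown, so a failure here does not stop the caller.

    .NOTES
    The cmdlet requires an already-established Exchange session; this function
    does not connect or authenticate. The output file describes the tenant's
    federation trust, so store it with the rest of the collected evidence.
    #>
    Try {
        $federatedConfig = Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo
        $federatedConfig | Out-File "$path\FederatedConfiguration.txt"
    }
    Catch {
        Write-Warning "Error message: $_"

        # Capture the error record's details before any later call can replace $_.
        $message = $_.ToString()
        $exception = $_.Exception
        $strace = $_.ScriptStackTrace
        $failingline = $_.InvocationInfo.Line
        $positionmsg = $_.InvocationInfo.PositionMessage
        $pscommandpath = $_.InvocationInfo.PSCommandPath
        $failinglinenumber = $_.InvocationInfo.ScriptLineNumber
        $scriptname = $_.InvocationInfo.ScriptName

        Write-Verbose "Write to log"
        # -positionmsg receives the position message; the original passed
        # $pscommandpath here, which logged the script path twice and dropped
        # the position information.
        Write-ErrorLog -message $message -exception $exception -scriptname $scriptname -failinglinenumber $failinglinenumber -failingline $failingline -pscommandpath $pscommandpath -positionmsg $positionmsg -stacktrace $strace
        Write-Verbose "Errors written to log"
    }
}

# Run the inspector as soon as the script is loaded.
Inspect-Federation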
<#
INVESTIGATIVE TIPS:
- Review existing federations. Identify any that are unauthorized or unrecognized, then revoke them.
- Threat actors can create unauthorized federations and use them to log into your tenant and perform actions. The user accounts used to do this will not appear in your directory, which allows the threat actor to persist longer.
- NOTE: This is a known SUNBURST TTP.
#>