Skip to content

dmb2168/OAuthHunting

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

OAuthHunting

By Doug Bienstock (@doughsec)

A collection of scripts to help administrators hunt for malicious OAuth applications in cloud environments. Looks for granting of suspicious scopes, frequency of grants, and hopefully a whitelist/blacklist as time goes on.

Scripts

get-suspiciousoauth.ps1

Requires to be run as an Office 365 Global Admin. Queries the tenant for all OAuthPermission grants and filters them for suspicious entries.

Arguments

-All returns All OAuthPermissionGrants

-Scopes A comma separated list of suspicious scopes to look for. Defaults to "offline_access"

-Threshold The number of grants in a tenant below which an application is considered suspicious. This is filtered as an OR condition with the scopes parameter.

-Output Outputs results to CSV

-OutputPath Where to write the CSV

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published