For a subset of compromised accounts, the attackers used AzureHound and ROADtools, two open-source frameworks for reconnaissance in Microsoft Entra ID (formerly Azure Active Directory) environments. Both tools query the Microsoft Graph and Azure REST APIs, and the attackers used them to locate and exfiltrate data of interest from victims’ cloud accounts.
“AzureHound and ROADtools have functionality that is used by defenders, red teams, and adversaries,” Microsoft said in its report. “The same features that make these tools useful to legitimate users, like pre-built capabilities to explore and seamlessly dump data in a single database, also make these tools attractive options for adversaries seeking information about or from a target’s environment.”
To achieve persistence, the attackers set up new Azure subscriptions on victims’ tenants, which were used to establish command-and-control communication with infrastructure operated by the group. They also installed the Azure Arc client on devices in compromised environments and connected it to an Azure subscription they controlled, giving them remote control capabilities over those devices. Azure Arc is a capability that allows the remote management of Windows and Linux systems in an Azure AD environment.
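Both persistence mechanisms described above leave an inventory footprint a tenant owner can check for: a subscription that is not in the organisation's baseline, and an Azure Arc agent on a device that reports a subscription or tenant the organisation does not own. The script below is an added example, not code from the article or from Microsoft. It assumes a reduced `az account list` snapshot with `id`, `name` and `state` fields, and a `key : value` layout for the `azcmagent show` output (the exact labels are an assumption); all IDs and records are constructed.

```python
# Added example: baseline checks for the two persistence indicators
# discussed above (rogue subscriptions, Arc agents joined to a foreign tenant).

# Subscriptions the tenant owner knows about (constructed IDs).
KNOWN_SUBSCRIPTIONS = {
    "11111111-1111-1111-1111-111111111111",  # production
    "22222222-2222-2222-2222-222222222222",  # development
}

# The tenant ID the organisation owns (constructed).
EXPECTED_TENANT = "77777777-7777-7777-7777-777777777777"

# Constructed snapshot in the shape of `az account list`, reduced to the
# fields used here. The third entry models an attacker-created subscription.
SUBSCRIPTION_SNAPSHOT = [
    {"id": "11111111-1111-1111-1111-111111111111", "name": "production", "state": "Enabled"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "development", "state": "Enabled"},
    {"id": "33333333-3333-3333-3333-333333333333", "name": "Pay-As-You-Go", "state": "Enabled"},
]

# Constructed `azcmagent show` output from a device (label layout is assumed).
# Here the agent is connected to a subscription and tenant the organisation
# does not own, which is the pattern described in the article.
AZCMAGENT_SHOW = """\
Resource Name            : FILESRV01
Resource Group Name      : rg-arc
Subscription ID          : 99999999-9999-9999-9999-999999999999
Tenant ID                : 88888888-8888-8888-8888-888888888888
Agent Status             : Connected
"""


def unknown_subscriptions(snapshot, known):
    """Return enabled subscriptions from the snapshot that are not in the baseline."""
    return [
        sub for sub in snapshot
        if sub["state"] == "Enabled" and sub["id"].lower() not in {k.lower() for k in known}
    ]


def parse_kv_output(text):
    """Parse `Key : Value` lines into a dict, ignoring lines without a colon."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip().lower()] = value.strip()
    return result


def check_arc_agent(agent_output, expected_tenant, known_subscriptions):
    """Return (tenant_ok, subscription_ok) for the Arc agent described in agent_output.

    A False in either position means the device is managed from outside the
    organisation's own tenant or subscriptions and should be investigated.
    """
    info = parse_kv_output(agent_output)
    tenant_ok = info.get("tenant id", "").lower() == expected_tenant.lower()
    subscription_ok = info.get("subscription id", "").lower() in {
        k.lower() for k in known_subscriptions
    }
    return tenant_ok, subscription_ok


if __name__ == "__main__":
    for sub in unknown_subscriptions(SUBSCRIPTION_SNAPSHOT, KNOWN_SUBSCRIPTIONS):
        print(f"unknown subscription: {sub['id']} ({sub['name']})")
    tenant_ok, sub_ok = check_arc_agent(AZCMAGENT_SHOW, EXPECTED_TENANT, KNOWN_SUBSCRIPTIONS)
    if not (tenant_ok and sub_ok):
        print("Arc agent is connected to a tenant/subscription outside the baseline")
```

In practice the snapshot comes from `az account list` run by a tenant administrator and the agent output from `azcmagent show` on each device; a disconnected agent or one joined to a different tenant is visible only from the device side, because the Arc resource itself lives in the attacker's subscription.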
Other post-compromise tools and techniques
After achieving persistence, the Peach Sandstorm attackers deployed a variety of publicly available and custom tools, including AnyDesk, a commercial remote monitoring and management (RMM) tool, and EagleRelay, a custom traffic tunneling tool that the attackers deployed on newly created virtual machines in victim environments.
Other techniques employed by the group include abuse of the Remote Desktop Protocol (RDP), executing malicious code through DLL hijacking of a legitimate VMware executable, and launching a Golden SAML attack.
“In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by a target’s Microsoft 365 environment,” Microsoft said. “If successful, a threat actor could bypass AD FS authentication and access federated services as any user.”
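A token minted with stolen AD FS keys is accepted by Microsoft 365 without AD FS ever having issued it, so one defensive check is to correlate federated sign-ins in Entra ID with token-issuance events on the AD FS servers and flag sign-ins that have no matching issuance. The script below is an added example, not code from the article or from Microsoft. It assumes simplified record shapes (user, timestamp) for both sources, a correlation window of five minutes, and constructed sample data; in a real deployment the issuance side would be populated from the AD FS audit log and the sign-in side from the Entra ID sign-in log.

```python
# Added example: flag federated sign-ins that no AD FS issuance can account for.
from datetime import datetime, timedelta

# Constructed AD FS token-issuance events (user and issue time, assumed shape).
ADFS_ISSUANCE = [
    {"user": "alice@contoso.example", "issued": "2023-09-01T08:00:05Z"},
    {"user": "bob@contoso.example",   "issued": "2023-09-01T09:15:40Z"},
    {"user": "carol@contoso.example", "issued": "2023-08-31T11:42:00Z"},  # a day earlier
]

# Constructed Entra ID sign-in records for federated users (assumed shape).
# alice and bob are preceded by a matching issuance; carol's sign-in is not.
ENTRA_SIGNINS = [
    {"user": "alice@contoso.example", "time": "2023-09-01T08:00:09Z", "ip": "203.0.113.10"},
    {"user": "bob@contoso.example",   "time": "2023-09-01T09:15:44Z", "ip": "203.0.113.11"},
    {"user": "carol@contoso.example", "time": "2023-09-01T11:42:00Z", "ip": "198.51.100.7"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_federated_signins(signins, issuances, window=timedelta(minutes=5)):
    """Return sign-ins with no AD FS issuance for the same user within `window` before them.

    The window is an assumption: a legitimately issued token is normally redeemed
    within seconds, so an absent issuance inside a few minutes is the signal.
    """
    issued_by_user = {}
    for event in issuances:
        issued_by_user.setdefault(event["user"].lower(), []).append(_ts(event["issued"]))

    suspicious = []
    for signin in signins:
        t = _ts(signin["time"])
        candidates = issued_by_user.get(signin["user"].lower(), [])
        if not any(t - window <= issued <= t for issued in candidates):
            suspicious.append(signin)
    return suspicious


if __name__ == "__main__":
    for hit in unmatched_federated_signins(ENTRA_SIGNINS, ADFS_ISSUANCE):
        print(f"no AD FS issuance for {hit['user']} at {hit['time']} from {hit['ip']}")
```

The check only works if the AD FS issuance log is complete and clocks on both sides are synchronised; a missing log segment produces false positives, and an adversary who also controls the AD FS server can forge issuance entries, so the two sources should be collected independently.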