A new tool issued by the Cybersecurity and Infrastructure Security Agency aims to support network defenders with detecting malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 environments.
CISA developed the Untitled Goose Tool with support from Sandia National Laboratories. Goose adds authentication and data-gathering methods that support threat detection and analysis across Microsoft cloud services.
“Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory, Azure, and M365 environments,” CISA wrote.
Network defenders will need Python 3.7, 3.8, or 3.9 to run the tool, and CISA recommends running Goose inside a Python virtual environment.
The release follows several vulnerability disclosures affecting Azure services, including server-side request forgery (SSRF) flaws, a common class of web vulnerability in cloud environments. Disclosed in January, the flaws could be exploited without an Azure account.
Meanwhile, a cross-site request forgery (CSRF) vulnerability reported in January in Kudu, the source control management (SCM) back end used by multiple Microsoft Azure cloud services, could enable an attacker to take over an application and execute code remotely. The bug stems from a combination of misconfigurations and security bypasses in Kudu.
“Identity Attack Paths, where an attacker abuses legitimate user credentials and privileges to move laterally or escalate privilege until they reach their target, are a significant issue in many Azure deployments,” Andy Robbins, principal product architect at SpecterOps, previously explained in an SC Media primer.
These attack paths can enable an attacker to exfiltrate data or deploy malware while remaining difficult to detect and stop, because they rely on the abuse of legitimate functions and credentials, Robbins explained.
What’s more, “Azure Attack Paths are more difficult to secure and manage than on-premises Attack Paths because identities in Azure are a lot more complicated,” he added. “The connections in Active Directory,” for example, “are often poorly understood and offer many opportunities for attackers.”
The Untitled Goose Tool is intended to help defenders surface such activity and support remediation.
Upon detection of suspicious activity, security teams can use the tool to export and review AAD sign-in and audit logs, the M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint (MDE) data, as well as query, export, and investigate AAD, M365, and Azure configurations.
Further, the tool can extract cloud artifacts from AAD, Azure, and M365 environments without performing additional analytics, perform time bounding of the UAL and extract only the data within those bounds, and collect and review MDE data using similar time-bounding capabilities.
CISA urges network defenders to review the Untitled Goose Tool fact sheet before starting with the GitHub repository, to understand how the tool works. The fact sheet covers the permissions the tool requires (so that it is granted read-only access only) and step-by-step guidance for using it effectively. It also includes a section on known issues to support troubleshooting.
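The two capabilities just described, reviewing exported sign-in logs for suspicious activity and restricting the review to a time window, are the part of an investigation that happens after collection. The block below is an added example of that review step, written for this page; it is not code from the Untitled Goose Tool or from CISA. It parses newline-delimited JSON sign-in records, keeps only those inside a caller-supplied time bound, and runs two simple hunts: a run of failed sign-ins followed by a success from the same user and source IP (a brute-force or spray pattern), and a successful sign-in from a country outside the organisation's baseline. The records, the `example.com` users, the IP addresses, the baseline country set and the 10-minute window are all constructed for the illustration; the field names follow the Microsoft Graph `signIn` schema that AAD sign-in exports use, with error code 0 meaning success and 50126 meaning an invalid username or password.

```python
# Added example (not the Untitled Goose Tool's own code): hunting over exported
# AAD sign-in records after collection. Sample records are constructed for this
# illustration; field names follow the Microsoft Graph signIn schema, values
# (users, IPs, timestamps) are made up. errorCode 0 = success, 50126 = bad password.
import json
from collections import defaultdict
from datetime import datetime

# Constructed newline-delimited JSON, one sign-in event per line.
SAMPLE_SIGNINS = """
{"createdDateTime": "2023-03-20T08:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2023-03-20T08:05:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2023-03-20T08:05:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2023-03-20T08:06:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2023-03-20T08:06:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2023-03-20T09:00:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2023-03-20T10:00:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2023-03-21T23:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}, "location": {"countryOrRegion": "RU"}}
"""


def _parse_ts(iso_z):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' (Graph format)."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def parse_signins(ndjson_text):
    """Load newline-delimited sign-in records and return them sorted by time."""
    records = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = _parse_ts(rec["createdDateTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def within_bounds(records, start_iso, end_iso):
    """Time bounding: keep only records inside [start, end] (inclusive)."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    return [r for r in records if start <= r["_ts"] <= end]


def find_failures_then_success(records, min_failures=3, window_minutes=10):
    """Flag a success preceded by >= min_failures failures from the same
    user and source IP within window_minutes (brute-force / spray pattern)."""
    hits = []
    by_key = defaultdict(list)
    for r in records:  # records are already time-ordered
        by_key[(r["userPrincipalName"], r["ipAddress"])].append(r)
    for (upn, ip), recs in by_key.items():
        failures = []
        for r in recs:
            if r["status"]["errorCode"] != 0:
                failures.append(r)
                continue
            recent = [f for f in failures
                      if (r["_ts"] - f["_ts"]).total_seconds() <= window_minutes * 60]
            if len(recent) >= min_failures:
                hits.append({"user": upn, "ip": ip, "failures": len(recent),
                             "success_at": r["createdDateTime"]})
            failures = []  # a success resets the run
    return hits


def find_success_outside_baseline(records, baseline_countries):
    """Flag successful sign-ins from countries not in the expected set."""
    return [
        {"user": r["userPrincipalName"], "ip": r["ipAddress"],
         "country": r["location"]["countryOrRegion"], "at": r["createdDateTime"]}
        for r in records
        if r["status"]["errorCode"] == 0
        and r["location"]["countryOrRegion"] not in baseline_countries
    ]


def hunt(ndjson_text, start_iso, end_iso, baseline_countries):
    """Parse, time-bound, then run both hunts; returns a JSON-serialisable dict."""
    records = within_bounds(parse_signins(ndjson_text), start_iso, end_iso)
    return {
        "records_in_scope": len(records),
        "failures_then_success": find_failures_then_success(records),
        "success_outside_baseline": find_success_outside_baseline(records, baseline_countries),
    }


if __name__ == "__main__":
    # Review only 20 March; the 21 March RU sign-in falls outside the bound.
    print(json.dumps(hunt(SAMPLE_SIGNINS, "2023-03-20T00:00:00Z",
                          "2023-03-20T23:59:59Z", {"US"}), indent=2))
```

With the 20 March bound, the brute-force hunt returns only `bob@example.com` (three failures then a success from 198.51.100.7 within 90 seconds), and the geography hunt returns the same account because the success came from DE. Widening the bound to include 21 March adds Alice's RU sign-in to the geography hunt, which is the point of choosing the time window deliberately: a bound that is too narrow hides the follow-on activity, one that is too wide buries it. Real exports are much larger and the baseline should come from the organisation's own history rather than a hard-coded set.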