The discovery of vulnerabilities in Microsoft's cloud environments isn't exactly uncommon (just like cloud platforms developed by other vendors). In the past, we have seen critical vulnerabilities being patched in various Azure services including Azure Container Instances (ACI), Azure Automation, and Cosmos DB. Now, the U.S. Cybersecurity and Infrastructure Agency (CISA) has recommended the use of a Python-based utility to detect vulnerabilities specifically in Microsoft cloud environments.
The utility in question is dubbed "Untitled Goose Tool" and is developed in collaboration with the U.S. Department of Energy's Sandia National Laboratories. Untitled Goose Tool can be useful in determine signs of hacking in various Microsoft cloud environments including Azure, Microsoft 365, and Azure Active Directory (AAD).
It leverages various sophisticated hunting queries and can be used in tandem with other Microsoft detection and analysis tools to identify signs of exploitation. Its capabilities are listed below:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time bounding capabilities for MDE data.
Untitled Goose Tool can be downloaded from the GitHub repository here. Along with offering detailed installation and usage instructions, CISA has also recommended that the utility should be run in virtual environments.
Source: CISA via BleepingComputer