When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Use this Python utility developed by CISA to detect hacking in Microsoft cloud environments

The discovery of vulnerabilities in Microsoft's cloud environments isn't exactly uncommon (just like cloud platforms developed by other vendors). In the past, we have seen critical vulnerabilities being patched in various Azure services including Azure Container Instances (ACI), Azure Automation, and Cosmos DB. Now, the U.S. Cybersecurity and Infrastructure Agency (CISA) has recommended the use of a Python-based utility to detect vulnerabilities specifically in Microsoft cloud environments.

A laptop display with a coding IDE open and spectacles in the front
Photo by Kevin Ku

The utility in question is dubbed "Untitled Goose Tool" and is developed in collaboration with the U.S. Department of Energy's Sandia National Laboratories. Untitled Goose Tool can be useful in determine signs of hacking in various Microsoft cloud environments including Azure, Microsoft 365, and Azure Active Directory (AAD).

It leverages various sophisticated hunting queries and can be used in tandem with other Microsoft detection and analysis tools to identify signs of exploitation. Its capabilities are listed below:

  • Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
  • Query, export, and investigate AAD, M365, and Azure configurations.
  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
  • Perform time bounding of the UAL.
  • Extract data within those time bounds.
  • Collect and review data using similar time bounding capabilities for MDE data.

Untitled Goose Tool can be downloaded from the GitHub repository here. Along with offering detailed installation and usage instructions, CISA has also recommended that the utility should be run in virtual environments.

Source: CISA via BleepingComputer

Report a problem with article
Linus tech Tips
Next Article

Linus Tech Tips' YouTube channels were hacked due to a session hijacking attack

Windows 11 written in the middle against a red and purple background
Previous Article

Microsoft silently updates Windows 11 ReFS file system version in latest Canary build

Join the conversation!

Login or Sign Up to read and post a comment.

0 Comments - Add comment