On Thursday, CISA and Sandia National Laboratories released a new tool - Untitled Goose - to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. Among other features, Untitled Goose allows for the querying and exporting of AAD, M365, and Azure configurations for investigations.
With Active Directory (AD) arguably being the leading authentication and authorization platform, it has become a major and extremely successful attack vector for adversaries. Abusing AD misconfigurations allows adversaries to hide in plain sight and remain undetected. Once attackers have gained initial access to a system, many will quickly target AD to escalate privileges to Domain Administrator and use that elevated privilege to enumerate the network, locate valuable assets, steal data, deploy ransomware, and establish persistence. Because common misconfigurations typically make this stage of an attack trivial, it is worth periodically reviewing AD for potentially problematic policies. Untitled Goose looks like a great way to proactively search AD and other Microsoft environments for malicious activity and misconfigurations that could be undermining your defenses. Members are encouraged to have system administrators consider the benefits of this tool for hunting for and investigating suspicious activity in their environments. Read more at CISA.