Connect with us

Hi, what are you looking for?


Cloud Security

CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections

The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.

Microsoft addresses Cobalt Strike abuse

The U.S. government’s cybersecurity agency CISA has jumped into the fray to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.

The agency rolled out a free hunt and incident response utility called Untitled Goose Tool that offers novel authentication and data gathering methods to manage a full investigation against enterprise deployments of Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365).

In a note documenting the release, CISA said the Untitled Goose Tool can also gather additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The agency said Untitled Goose Tool was developed in tandem with researchers at Sandia National Laboratories to detect potentially malicious activity in Microsoft’s growing cloud ecosystem.  

Azure network defenders can use the tool to export and review sign-in audit logs and activity alerts from a range of Azure and Microsoft Defender environments to pinpoint signs of suspicious activity.

The tool can also be used to query, export, and investigate Azure Active Directory, M365, and Azure configurations. 

According to CISA, defenders can ingest the JSON results from Untitled Goose Tool into a Security Information and Event Management (SIEM) product, web browser, text editor, or a database.

Advertisement. Scroll to continue reading.

“Network defenders attempting to interrogate a large M365 tenant via the UAL may find that manually gathering all events at once is not feasible,” CISA said, noting that its Untitled Goose Tool comes with “novel data gathering methods via bespoke mechanisms.” 

The agency said cloud network administrators can use the tool to extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.

According to CloudVulnDB, an open project tracking vulnerabilities affecting major cloud providers, there’s a long list of major security issues haunting Redmond’s flagship Azure and defenders have long complained about the lack of visibility into potential infections.

Microsoft has scrambled to mitigate several major security flaws affecting Azure, including code execution and cross-tenant data access issues.  Some of the major issues include ChaosDB (exposed Azure customers’ database), SynLapse (impacted multiple Azure tenants), Azurescape (code execution and data access risks) and ExtraReplica (a collection of Azure bugs that exposed tenant databases).

Related: Microsoft Azure Vulnerability Allowed Code Execution

Related: Gem Security Gets $11M Seed Funding for Cloud Incident Response Platform 

Related: Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases

Related: New Database Catalogs Cloud Vulnerabilities, Security Issues

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...