New CISA tool detects hacking activity in Microsoft cloud services

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.

Known as the 'Untitled Goose Tool' and developed in collaboration with Sandia, a U.S. Department of Energy national laboratory, this Python-based utility can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.

"Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments," CISA says.

"Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT)."

With the help of CISA's cross-platform Microsoft cloud interrogation and analysis tool, security experts and network admins can:

Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity. Query, export, and investigate AAD, M365, and Azure configurations. Extract cloud artifacts from Microsoft's AAD, Azure, and M365 environments without performing additional analytics.  Perform time bounding of the UAL. Extract data within those time bounds.  Collect and review data using similar time-bounding capabilities for MDE data.

Earlier this month, CISA released an open-source tool called 'Decider' to help defenders generate MITRE ATT&CK mapping reports to adjust their security posture based on adversaries' tactics and techniques.

Decider was released after publishing a "best practices" guide about MITRE ATT&CK mapping in January, highlighting the importance of using the standard.

It also announced that starting January 2023, it warns critical infrastructure entities of Internet-exposed systems vulnerable to ransomware attacks.

"Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community," CISA revealed today.

This followed the launch of a new partnership in August 2021 to protect U.S. critical infrastructure from ransomware and other cyber threats, known as the Joint Cyber Defense Collaborative (JCDC).

The cybersecurity agency previously released in June 2021 a new module for its Cyber Security Evaluation Tool (CSET) known as Ransomware Readiness Assessment (RRA) to help organizations assess their readiness to prevent and recover from ransomware attacks.

Two months later, it published guidance to help at-risk private sector and government organizations prevent data breaches resulting from ransomware attacks.