cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Credentials stored in plain text in .conf #19

Closed golaat closed 1 year ago

golaat commented 1 year ago

🐛 Summary

As it stands, the username, password and client secret are all stored in plain text in the configuration file. These are sensitive values and should be protected. I'm surprised to see a tool coming from CISA employ this as a practice.
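A defender-side illustration of the fix being asked for, added here and not part of the untitledgoosetool code base: a loader that flags any secret written into the .conf, resolves secrets from environment variables instead, and checks that the file is not group/world readable. The `[auth]` section, the key names and the `GOOSE_*` variable names are assumptions for the example, not the tool's real configuration schema.

```python
import configparser
import os
import stat

# Keys treated as credentials (assumed names, not the tool's real schema).
SECRET_KEYS = ("password", "client_secret")

# Constructed sample .conf reproducing the complaint: secrets in plain text.
SAMPLE_CONF = """[auth]
username = analyst@example.onmicrosoft.com
password = hunter2
client_secret = abc123
"""


def find_plaintext_secrets(conf_text):
    """Return [(section, key)] for every secret key with a non-empty value."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in SECRET_KEYS and value.strip():
                found.append((section, key))
    return found


def load_auth(conf_text, env):
    """Load [auth]; refuse secrets stored in the file and take them from env.

    Secrets are read from GOOSE_PASSWORD / GOOSE_CLIENT_SECRET (assumed names),
    so the on-disk file only ever carries the non-sensitive fields.
    """
    leaked = find_plaintext_secrets(conf_text)
    if leaked:
        raise ValueError(f"secrets stored in plain text in config: {leaked}")
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    auth = dict(cp.items("auth"))
    for key in SECRET_KEYS:
        env_name = "GOOSE_" + key.upper()
        if env_name not in env:
            raise KeyError(f"missing environment variable {env_name}")
        auth[key] = env[env_name]
    return auth


def config_file_is_private(path):
    """True when the file grants no permissions to group or others (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```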

victoriawallace-cisa commented 1 year ago

Please see issue #3.

golaat commented 1 year ago

@victoriawallace-cisa It was not clear based on the abbreviation of the subject in Issue #3, which considers this a "Question/Idea". I would think having the credentials secured would be a day 1 requirement.