cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

goosey honk, auth error: raise KeyError(key) KeyError: 'auth' #34

Closed JoeyInvictus closed 1 year ago

JoeyInvictus commented 1 year ago

🐛 Summary

When I run the 'goosey honk' command I get a "raise KeyError(key) KeyError: 'auth'" error.

To reproduce

Steps to reproduce the behavior:

  1. Follow the installation instructions
  2. goosey auth (seems to work)
  3. goosey graze
  4. In the config file set UAL to True
  5. run goosey honk (here the error seems to occur)

Expected behavior

To acquire the Unified Audit Log.

Any helpful log output or screenshots

Results of the auth command:

```
2023-05-09 00:32:07,013 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:116)
2023-05-09 00:33:04,549 - auth - INFO - Device code authentication complete. (auth.py:279)
2023-05-09 00:33:08,663 - auth - INFO - Attempting to automatically auth as an user. You may have to accept MFA prompts. (auth.py:315)
2023-05-09 00:35:51,623 - auth - ERROR - Error obtaining Session ID cookie - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:509)
2023-05-09 00:35:51,817 - auth - ERROR - Error obtaining sccauth cookie - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:515)
2023-05-09 00:35:51,849 - auth - ERROR - Error obtaining XSRF-TOKEN - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:521)
2023-05-09 00:35:51,864 - auth - INFO - First tab: Obtained audit log cookies. (auth.py:523)
2023-05-09 00:35:51,959 - auth - INFO - Third tab: Obtained Exchange cookies. (auth.py:541)
2023-05-09 00:35:52,088 - auth - INFO - Second tab: Exchange Control Panel cookies acquired. (auth.py:569)
2023-05-09 00:36:00,776 - auth - INFO - User authentication complete. (auth.py:584)
```

Results of the goosey honk command:

```
2023-05-09 00:40:51,971 - honk - INFO - Reading in auth: .auth (honk.py:225)
2023-05-09 00:40:51,986 - honk - WARNING - Error getting section dictionary from config: No section: 'azure' (honk.py:151)
2023-05-09 00:40:51,987 - honk - WARNING - Error getting section dictionary from config: No section: 'm365' (honk.py:151)
2023-05-09 00:40:51,987 - honk - WARNING - Error getting section dictionary from config: No section: 'azuread' (honk.py:151)
2023-05-09 00:40:51,987 - honk - WARNING - Error getting section dictionary from config: No section: 'mde' (honk.py:151)
2023-05-09 00:40:51,987 - honk - DEBUG - {
  "azure": {},
  "m365": {},
  "azuread": {},
  "mde": {}
} (honk.py:182)
2023-05-09 00:40:51,987 - honk - INFO - Reading in authfile: .ugt_auth (honk.py:254)
2023-05-09 00:40:52,003 - honk - DEBUG - {
  "azure": {
    "activity_log": true
  },
  "m365": {
    "ual": true
  },
  "azuread": {},
  "mde": {}
} (honk.py:182)
2023-05-09 00:40:52,019 - honk - INFO - Goosey beginning to honk. (honk.py:275)
2023-05-09 00:40:52,019 - utils - WARNING - Missing option in config file: . Proceeding. (utils.py:232)
2023-05-09 00:40:52,036 - azure_dumper - DEBUG - Authority set to: login.microsoftonline.com (azure_dumper.py:64)
Traceback (most recent call last):
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\Scripts\goosey-script.py", line 33, in <module>
    sys.exit(load_entry_point('goosey==1.2.0', 'console_scripts', 'goosey')())
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\site-packages\goosey\main.py", line 89, in main
    honkmain(args)
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\site-packages\goosey\honk.py", line 278, in main
    asyncio.run(run(args, config, auth, auth_un_pw))
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\asyncio\runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\asyncio\base_events.py", line 642, in run_until_complete
    return future.result()
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\site-packages\goosey\honk.py", line 134, in run
    azure_dumper = AzureDataDumper(args.output_dir, args.reports_dir, maindumper.ahsession, mgmt_app_auth, config, auth_un_pw, args.debug)
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\site-packages\goosey\azure_dumper.py", line 87, in __init__
    self.subscription_id_list = config['auth']['subscriptionid'].split(",")
  File "C:\Users\User\AppData\Local\Programs\Python\Python39\lib\configparser.py", line 960, in __getitem__
    raise KeyError(key)
KeyError: 'auth'
```

The config file:

```
tenant=blabla
us_government=False
exo_us_government=False
subscriptionid=
m365=True

[filters]
date_start=
date_end=

[azure]
activity_log=True
alerts=False
all_azure_subscriptions=False
all_resources=False
assessments=False
bastion_logs=False
compliance=False
container_config=False
diagnostic_settings=False
file_shares=False
key_vault_log=False
network=False
nsg_flow_logs=False
portal_alerts=False
portal_defendersettings=False
portal_pcap=False
portal_sensors=False
security_center=False
storage_accounts=False
vm_config=False

[azuread]
applications=False
azuread_audit=False
azuread_provisioning=False
conditional_access=False
devices=False
directory_roles=False
groups=False
identity_provider=False
organization=False
policies=False
risk_detections=False
risky_objects=False
security=False
service_principals=False
signins_adfs=False
signins_msi=False
signins_rt=False
signins_sp=False
summaries=False
users=False

[m365]
exo_addins=False
exo_groups=False
exo_inboxrules=False
exo_mailbox=False
powershell_calls=False
ual=True

[mde]
advanced_hunting_query=False
alerts=False
indicators=False
investigations=False
library_files=False
machine_vulns=False
machines=False
recommendations=False
software=False

[msgtrc]
setemailaddress=
direction=
notifyaddress=
originalclientip=
recipientaddress=
reporttitle=
reporttype=
senderaddress=
```

victoriawallace-cisa commented 1 year ago

Hello, you need to specify a subscriptionid in your config. Even if you have none, you can specify All and not include any of the Azure calls if you wanted to skip Azure calls.
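The traceback above ends in `config['auth']['subscriptionid'].split(",")`, and the maintainer's fix is to set `subscriptionid` (or `All`) in the config. The following is an added example, not code from the untitledgoosetool project, showing with Python's `configparser` the three ways a config like the one posted can go wrong before any collection starts: the `[auth]` section is absent (the `KeyError: 'auth'` from the traceback), keys precede any section header (`MissingSectionHeaderError`), or `subscriptionid` is present but empty, which the unchecked lookup silently turns into `['']`. The sample config texts, the `preflight` function and its messages are constructed for this illustration; the project's own code does not contain them.

```python
import configparser
from typing import List

# Constructed sample configs, trimmed from the one posted in the issue (placeholder values).
# Variant 1: no [auth] section at all -> the unchecked lookup raises KeyError('auth').
CONFIG_NO_AUTH_SECTION = """\
[filters]
date_start=
date_end=

[azure]
activity_log=True

[m365]
ual=True
"""

# Variant 2: [auth] present but subscriptionid left blank -> lookup "succeeds" with [''].
CONFIG_EMPTY_SUBSCRIPTION = """\
[auth]
tenant=example-tenant
us_government=False
exo_us_government=False
subscriptionid=
m365=True

[azure]
activity_log=True
"""

# Variant 3: the fix the maintainer describes: subscriptionid set to All.
CONFIG_OK = CONFIG_EMPTY_SUBSCRIPTION.replace("subscriptionid=", "subscriptionid=All")


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def raw_lookup_result(text: str) -> str:
    """Run the same unchecked lookup as the traceback and report what happens."""
    cfg = load_config(text)
    try:
        return "ok: " + ",".join(cfg["auth"]["subscriptionid"].split(","))
    except KeyError as exc:
        return f"KeyError: {exc.args[0]}"


def preflight(cfg: configparser.ConfigParser) -> List[str]:
    """Return human-readable config problems instead of letting a KeyError surface mid-run."""
    problems: List[str] = []
    if not cfg.has_section("auth"):
        problems.append("missing [auth] section")
        return problems
    auth = cfg["auth"]
    for key in ("tenant", "subscriptionid"):
        if not auth.get(key, "").strip():
            problems.append(f"[auth] {key} is empty or missing")
    # Mirror the tool's comma-split, but drop blank entries so '' is not treated as an ID.
    ids = [s.strip() for s in auth.get("subscriptionid", "").split(",") if s.strip()]
    azure_enabled = cfg.has_section("azure") and any(
        cfg["azure"].getboolean(k, fallback=False) for k in cfg["azure"]
    )
    if azure_enabled and not ids:
        problems.append(
            "[azure] collection enabled but no subscriptionid set "
            "(use 'All' or a comma-separated list)"
        )
    return problems


def check_config_text(text: str) -> List[str]:
    """Parse and validate config text; keys before any [section] header are reported too."""
    cfg = configparser.ConfigParser()
    try:
        cfg.read_string(text)
    except configparser.MissingSectionHeaderError:
        return ["keys appear before any [section] header (is the [auth] header missing?)"]
    return preflight(cfg)


if __name__ == "__main__":
    for name, text in (("no_auth", CONFIG_NO_AUTH_SECTION),
                       ("empty_sub", CONFIG_EMPTY_SUBSCRIPTION),
                       ("ok", CONFIG_OK)):
        print(name, "->", raw_lookup_result(text), "| preflight:", check_config_text(text))
```

Running the unchecked lookup over the three variants shows why the traceback is a poor error message: only the first variant fails loudly, while an empty `subscriptionid` passes the lookup and would only fail later in an Azure call. The preflight check reports all three cases up front, which is where an investigator wants to learn about a bad config rather than after authentication has already been completed.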

victoriawallace-cisa commented 1 year ago

Also, it looks like there was a partial failure in your user authentication attempt:

```
2023-05-09 00:35:51,623 - auth - ERROR - Error obtaining Session ID cookie - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:509)
2023-05-09 00:35:51,817 - auth - ERROR - Error obtaining sccauth cookie - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:515)
2023-05-09 00:35:51,849 - auth - ERROR - Error obtaining XSRF-TOKEN - security.microsoft.com/auditlogsearch: 'NoneType' object has no attribute 'get' (auth.py:521)
```

You might want to retry auth or see if there's an issue with your portal (suggest manually navigating to security.microsoft.com/auditlogsearch to validate).

JoeyInvictus commented 1 year ago

After adding the subscriptionid it works fine :)!