cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

REST API instead of Selenium scraping? #40

Closed jmacdone closed 1 year ago

jmacdone commented 1 year ago

💡 Summary

I'd like to see the requirement for an exchange admin user dropped in favor of a service principal

Motivation and context

I thought it was odd to require both interactive credentials and an app registration. I'd prefer to set up just the app registration. Additionally, screen scraping is known to be brittle. The REST interface should be less so.

Implementation notes

https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)#fields

At a glance, messagetrace.py would be updated to call something like

```python
# this will probably need some urllib.parse.urlencode() too
f"""https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'{date_90_days_ago}' and EndDate eq datetime'{datetime_now}'"""
```

This messagetrace.py just happened to be the first instance of selenium I saw. There could be others.

Acceptance criteria

API permission requirements are updated to include ReportingWebService.Read.All and the ['auth']['username'] and ['auth']['password'] config requirements are removed.
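As an added example (not code from untitledgoosetool and not the issue author's), the sketch above carried through: the 90-day window is computed from a given timestamp, the OData `$filter` is URL-encoded with `urllib.parse.urlencode()` rather than left raw in an f-string, the filter is decoded back out to check the round trip, and the request is built with a bearer token in place of a browser cookie. Only the MessageTrace endpoint and the StartDate/EndDate fields come from the linked documentation; the function names are this example's own, and the bearer-token step assumes the service accepts an OAuth token for an app holding ReportingWebService.Read.All, which the issue does not confirm.

```python
# Added example for this issue; it is not code from untitledgoosetool or
# from the issue author. It assumes only the MessageTrace endpoint and the
# StartDate/EndDate $filter fields linked above; every function name here is
# this example's own, and build_request() assumes a bearer token is what the
# service wants (an assumption, not something the issue confirms).
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

REPORTING_BASE = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc"


def odata_datetime(dt: datetime) -> str:
    """Render a datetime as an OData datetime literal, normalising to UTC.

    Aware datetimes are converted to UTC; naive ones are used as given.
    """
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc).replace(tzinfo=None)
    return f"datetime'{dt.strftime('%Y-%m-%dT%H:%M:%S')}'"


def message_trace_url(now: datetime, days: int = 90) -> str:
    """Return the MessageTrace URL for the `days` days ending at `now`.

    urlencode() percent-encodes the spaces, quotes and colons inside the
    $filter value; a bare f-string would leave them raw in the URL.
    safe="$" keeps the OData system option name `$filter` literal.
    """
    start = now - timedelta(days=days)
    flt = f"StartDate eq {odata_datetime(start)} and EndDate eq {odata_datetime(now)}"
    return f"{REPORTING_BASE}/MessageTrace?{urlencode({'$filter': flt}, safe='$')}"


def decode_filter(url: str) -> str:
    """Recover the plain-text $filter from a built URL (round-trip check)."""
    return parse_qs(urlsplit(url).query)["$filter"][0]


def build_request(url: str, access_token: str) -> Request:
    """Attach a service-principal bearer token instead of a browser cookie.

    Assumption: the service accepts an OAuth bearer token for an app that
    holds ReportingWebService.Read.All. The request is built, not sent.
    """
    return Request(url, headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    url = message_trace_url(datetime.now(timezone.utc))
    print(url)
    print(decode_filter(url))
```

Running the module prints the encoded URL for the last 90 days and the decoded filter; nothing is sent, so it can be checked offline before wiring a token into it.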

victoriawallace-cisa commented 1 year ago

Hello, so the username and password isn't just used for the message trace call. There are many calls that depend on cookies that are grabbed using selenium. The reason we used selenium was because the official REST API didn't return the information we needed.

victoriawallace-cisa commented 1 year ago

Also, please feel free to submit a pull request, we always welcome them!