cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

goosey honk command generates no ADFS logs and no explicit debug messages #68

Open A4M5 opened 2 weeks ago

A4M5 commented 2 weeks ago

🐛 Summary

At my company, I wanted to use the latest version of UntitledGooseTool, but the goosey honk command does not return any ADFS logs.

To reproduce

Version used: 2.0.2. OS: Red Hat Enterprise Linux release 9.4 (Plow)

Dockerfile :

FROM python:3.12-slim

# proxy organization
# ENV values are recorded in the image metadata and every later layer, so the proxy
# credentials are readable by anyone who can pull the image (docker history / docker inspect)
ENV https_proxy=http://<my-proxy>:<my-proxy-password>@<proxy-domain.com>:8090
ENV http_proxy=http://<my-proxy>:<my-proxy-password>@<proxy-domain.com>:8090

RUN apt-get update

# create the necessary directories
RUN mkdir -p /ugt/goosey /workdir /workdir/output /workdir/reports /workdir/output/azure /workdir/output/m365 /workdir/output/entraid /workdir/output/mde

# install
# with more than one source file the COPY destination must be a directory ending in "/"
COPY setup.py requirements.txt /ugt/
COPY goosey /ugt/goosey
WORKDIR /ugt
RUN pip install .

WORKDIR /workdir

# generate .auth + .conf files
RUN goosey conf

# add Tenant ID in .conf file
RUN sed -i 's/^tenant=.*$/tenant=<my-tenant-id>/' /workdir/.conf

# replace empty .auth file
# /bin/sh on this image is dash, whose echo expands "\n", so the file gets one key per line;
# note that the password and client secret written here end up stored in an image layer
RUN echo "[auth]\nusername=<my-username>\npassword=<my-password>\nappid=<my-app-id>\nclientsecret=<my-client-secret>" > /workdir/.auth

# auth (runs at build time, so the token cache is also baked into the image)
RUN goosey auth --debug --insecure

Build this Dockerfile:

docker build . -t goosey

Run the goosey honk --debug --entraid command:

docker run -it goosey goosey honk --debug --entraid
2024-09-04 13:02:29,128 - None - DEBUG - {
  "azure": {},
  "m365": {},
  "entraid": {
    "configs": true,
    "entraid_audit": true,
    "entraid_provisioning": true,
    "risk_detections": true,
    "risky_objects": true,
    "security": true,
    "signins_adfs": true,
    "signins_msi": true,
    "signins_rt": true,
    "signins_sp": true
  },
  "mde": {}
} (honk.py:157)
2024-09-04 13:02:29,128 - None - INFO - Goosey beginning to honk. (honk.py:204)
2024-09-04 13:02:29,130 - None - INFO - Goosey executed in 0.00 seconds. (honk.py:211)

And nothing has been generated; no ADFS log is available.

Thank you in advance for solving this problem and obtaining the ADFS logs.

I remain available if you need more information.

nkantor-snl commented 2 days ago

Hi @A4M5. Sorry to hear about that issue. Let's see if we can figure it out. I see that you have modified the Dockerfile to pipe in the .auth and .conf files. I definitely recommend doing all of that with a volume mounted into the docker container. The README references doing that for the honk command, but you can do that for the conf and auth commands as well. e.g.

docker run -it -v $PWD:/workdir goosey goosey conf --config_tenant=5fd146ad-8b31-4afa-a72f-6f71df5c7173 --config_subscriptionid=all --auth_appid=24fd6377-79e0-445d-838b-3eaa60d3ca21 --auth_clientsecret=9gh8Q~U7Sd.TRNad5Qpd_GL_UM1slEPJTOLyGt-_

and

docker run -it -v $PWD:/workdir goosey goosey auth --debug

That way all of the generated conf, auth, and output files get created in your current working directory. I'll make sure to update the README to reference that those commands can be run like that as well. Are you able to try doing it this way and check if any logs from entraid get created? In the meantime I can try and replicate what you are seeing (or not seeing) by putting everything in the container through the Dockerfile and see if I am experiencing the same issue.
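Added example, not code from cisagov/untitledgoosetool and not from either participant in this thread: the same conf, auth, honk --entraid sequence as the Dockerfile in the issue, but with the working directory bind-mounted into /workdir as the maintainer recommends, the .auth file written on the host with owner-only permissions instead of being baked into an image layer, and a check afterwards for whether honk left anything under output/entraid. The image tag goosey, the GOOSEY_* variable names, the goosey_mounted.sh file name and the assumption that Entra ID results land under output/entraid (the directory the issue's Dockerfile creates) are assumptions made here, not the project's documented behaviour.

```shell
#!/bin/sh
# Added example (not part of cisagov/untitledgoosetool). Runs conf -> auth -> honk
# against an image tagged "goosey" with the host directory mounted at /workdir,
# keeping credentials out of the image. GOOSEY_* variable names and the
# output/entraid location are assumptions made for this example.
set -eu

# Write .auth in the format the issue's Dockerfile echoes, but with owner-only
# permissions and values taken from the environment, so the password and client
# secret appear in neither an image layer nor the shell history.
write_auth_file() {
    workdir=$1
    (
        umask 077
        printf '[auth]\nusername=%s\npassword=%s\nappid=%s\nclientsecret=%s\n' \
            "${GOOSEY_USERNAME:?}" "${GOOSEY_PASSWORD:?}" \
            "${GOOSEY_APPID:?}" "${GOOSEY_CLIENTSECRET:?}" > "$workdir/.auth"
    )
}

# Run one goosey subcommand in the container with the host directory mounted at
# /workdir, so .conf, .auth and output/ all live on the host.
goosey_in_docker() {
    workdir=$1
    shift
    docker run --rm -it -v "$workdir:/workdir" goosey goosey "$@"
}

# Return 0 if at least one file exists under output/entraid, 1 otherwise. A honk
# that finishes in 0.00 seconds and leaves this directory empty is the symptom
# reported in the issue.
check_entraid_output() {
    dir=$1/output/entraid
    [ -d "$dir" ] || return 1
    n=$(find "$dir" -type f | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

main() {
    workdir=${1:-$PWD}
    mkdir -p "$workdir"
    # conf generates .conf (and an empty .auth); the tenant and subscription
    # flags are the ones used in the maintainer's reply.
    goosey_in_docker "$workdir" conf \
        --config_tenant="${GOOSEY_TENANT:?}" --config_subscriptionid=all
    # Overwrite the empty .auth from the host rather than from a RUN echo line.
    write_auth_file "$workdir"
    goosey_in_docker "$workdir" auth --debug
    goosey_in_docker "$workdir" honk --debug --entraid
    if check_entraid_output "$workdir"; then
        echo "honk wrote files under $workdir/output/entraid"
    else
        echo "honk finished but $workdir/output/entraid is empty; check the auth --debug log" >&2
        return 1
    fi
}

# Only run the full sequence when invoked as: sh goosey_mounted.sh run [workdir]
case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Usage: export GOOSEY_TENANT, GOOSEY_USERNAME, GOOSEY_PASSWORD, GOOSEY_APPID and GOOSEY_CLIENTSECRET in the shell, then run `sh goosey_mounted.sh run ./case-001`. Because .auth is created with umask 077 on the host and only mounted, rebuilding or sharing the goosey image never carries the tenant credentials with it, and the final check turns the "nothing was generated" outcome into a non-zero exit status that a wrapper script can act on.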