From 25e693ce2710b4a171d7b166091cdec93cb1329a Mon Sep 17 00:00:00 2001
From: Sean Geoghegan
Date: Sat, 15 Jul 2023 17:04:58 -0400
Subject: [PATCH 1/4] Updated PWNCheck
---
 Hawk/functions/User/Get-HawkUserPWNCheck.ps1 | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Hawk/functions/User/Get-HawkUserPWNCheck.ps1 b/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
index 8e2e05d..26fe943 100644
--- a/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
+++ b/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
@@ -27,7 +27,7 @@ HaveIBeenPwned.com now requires an API access key to gather Stats with from their API.
- Please purchase an API key for $3.50 a month from get a Free access key from https://haveibeenpwned.com/API/Key and provide it below.
+ Please purchase an API key for `$3.50 a month from get a Free access key from https://haveibeenpwned.com/API/Key and provide it below.
 "
@@ -35,13 +35,18 @@ $hibpkey = Read-Host "haveibeenpwned.com apikey"
 }
+ #check for Email passed into cmdlet
+ if ($null -eq $email){
+ $email = Read-Host "Please enter the SMTP Address of the user account you are investigating."
+ }
+
 # Verify our UPN input
 [array]$UserArray = Test-UserObject -ToTest $Email
 $headers=@{'hibp-api-key' = $hibpkey}
 foreach ($Object in $UserArray) {
- $[string]$User = $Object.UserPrincipalName
+ [string]$User = $Object.UserPrincipalName
 # Convert the email to URL encoding
 $uriEncodeEmail = [uri]::EscapeDataString($($user))
From 69e0d6a3e99b45d0e6298e8ae8b9e3c332718948 Mon Sep 17 00:00:00 2001
From: Sean Geoghegan
Date: Sat, 15 Jul 2023 17:20:49 -0400
Subject: [PATCH 2/4] Added variable aliases
---
 Hawk/functions/User/Get-HawkUserPWNCheck.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Hawk/functions/User/Get-HawkUserPWNCheck.ps1 b/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
index 26fe943..afebcef 100644
--- a/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
+++ b/Hawk/functions/User/Get-HawkUserPWNCheck.ps1
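Review bot: The escaped line still reads `for `$3.50 a month from get a Free access key from`, which looks like a word dropped out between the two alternatives, so the prompt the analyst sees is hard to parse; if two options are meant, `for `$3.50 a month or get a Free access key from https://haveibeenpwned.com/API/Key` reads correctly. The backtick itself is the right fix, since an unescaped `$3` inside a double-quoted string is parsed as a variable reference and the price would print as `.50`. The here-string this line sits in starts and ends outside the hunk.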
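Review bot: The new guard `if ($null -eq $email){` only catches an omitted argument; an explicit empty string or empty array passes straight through, and whatever Read-Host returns (including a bare Enter) is handed to Test-UserObject without a check. `if (-not $Email) {` covers null, empty string and empty array in one test, or marking the parameter `[Parameter(Mandatory = $true)]` would let PowerShell do the prompting and the emptiness check itself. The file otherwise spells the parameter `$Email` (see `Test-UserObject -ToTest $Email` a few lines down), so the added lines should use the same casing even though PowerShell does not distinguish them. The enclosing function, and the foreach opened on the hunk's last lines, continue outside the hunk.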
@@ -18,7 +18,7 @@ Returns the pwn state of the email address provided
 #>
- param([array]$Email)
+ param([Alias("User","UPN")][array]$Email)
 # if there is no value of hibpkey then we need to get it from the user
 if ($null -eq $hibpkey) {
From f3c7f566f2da0e5d1cc4139f1700a538b1427006 Mon Sep 17 00:00:00 2001
From: Sean Geoghegan
Date: Mon, 17 Jul 2023 10:54:51 -0400
Subject: [PATCH 3/4] commit to test issue with EXO Log Generation
---
 Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
index c084318..f244c75 100644
--- a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
+++ b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
@@ -148,6 +148,8 @@ Function Search-HawkTenantEXOAuditLog {
 # Get the user object modified
 $user = ($Change.CmdletParameters | Where-Object ($_.name -eq "Identity")).value
+ ####STUB
+ $user
 # Check the ForwardingSMTPAddresses first
 if ([string]::IsNullOrEmpty(($Change.CmdletParameters | Where-Object { $_.name -eq "ForwardingSMTPAddress" }).value)) { }
@@ -161,7 +163,7 @@ Function Search-HawkTenantEXOAuditLog {
 else {
 # Here we get back a recipient object in EXO not an SMTP address
 # So we need to go track down the recipient object
- $recipient = Get-EXORecipient (($Change.CmdletParameters | Where-Object { $_.name -eq "ForwardingAddress" }).value) -ErrorAction SilentlyContinue
+ $recipient = Get-Recipient (($Change.CmdletParameters | Where-Object { $_.name -eq "ForwardingAddress" }).value) -ErrorAction SilentlyContinue
 # If we can't resolve the recipient we need to log that
 if ($null -eq $recipient) {
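Review bot: The bare `$user` added after `####STUB` is not a no-op: an unassigned expression inside a function body is written to the success stream, so every forwarding change now pushes the modified identity into whatever consumes Search-HawkTenantEXOAuditLog's output, mixed in with its real results. Patch 4/4 of this series removes both lines, so this commit should not be merged on its own; if the value is worth tracing, `Write-Verbose "Forwarding change on $user"` keeps it out of the pipeline. The context line above, `Where-Object ($_.name -eq "Identity")`, passes a parenthesised expression where a `{ }` script block is needed, so `$_` is not evaluated per object — patch 4/4 corrects that as well. The enclosing Foreach starts and ends outside the hunk.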
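Review bot: Nothing records why `Get-EXORecipient` was replaced by `Get-Recipient`, and the commit title ("commit to test issue") does not say either, so the next reader cannot tell whether the REST-backed cmdlet failed on these forwarding targets or was simply unavailable in the session; a comment above the line, e.g. `# Get-Recipient rather than Get-EXORecipient: <describe the failing case observed>`, would settle that. Keeping `-ErrorAction SilentlyContinue` is acceptable here because the `$null -eq $recipient` branch directly below logs the unresolved target. The else block this sits in, and the if opened on the last line, continue outside the hunk.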
@@ -170,6 +172,7 @@ Function Search-HawkTenantEXOAuditLog {
 # If we can resolve it then we need to push the address the mail was being set to into $output
 else {
 # Determine the type of recipient and handle as needed to get out the SMTP address
+ Write-Host $recipient.RecipientType
 Switch ($recipient.RecipientType) {
 # For mailcontact we needed the external email address
 MailContact {
From ac3f3664c3ef9f96fdeff71437c60e386857fd82 Mon Sep 17 00:00:00 2001
From: Sean Geoghegan
Date: Mon, 17 Jul 2023 23:13:33 -0400
Subject: [PATCH 4/4] Improved Logic for 250k events. Fixed Null results
---
 .../Tenant/Search-HawkTenantEXOAuditLog.ps1 | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
index f244c75..676c74f 100644
--- a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
+++ b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
@@ -1,5 +1,5 @@
 Function Search-HawkTenantEXOAuditLog {
-<#
+ <#
 .SYNOPSIS
 Searches the admin audit logs for possible bad actor activities
 .DESCRIPTION
@@ -85,7 +85,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Search for the creation of ANY inbox rules
 Out-LogFile "Searching for ALL Inbox Rules Created in the Shell" -action
- [array]$TenantInboxRules = Search-AdminAuditLog -Cmdlets New-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
+ [array]$TenantInboxRules = Search-AdminAuditLog -Cmdlets New-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -ResultSize 250000
 # If we found anything report it and log it
 if ($TenantInboxRules.count -gt 0) {
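Review bot: `-ResultSize 250000` raises the ceiling but gives no signal when it is reached, and to my recollection 250000 is the largest value Search-AdminAuditLog accepts, so a tenant with more matching events in the window is silently truncated and the rest of the investigation runs on a partial log; the same applies to the hunks at -97, -109, -121, -132 and -195. A check after each search, `if ($TenantInboxRules.count -ge 250000) { Out-LogFile "Audit log result cap reached; results may be incomplete" -notice }`, would surface that to the analyst. The literal is now repeated six times in the function, so hoisting it into one variable near the top (`$MaxAuditResults = 250000`) would keep the cap and the warning threshold from drifting apart. Search-HawkTenantEXOAuditLog begins and ends outside the hunk.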
@@ -97,7 +97,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Search for the Modification of ANY inbox rules
 Out-LogFile "Searching for ALL Inbox Rules Modified in the Shell" -action
- [array]$TenantSetInboxRules = Search-AdminAuditLog -Cmdlets Set-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
+ [array]$TenantSetInboxRules = Search-AdminAuditLog -Cmdlets Set-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -ResultSize 250000
 # If we found anything report it and log it
 if ($TenantSetInboxRules.count -gt 0) {
@@ -109,7 +109,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Search for the Modification of ANY inbox rules
 Out-LogFile "Searching for ALL Inbox Rules Removed in the Shell" -action
- [array]$TenantRemoveInboxRules = Search-AdminAuditLog -Cmdlets Remove-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
+ [array]$TenantRemoveInboxRules = Search-AdminAuditLog -Cmdlets Remove-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -ResultSize 250000
 # If we found anything report it and log it
 if ($TenantRemoveInboxRules.count -gt 0) {
@@ -121,7 +121,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Searching for interesting inbox rules
 Out-LogFile "Searching for Interesting Inbox Rules Created in the Shell" -action
- [array]$InvestigateInboxRules = Search-AdminAuditLog -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -cmdlets New-InboxRule -Parameters ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
+ [array]$InvestigateInboxRules = Search-AdminAuditLog -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -cmdlets New-InboxRule -Parameters ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage -ResultSize 250000
 # if we found a rule report it and output it to the _Investigate files
 if ($InvestigateInboxRules.count -gt 0) {
@@ -132,7 +132,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Look for changes to user forwarding
 Out-LogFile "Searching for user Forwarding Changes" -action
- [array]$TenantForwardingChanges = Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress, ForwardingSMTPAddress -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
+ [array]$TenantForwardingChanges = Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ForwardingAddress, ForwardingSMTPAddress -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -ResultSize 250000
 if ($TenantForwardingChanges.count -gt 0) {
 Out-LogFile ("Found " + $TenantForwardingChanges.count + " Change(s) to user Email Forwarding") -notice
@@ -147,9 +147,7 @@ Function Search-HawkTenantEXOAuditLog {
 Foreach ($Change in $TenantForwardingChanges) {
 # Get the user object modified
- $user = ($Change.CmdletParameters | Where-Object ($_.name -eq "Identity")).value
- ####STUB
- $user
+ $user = ($Change.CmdletParameters | Where-Object { $_.name -eq "Identity" }).value
 # Check the ForwardingSMTPAddresses first
 if ([string]::IsNullOrEmpty(($Change.CmdletParameters | Where-Object { $_.name -eq "ForwardingSMTPAddress" }).value)) { }
@@ -172,17 +170,17 @@ Function Search-HawkTenantEXOAuditLog {
 # If we can resolve it then we need to push the address the mail was being set to into $output
 else {
 # Determine the type of recipient and handle as needed to get out the SMTP address
- Write-Host $recipient.RecipientType
 Switch ($recipient.RecipientType) {
 # For mailcontact we needed the external email address
 MailContact {
- [array]$Output += $recipient | Select-Object -Property @{Name = "UserModified"; Expression = { $user } }; @{Name = "TargetSMTPAddress"; Expression = { $_.ExternalEmailAddress.split(":")[1] } }
+ [array]$Output += $recipient | Select-Object -Property @{Name = "UserModified"; Expression = { $user } }, @{Name = "TargetSMTPAddress"; Expression = { $_.ExternalEmailAddress.split(":")[1] } }
 }
 # For all others I believe primary will work
 Default {
- [array]$Output += $recipient | Select-Object -Property @{Name = "UserModified"; Expression = { $user } }; @{Name = "TargetSMTPAddress"; Expression = { $_.PrimarySmtpAddress } }
+ [array]$Output += $recipient | Select-Object -Property @{Name = "UserModified"; Expression = { $user } }, @{Name = "TargetSMTPAddress"; Expression = { $_.PrimarySmtpAddress } }
 }
 }
+ $recipient.RecipientType
 }
 }
 }
@@ -195,7 +193,7 @@ Function Search-HawkTenantEXOAuditLog {
 # Look for changes to mailbox permissions
 Out-LogFile "Searching for Mailbox Permissions Changes" -Action
- [array]$TenantMailboxPermissionChanges = Search-AdminAuditLog -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -cmdlets Add-MailboxPermission
+ [array]$TenantMailboxPermissionChanges = Search-AdminAuditLog -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -cmdlets Add-MailboxPermission -ResultSize 250000
 if ($TenantMailboxPermissionChanges.count -gt 0) {
 Out-LogFile ("Found " + $TenantMailboxPermissionChanges.count + " changes to mailbox permissions")
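Review bot: The added `$recipient.RecipientType` after the Switch is the same diagnostic this hunk removes as `Write-Host`, now in a worse form: as a bare expression it goes to the success stream, so every resolved forwarding target pushes a RecipientType value into the function's output alongside the `$Output` records. It should be deleted, or if the type is worth keeping, written as `Write-Verbose "Resolved forwarding target type: $($recipient.RecipientType)"`. The `;` to `,` change in both `Select-Object -Property` lists is the right fix; with the semicolon the second hashtable was a separate statement, so `TargetSMTPAddress` was never computed and a stray hashtable was emitted instead. The surrounding else and Foreach blocks start outside the hunk.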