Merge pull request T0pCyber#88 from T0pCyber/Development

T0pCyber · web-flow · commit 962055777bec · 2022-04-09T18:30:02.000-04:00
Development
diff --git a/Hawk/Hawk.psd1 b/Hawk/Hawk.psd1
@@ -3,7 +3,7 @@
 	RootModule = 'Hawk.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '2.0.3.2'
+	ModuleVersion = '3.0.0'
 
 	# ID used to uniquely identify this module
 	GUID = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
@@ -15,7 +15,7 @@
 	CompanyName = 'Cloud Forensicator'
 
 	# Copyright statement for this module
-	Copyright = 'Copyright (c) 2020 Paul Navarro'
+	Copyright = 'Copyright (c) 2022 Paul Navarro'
 
 	# Description of the functionality provided by this module
 	Description = 'Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
diff --git a/Hawk/Hawk.psm1 b/Hawk/Hawk.psm1
@@ -18,33 +18,33 @@ $importIndividualFiles = Get-PSFConfigValue -FullName Hawk.Import.IndividualFile
 if ($Hawk_importIndividualFiles) { $importIndividualFiles = $true }
 if (Test-Path (Resolve-PSFPath -Path "$($script:ModuleRoot)\..\.git" -SingleItem -NewChild)) { $importIndividualFiles = $true }
 if ("<was not compiled>" -eq '<was not compiled>') { $importIndividualFiles = $true }
-	
+
 function Import-ModuleFile
 {
 	<#
 		.SYNOPSIS
 			Loads files into the module on module import.
-		
+
 		.DESCRIPTION
 			This helper function is used during module initialization.
 			It should always be dotsourced itself, in order to proper function.
-			
+
 			This provides a central location to react to files being imported, if later desired
-		
+
 		.PARAMETER Path
 			The path to the file to load
-		
+
 		.EXAMPLE
 			PS C:\> . Import-ModuleFile -File $function.FullName
-	
+
 			Imports the file stored in $function according to import policy
 	#>
 	[CmdletBinding()]
 	Param (
 		[string]
 		$Path
 	)
-	
+
 	$resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
 	if ($doDotSource) { . $resolvedPath }
 	else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }
@@ -57,24 +57,24 @@ if ($importIndividualFiles)
 	foreach ($path in (& "$ModuleRoot\internal\scripts\preimport.ps1")) {
 		. Import-ModuleFile -Path $path
 	}
-	
+
 	# Import all internal functions
 	foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
 	{
 		. Import-ModuleFile -Path $function.FullName
 	}
-	
+
 	# Import all public functions
 	foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
 	{
 		. Import-ModuleFile -Path $function.FullName
 	}
-	
+
 	# Execute Postimport actions
 	foreach ($path in (& "$ModuleRoot\internal\scripts\postimport.ps1")) {
 		. Import-ModuleFile -Path $path
 	}
-	
+
 	# End it here, do not load compiled code below
 	return
 }
diff --git a/Hawk/changelog.md b/Hawk/changelog.md
@@ -18,4 +18,12 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Added dependency of Exchange Online Management V2 PowerShell module and updated functions to reflect
 
 ## 2.0.3.1 (2021-05-05)
-- Fixed MSOnline Requirement to manifest
+- Fixed MSOnline Requirement to manifest
+
+## 3.0.0 (2022-04-09)
+- Updated community pull requests
+a. Encoding to UTF8 - Enhancement - TakayukiTomatsuri
+b. Updated $RangeEnd to datetime - Bug - cfc-zcarter
+c. Updated Sweep variable - Bug
+d. Added Default Tenant Name to Hawk folder name - Issue#86 - Enhancement - Snickasaurus
+e. Updated Get-HawkTenantEXOAdmins to accurately list admins that is a group
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAZAdmins.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAZAdmins.ps1
@@ -15,6 +15,10 @@
 .NOTES
 #>
 BEGIN{
+    #Initializing Hawk Object if not present
+    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+        Initialize-HawkGlobalObject
+    }
     Out-LogFile "Gathering Azure AD Administrators"
 
     Test-AzureADConnection
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetails.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetails.ps1
@@ -19,8 +19,12 @@
 .NOTES
 #>
 BEGIN{
+    #Initializing Hawk Object if not present
+    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+		Initialize-HawkGlobalObject
+	}
     Test-AzureADConnection
-    
+
     Out-LogFile "Collecting Azure AD Service Principals"
     $spns = get-azureadserviceprincipal -all $true | Sort-Object -Property DisplayName
     Out-LogFile "Collecting Azure AD Registered Applications"
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAzureADUsers.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAzureADUsers.ps1
@@ -16,6 +16,10 @@
 .NOTES
 #>
 BEGIN{
+    #Initializing Hawk Object if not present
+    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+		Initialize-HawkGlobalObject
+	}
     Out-LogFile "Gathering Azure AD Users"
 
     Test-AzureADConnection
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEXOAdmins.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEXOAdmins.ps1
@@ -26,7 +26,7 @@ PROCESS{
                 if([string]::IsNullOrWhiteSpace($admin.WindowsLiveId)){
                     [PSCustomObject]@{
                         ExchangeAdminGroup = $Role.Name
-                        Members= $admin.name
+                        Members= $admin.DisplayName
                         RecipientType = $admin.RecipientType
                     }
                 }
diff --git a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
@@ -221,7 +221,7 @@
     }
 
     if ($Output.count -gt 1) {
-        Out-LogFile ("Found " + $Output.cout + " Users/Groups with Impersonation rights.  Default is 1") -notice
+        Out-LogFile ("Found " + $Output.count + " Users/Groups with Impersonation rights.  Default is 1") -notice
         $Output | Out-MultipleFileType -fileprefix "Impersonation_Rights" -csv -xml
         $Output | Out-MultipleFileType -fileprefix "_Investigate_Impersonation_Rights" -csv -xml -Notice
     }
diff --git a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1
@@ -19,6 +19,9 @@
 
 R	uns all of the tenant investigation cmdlets.
 #>
+	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+		Initialize-HawkGlobalObject
+	}
 
 	Out-LogFile "Starting Tenant Sweep" -action
 	Send-AIEvent -Event "CmdRun"
diff --git a/Hawk/functions/User/Get-HawkUserInboxRule.ps1 b/Hawk/functions/User/Get-HawkUserInboxRule.ps1
@@ -70,10 +70,22 @@ Function Get-HawkUserInboxRule {
                 # If we have set the Investigate flag then report it and output it to a seperate file
                 if ($Investigate -eq $true) {
                     Out-LogFile ("Possible Investigate inbox rule found ID:" + $Rule.Identity + " Rule:" + $Rule.Name) -notice
+					# Description is multiline
+					$Rule.Description = $Rule.Description.replace("`r`n", " ").replace("`t", "")
                     $Rule | Out-MultipleFileType -FilePreFix "_Investigate_InboxRules" -user $user -csv -append -Notice
                 }
             }
 
+			# Description is multiline
+			$inboxrulesRawDescription = $InboxRules
+			$InboxRules = New-Object -TypeName "System.Collections.ArrayList"
+
+			$inboxrulesRawDescription | ForEach-Object {
+				$_.Description = $_.Description.Replace("`r`n", " ").replace("`t", "")
+
+				$null = $InboxRules.Add($_)
+			}
+
             # Output all of the inbox rules to a generic csv
             $InboxRules | Out-MultipleFileType -FilePreFix "InboxRules" -User $user -csv
 
@@ -86,7 +98,7 @@ Function Get-HawkUserInboxRule {
         Out-LogFile ("Gathering Sweep Rules: " + $User) -action
         $SweepRules = Get-SweepRule -Mailbox $User
 
-        if ($null -eq $SweeRules) { Out-LogFile "No Sweep Rules found" }
+        if ($null -eq $SweepRules) { Out-LogFile "No Sweep Rules found" }
         else {
 
             # Output all rules to a user CSV
diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -52,9 +52,8 @@
 
         do {
             # Get the end of the Range we are going to gather data for
-            [string]$RangeEnd =[datetime]::parse($RangeStart, [CultureInfo]::CreateSpecificCulture("en-US")).AddDays(5).toString("MM/dd/yyyy")
-
-            # Do the actual search
+            [datetime] $RangeEnd = ($RangeStart.AddDays(5))
+                        # Do the actual search
             Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd)
             [array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000
 
diff --git a/Hawk/internal/functions/Get-SimpleAdminAuditLog.ps1 b/Hawk/internal/functions/Get-SimpleAdminAuditLog.ps1
@@ -26,7 +26,7 @@ Function Get-SimpleAdminAuditLog {
         $SearchResults
     )
 
-    # Setup to process incomming results
+    # Setup to process incoming results
     Begin {
 
         # Make sure the array is null
@@ -50,7 +50,7 @@ Function Get-SimpleAdminAuditLog {
             if ([string]::IsNullOrEmpty($user)) { $user = "***" }
 
             # if we have 'on behalf of' then we need to do some more processing to get the right value
-            elseif ($_.caller -like "*on ehalf of*") {
+            elseif ($_.caller -like "*on behalf of*") {
                 $split = $_.caller.split("/")
                 $Start = (($Split[3].split(" "))[0]).TrimEnd('"')
                 $End = $Split[-1].trimend('"')
diff --git a/Hawk/internal/functions/Initialize-HawkGlobalObject.ps1 b/Hawk/internal/functions/Initialize-HawkGlobalObject.ps1
@@ -78,7 +78,8 @@
         param([string]$RootPath)
 
         # Create a folder ID based on date
-        [string]$FolderID = "Hawk_" + (Get-Date -UFormat %Y%m%d_%H%M).tostring()
+        [string]$TenantName = (Get-MSolDomain | Where-Object {$_.isDefault}).Name
+        [string]$FolderID = "Hawk_" + $TenantName.Substring(0, $TenantName.IndexOf('.')) + "_" + (Get-Date -UFormat %Y%m%d_%H%M).tostring()
 
         # Add that ID to the given path
         $FullOutputPath = Join-Path $RootPath $FolderID
diff --git a/Hawk/internal/functions/Out-LogFile.ps1 b/Hawk/internal/functions/Out-LogFile.ps1
@@ -48,7 +48,7 @@ Function Out-LogFile {
         [string]$logstring = ( "[" + $date + "] - [ACTION] - " + $string)
 
     }
-    # If notice is true the we should write this to intersting.txt as well
+    # If notice is true the we should write this to interesting.txt as well
     elseif ($notice) {
         [string]$logstring = ( "[" + $date + "] - ## INVESTIGATE ## - " + $string)
 
diff --git a/Hawk/internal/functions/Out-MultipleFileType.ps1 b/Hawk/internal/functions/Out-MultipleFileType.ps1
@@ -135,13 +135,13 @@ Function Out-MultipleFileType {
                     Out-LogFile ("Appending Data to " + $filename)
 
                     # Write it out to csv making sture to append
-                    $AllObject | Export-Csv $filename -NoTypeInformation -Append
+                    $AllObject | Export-Csv $filename -NoTypeInformation -Append -Encoding UTF8
                 }
 
                 # Otherwise overwrite
                 else {
                     Out-LogFile ("Writing Data to " + $filename)
-                    $AllObject | Export-Csv $filename -NoTypeInformation
+                    $AllObject | Export-Csv $filename -NoTypeInformation -Encoding UTF8
                 }
 
                 # If notice is set we need to write the file name to _Investigate.txt

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ PROCESS{`
`26`	`26`	`if([string]::IsNullOrWhiteSpace($admin.WindowsLiveId)){`
`27`	`27`	`[PSCustomObject]@{`
`28`	`28`	`ExchangeAdminGroup = $Role.Name`
`29`		`- Members= $admin.name`
	`29`	`+ Members= $admin.DisplayName`
`30`	`30`	`RecipientType = $admin.RecipientType`
`31`	`31`	`}`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`if ($Output.count -gt 1) {`
`224`		`- Out-LogFile ("Found " + $Output.cout + " Users/Groups with Impersonation rights. Default is 1") -notice`
	`224`	`+ Out-LogFile ("Found " + $Output.count + " Users/Groups with Impersonation rights. Default is 1") -notice`
`225`	`225`	`$Output \| Out-MultipleFileType -fileprefix "Impersonation_Rights" -csv -xml`
`226`	`226`	`$Output \| Out-MultipleFileType -fileprefix "_Investigate_Impersonation_Rights" -csv -xml -Notice`
`227`	`227`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ Function Out-LogFile {`
`48`	`48`	`[string]$logstring = ( "[" + $date + "] - [ACTION] - " + $string)`
`49`	`49`
`50`	`50`	`}`
`51`		`- # If notice is true the we should write this to intersting.txt as well`
	`51`	`+ # If notice is true the we should write this to interesting.txt as well`
`52`	`52`	`elseif ($notice) {`
`53`	`53`	`[string]$logstring = ( "[" + $date + "] - ## INVESTIGATE ## - " + $string)`
`54`	`54`
Original file line number	Diff line number	Diff line change
`@@ -135,13 +135,13 @@ Function Out-MultipleFileType {`
`135`	`135`	`Out-LogFile ("Appending Data to " + $filename)`
`136`	`136`
`137`	`137`	`# Write it out to csv making sture to append`
`138`		`- $AllObject \| Export-Csv $filename -NoTypeInformation -Append`
	`138`	`+ $AllObject \| Export-Csv $filename -NoTypeInformation -Append -Encoding UTF8`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`# Otherwise overwrite`
`142`	`142`	`else {`
`143`	`143`	`Out-LogFile ("Writing Data to " + $filename)`
`144`		`- $AllObject \| Export-Csv $filename -NoTypeInformation`
	`144`	`+ $AllObject \| Export-Csv $filename -NoTypeInformation -Encoding UTF8`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`# If notice is set we need to write the file name to _Investigate.txt`