From bafd4415d3863c6f00191bcae1b6f904b177f9d5 Mon Sep 17 00:00:00 2001 From: juliusperez1695 <150602855+juliusperez1695@users.noreply.github.com> Date: Sun, 19 Jan 2025 13:31:07 -0800 Subject: [PATCH 1/3] feature/236: Added log pull of user Send activity. --- Hawk/Hawk.psd1 | 1 + Hawk/changelog.md | 1 + .../User/Get-HawkUserMailSendActivity.ps1 | 95 +++++++++++++++++++ .../User/Start-HawkUserInvestigation.ps1 | 10 ++ 4 files changed, 107 insertions(+) create mode 100644 Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 diff --git a/Hawk/Hawk.psd1 b/Hawk/Hawk.psd1 index 3a479de..a820e38 100644 --- a/Hawk/Hawk.psd1 +++ b/Hawk/Hawk.psd1 @@ -85,6 +85,7 @@ 'Get-HawkTenantMailItemsAccessed', 'Get-HawkUserMailItemsAccessed', 'Get-HawkUserExchangeSearchQuery', + 'Get-HawkUserMailSendActivity', 'Get-HawkTenantAppAndSPNCredentialDetail', 'Get-HawkTenantEntraIDUser', 'Get-HawkTenantDomainActivity', diff --git a/Hawk/changelog.md b/Hawk/changelog.md index a32efb9..11b4fab 100644 --- a/Hawk/changelog.md +++ b/Hawk/changelog.md @@ -98,4 +98,5 @@ - Added search of mail items accessed to the User Investigation (Get-HawkUserMailItemsAccessed) - Added search of Exchange Search Queries to the User Investigation (Get-HawkUserExchangeSearchQuery) - Implemented check to verify that an Exchange operation is enabled for auditing before attempting to pull logs +- Added log pull of user Send activity to the User Investigation (Get-HawkUserMailSendActivity) diff --git a/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 new file mode 100644 index 0000000..d88ca9a --- /dev/null +++ b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 
@@ -0,0 +1,95 @@ +Function Get-HawkUserMailSendActivity { + <# + .SYNOPSIS + This will export Send operations from the Unified Audit Log (UAL). Must be connected to Exchange Online + using the Connect-EXO or Connect-ExchangeOnline module. M365 E5 or G5 license is required for this function to work. + This telemetry will ONLY be availabe if Advanced Auditing is enabled for the M365 user. + .DESCRIPTION + This function queries for message-sending activity within Exchange, providing visibility into outbound communications + that could be relevant for identifying data exfiltration attempts, phishing campaigns, or other malicious activity. + .PARAMETER UserPrincipalName + Specific user(s) to be investigated + .EXAMPLE + Get-HawkUserMailSendActivity -UserPrincipalName bsmith@contoso.com + Returns send activity queries from Unified Audit Log (UAL) that correspond to the UserPrincipalName that is provided + .OUTPUTS + SendActivity_bsmith@contoso.com.csv /json + Simple_SendActivity_bsmith@contoso.com.csv/json + + .LINK + https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/ + + .NOTES + "Operation Properties" and "Folders" will return "System.Object" as they are nested JSON within the AuditData field. + You will need to conduct individual log pull and review via PowerShell or other SIEM to determine values + for those fields. + #> + [CmdletBinding()] + param( + [Parameter(Mandatory=$true)] + [array]$UserPrincipalName + ) + + BEGIN { + # Check if Hawk object exists and is fully initialized + if (Test-HawkGlobalObject) { + Initialize-HawkGlobalObject + } + Out-LogFile "Starting Unified Audit Log (UAL) search for 'Send'" -Action + Out-LogFile "Please be patient, this can take a while..." 
-Information + Test-EXOConnection + }#End Begin + + PROCESS { + + #Verify UPN input + [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName + + foreach($UserObject in $UserArray) { + [string]$User = $UserObject.UserPrincipalName + + # Verify that user has operation enabled for auditing. Otherwise, move onto next user. + if (Test-OperationEnabled -User $User -Operation 'Send') { + Out-LogFile "Operation 'Send' verified enabled for $User." -Information + try { + #Retrieve all audit data for mailitems accessed + $SearchCommand = "Search-UnifiedAuditLog -Operations 'Send' -UserIds $User" + $ExchangeSends = Get-AllUnifiedAuditLogEntry -UnifiedSearch $SearchCommand + + if ($ExchangeSends.Count -gt 0){ + + #Define output directory path for user + $UserFolder = Join-Path -Path $Hawk.FilePath -ChildPath $User + + #Create user directory if it doesn't already exist + if (-not (Test-Path -Path $UserFolder)) { + New-Item -Path $UserFolder -ItemType Directory -Force | Out-Null + } + + #Compress raw data into more simple view + $ExchangeSendsSimple = $ExchangeSends | Get-SimpleUnifiedAuditLog + + #Export both raw and simplistic views to specified user's folder + $ExchangeSends | Select-Object -ExpandProperty AuditData | Convertfrom-Json | Out-MultipleFileType -FilePrefix "SendActivity_$User" -User $User -csv -json + $ExchangeSendsSimple | Out-MultipleFileType -FilePrefix "Simple_SendActivity_$User" -User $User -csv -json + } else { + Out-LogFile "Get-HawkUserMailSendActivity completed successfully" -Information + Out-LogFile "No items found for $User." -Information + } + } catch { + Out-LogFile "Error processing Send Activity for $User : $_" -isError + Write-Error -ErrorRecord $_ -ErrorAction Continue + } + } else { + Out-LogFile "Operation 'Send' is not enabled for $User." -Information + Out-LogFile "No data recorded for $User." 
-Information + } + } + + }#End Process + + END{ + Out-Logfile "Completed exporting Send Activity logs" -Information + }#End End + + } \ No newline at end of file diff --git a/Hawk/functions/User/Start-HawkUserInvestigation.ps1 b/Hawk/functions/User/Start-HawkUserInvestigation.ps1 index c62e8f4..ee023e2 100644 --- a/Hawk/functions/User/Start-HawkUserInvestigation.ps1 +++ b/Hawk/functions/User/Start-HawkUserInvestigation.ps1 @@ -117,6 +117,16 @@ Out-LogFile "Running Get-HawkUserMailItemsAccessed" -Action Get-HawkUserMailItemsAccessed -UserPrincipalName $User } + + if ($PSCmdlet.ShouldProcess("Running Get-HawkUserExchangeSearchQuery for $User")) { + Out-LogFile "Running Get-HawkUserExchangeSearchQuery" -Action + Get-HawkUserExchangeSearchQuery -UserPrincipalName $User + } + + if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailSendActivity for $User")) { + Out-LogFile "Running Get-HawkUserMailSendActivity" -Action + Get-HawkUserMailSendActivity -UserPrincipalName $User + } if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMobileDevice for $User")) { Out-LogFile "Running Get-HawkUserMobileDevice" -Action From abcd7bb3c547462a9d47b0f076cd775976a7aca5 Mon Sep 17 00:00:00 2001 From: juliusperez1695 <150602855+juliusperez1695@users.noreply.github.com> Date: Mon, 20 Jan 2025 18:57:18 -0800 Subject: [PATCH 2/3] feature/236: Added log pull of user Send activity & edited comments --- Hawk/functions/User/Get-HawkUserExchangeSearchQuery.ps1 | 2 +- Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Hawk/functions/User/Get-HawkUserExchangeSearchQuery.ps1 b/Hawk/functions/User/Get-HawkUserExchangeSearchQuery.ps1 index 82157fa..79a4b2a 100644 --- a/Hawk/functions/User/Get-HawkUserExchangeSearchQuery.ps1 +++ b/Hawk/functions/User/Get-HawkUserExchangeSearchQuery.ps1 
@@ -52,7 +52,7 @@ Function Get-HawkUserExchangeSearchQuery { if (Test-OperationEnabled -User $User -Operation 'SearchQueryInitiated') { Out-LogFile "Operation 'SearchQueryInitiated' verified enabled for $User." -Information try { - #Retrieve all audit data for mailitems accessed + #Retrieve all audit data for Exchange search queries $SearchCommand = "Search-UnifiedAuditLog -Operations 'SearchQueryInitiatedExchange' -UserIds $User" $ExchangeSearches = Get-AllUnifiedAuditLogEntry -UnifiedSearch $SearchCommand diff --git a/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 index d88ca9a..ab48cf6 100644 --- a/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 +++ b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 @@ -52,7 +52,7 @@ Function Get-HawkUserMailSendActivity { if (Test-OperationEnabled -User $User -Operation 'Send') { Out-LogFile "Operation 'Send' verified enabled for $User." -Information try { - #Retrieve all audit data for mailitems accessed + #Retrieve all audit data for Exchange send activity $SearchCommand = "Search-UnifiedAuditLog -Operations 'Send' -UserIds $User" $ExchangeSends = Get-AllUnifiedAuditLogEntry -UnifiedSearch $SearchCommand From 8121129df5140f90ddeaf8cb420a3323a078833f Mon Sep 17 00:00:00 2001 From: Jonathan Butler Date: Thu, 23 Jan 2025 08:03:26 -0500 Subject: [PATCH 3/3] modify output to be more clear as to the ACTION occurring. --- Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 index ab48cf6..47a1531 100644 --- a/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 +++ b/Hawk/functions/User/Get-HawkUserMailSendActivity.ps1 
@@ -35,7 +35,7 @@ Function Get-HawkUserMailSendActivity { if (Test-HawkGlobalObject) { Initialize-HawkGlobalObject } - Out-LogFile "Starting Unified Audit Log (UAL) search for 'Send'" -Action + Out-LogFile "Starting Unified Audit Log (UAL) search for mail'Send' logs" -Action Out-LogFile "Please be patient, this can take a while..." -Information Test-EXOConnection }#End Begin
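Review bot: In the new Get-HawkUserMailSendActivity.ps1, the UAL query is assembled as a string with the UPN interpolated unquoted (`$SearchCommand = "Search-UnifiedAuditLog -Operations 'Send' -UserIds $User"`) and then handed to `Get-AllUnifiedAuditLogEntry -UnifiedSearch`; `$User` comes from Test-UserObject, so it is presumably validated, but quoting the value (`-UserIds '$User'`) keeps a UPN with unexpected characters from being parsed as extra parameters, and the same pattern in Get-HawkUserExchangeSearchQuery should be changed in step if this one is. Smaller items in the same file: the SYNOPSIS has the typo "availabe"; the line `Out-LogFile "Get-HawkUserMailSendActivity completed successfully" -Information` sits only in the no-results branch, so a run that actually exports data never logs completion (move it after the if/else); `Convertfrom-Json` and `Out-Logfile` run only because PowerShell is case-insensitive, so use `ConvertFrom-Json` and `Out-LogFile` as the rest of the file does; and the file lacks a trailing newline.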
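Review bot: The Start-HawkUserInvestigation.ps1 hunk adds a `Get-HawkUserExchangeSearchQuery -UserPrincipalName $User` block alongside the new Get-HawkUserMailSendActivity call, but neither the commit subject ("Added log pull of user Send activity") nor the changelog entry mentions it; the changelog context already lists Get-HawkUserExchangeSearchQuery as part of the User Investigation, so please confirm it is not already invoked elsewhere in this function (which would run the query twice per user) and, if this hunk is filling a gap, say so in the commit message and changelog.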
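Review bot: The comment fix in the Get-HawkUserExchangeSearchQuery.ps1 hunk is right, but the surrounding context shows the enablement check using `-Operation 'SearchQueryInitiated'` while the UAL query filters on `-Operations 'SearchQueryInitiatedExchange'`; if the first is the mailbox audit action name and the second the UAL operation name, a one-line comment saying so would keep the next reader from treating the mismatch as a typo.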
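Review bot: The reworded message in the PATCH 3/3 hunk is missing a space: `"Starting Unified Audit Log (UAL) search for mail'Send' logs"` should read `"... search for mail 'Send' logs"`. Since the commit's goal is making the action clear, the other Out-LogFile lines that mention 'Send' (for example `"Operation 'Send' verified enabled for $User."`) could use the same "mail 'Send'" wording so the log reads consistently.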