
Adds incorrect domain to results

Open Techlisalh opened this issue 2 years ago • 6 comments

Describe the bug A clear and concise description of what the bug is. When I run a tenant or user investigation, the results append the incorrect domain.

To Reproduce Steps to reproduce the behavior: Run investigation, and answer questions, no matter where I indicate to save the output, it adds one of our tenant's names in the path instead of the tenant we are investigating.

Expected behavior A clear and concise description of what you expected to happen. I expect that the folder name will include the actual domain name being looked at

Screenshots If applicable, add screenshots to help explain your problem.

File (please complete the following information):

  • File Name: I save to a folder named "hawk"

Additional context Add any other context about the problem here. I saw a possible feature request to add the default domain name to the folders; however, that only works if you work in a single tenant. We have 50 tenants that we have to run reports on at times. I do rename the folder after the fact, but many logs show I made the change. Please change the behavior back to the way it was, no domain added, then I can indicate the correct tenant, and don't have to remove the one set as default.

Techlisalh avatar Jun 28 '23 20:06 Techlisalh

This is the same issue as the "wrong scan name". Sorry for duplicating the entry. It gives the same path for all tenants. Completely different sessions, and different logins. I just did one for a user investigation only. Moved to C:\Temp instead of c:\hawk. It looks like the scan was for a different tenant than was scanned.

It's not life-threatening, it just looks unprofessional.

Techlisalh avatar Jun 28 '23 20:06 Techlisalh

@Techlisalh - Would it be possible to schedule a time to talk to better understand the use case when running against multiple tenants? If so, please email me [email protected] so we can get something on the books. Thanks

T0pCyber avatar Jun 29 '23 19:06 T0pCyber

Sure, I’m available on and off throughout the day…send me a time or two and we can schedule!

Kind Regards,

Lisa Hall, IT Support Manager, Natural Networks, Inc.

Techlisalh avatar Jun 29 '23 21:06 Techlisalh

Hi There,

It looks like the MSGraph sessions persist across PowerShell sessions - see https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0

To Replicate: Run Get-MGDomain in a new PowerShell session - it will show your last still valid MSGraph session

Workaround: Manually run Disconnect-MgGraph and run HAWK in a new PowerShell session

As it seems to get the correct data for a tenant, the permanent fix is to either have HAWK disconnect once done or grab the tenant name from elsewhere in HAWK\<version>\internal\functions\Initialize-HawkGlobalObject.ps1, Line 81:

[string]$TenantName = (Get-MGDomain | Where-Object {$_.isDefault}).ID

DOS-jabro avatar Jul 13 '23 12:07 DOS-jabro
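
A pre-flight check along the lines of the workaround above, as an added example that is not part of HAWK or of the comment above: it clears any persisted Graph context, signs in to the intended tenant with a process-scoped token cache, and stops if the connected tenant is not the one under investigation. It assumes the Microsoft Graph PowerShell SDK is installed; `Assert-GraphTenant`, its parameters and `contoso.example` are hypothetical.

```powershell
# Added example, not HAWK code. Assert-GraphTenant is a hypothetical helper name.
function Assert-GraphTenant {
    [CmdletBinding()]
    param(
        # Tenant ID (GUID) or a verified domain of the tenant under investigation
        [Parameter(Mandatory)][string]$ExpectedTenant,
        [string[]]$Scopes = @('Domain.Read.All')
    )

    # A context persisted from an earlier session is visible before any new sign-in.
    $stale = Get-MgContext
    if ($stale) {
        Write-Warning "Existing Graph context: tenant $($stale.TenantId), account $($stale.Account). Disconnecting."
        Disconnect-MgGraph | Out-Null
    }

    # Process scope keeps the token out of the per-user cache, so it cannot
    # carry over into the next PowerShell session.
    Connect-MgGraph -TenantId $ExpectedTenant -Scopes $Scopes -ContextScope Process | Out-Null

    $ctx     = Get-MgContext
    $domains = Get-MgDomain -All
    $default = ($domains | Where-Object { $_.IsDefault }).Id

    # Accept either the tenant GUID or any verified domain of the connected tenant.
    $match = ($ctx.TenantId -eq $ExpectedTenant) -or ($domains.Id -contains $ExpectedTenant)
    if (-not $match) {
        Disconnect-MgGraph | Out-Null
        throw "Connected to tenant $($ctx.TenantId) ($default), expected $ExpectedTenant."
    }

    # Return what the output folder should be named after.
    [pscustomobject]@{
        TenantId      = $ctx.TenantId
        DefaultDomain = $default
        Account       = $ctx.Account
    }
}

try {
    $tenant = Assert-GraphTenant -ExpectedTenant 'contoso.example'   # constructed placeholder
    Write-Host "Investigating $($tenant.DefaultDomain) as $($tenant.Account)"
    # Run the investigation here and name the output folder after $tenant.DefaultDomain.
}
finally {
    # Always drop the context so the next tenant's run starts clean.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

Recording the returned tenant ID and account alongside the collected evidence lets a later reviewer confirm which tenant each output folder actually came from.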

@Techlisalh - Would Friday the 21st of July work for you? If so please email the Hawk email address so I can coordinate a meeting. [email protected]

T0pCyber avatar Jul 13 '23 21:07 T0pCyber

I can be available on the 21st. I did see your earlier email mentioning it’s a graph issue. I appreciate the attention to this. I love this script. It’s been a lifesaver, seriously!

Kind Regards,

Lisa Hall, IT Support Manager, Natural Networks, Inc.

Techlisalh avatar Jul 13 '23 22:07 Techlisalh