hawk icon indicating copy to clipboard operation
hawk copied to clipboard
verified publisher icon T0pCyber

Feature: Tenant-Wide Inbox Rule Artifact Collection

Open jonnybottles opened this issue 1 year ago • 1 comments

What problem would this feature solve?

Currently, Hawk does not have an active capability for tenant-wide inbox rule artifact collection due to the removal of the RobustCloudCommand dependency. This functionality is essential for scanning all tenant mailboxes for malicious inbox rules and unauthorized email forwarding. Reimplementing this feature would restore a critical security capability.

Proposed Solution

Reimplement the Get-HawkTenantInboxRules function to enable tenant-wide inbox rule scanning without relying on the deprecated RobustCloudCommand module and or use the RobustCloudCommand static file from the GitHub repo for RobustCloudCommand. The updated implementation should include native throttling and scalable mailbox processing.

Technical Requirements

  • Rewrite Get-HawkTenantInboxRules to use native PowerShell mechanisms or RobustCloudCommand from its GitHub repo for mailbox throttling and processing.
  • Integrate with Start-HawkTenantInvestigation to ensure seamless artifact collection during tenant-wide investigations.
  • Implement logging and error handling for robust operations.
  • Include unit tests and integration tests for all functionality.

Implementation Approach

If using RobustCloudCommand:

  • Make assessment of it works in the current project
  • If so, implement it

If not using RobustCloudCommand:

  • Replace calls to RobustCloudCommand with:
    • PowerShell's built-in Start-Job for parallel processing.
    • Use Microsoft Graph API for mailbox enumeration and rule retrieval.
  • Update the Hawk module manifest to remove RobustCloudCommand from dependencies.
  • Add new PowerShell cmdlets for mailbox batching to prevent throttling issues.

Acceptance Criteria

  1. Functionality:
    • The Get-HawkTenantInboxRules cmdlet must retrieve all inbox rules for mailboxes in a tenant.
    • Scanning must identify malicious inbox rules and unauthorized forwarding rules.
  2. Performance:
    • The implementation should handle large tenant environments with thousands of mailboxes.
    • Throttling and batching must be managed without external dependencies.
  3. Testing:
    • Unit tests with mocked data must cover at least 90% of the new codebase.
    • Integration tests must validate end-to-end tenant scanning.
  4. Integration:
    • Start-HawkTenantInvestigation must use Get-HawkTenantInboxRules as part of its workflow.
    • Ensure results integrate with Hawk’s artifact collection and reporting mechanisms.

jonnybottles avatar Nov 29 '24 19:11 jonnybottles

This function has been moved into the Hawk-> Internal >WorkInProgress folder as it is not ready for release.

jonnybottles avatar Feb 08 '25 20:02 jonnybottles