
Question: Unexpected Error on User Investigation

Open akshaiprakash1 opened this issue 7 months ago • 3 comments

Your Question

The following error occurs while running User Investigation on my tenant:

[2025-05-13 10:20:31Z] - [ACTION] - Starting User Investigation.

[2025-05-13 10:20:31Z] - [ACTION] - Running Get-HawkUserConfiguration.
[2025-05-13 10:20:31Z] - [INFO] - Not Connected to Exchange Online
[2025-05-13 10:20:31Z] - [ACTION] - Connecting to EXO using Exchange Online Module
Error Acquiring Token:
Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)
Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.7.2\netFramework\ExchangeOnlineManagement.psm1:754 char:21
+                 throw $_.Exception.InnerException;
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [], MsalServiceException
    + FullyQualifiedErrorId : Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)

akshaiprakash1 avatar May 13 '25 10:05 akshaiprakash1

I too have this issue:

[2025-10-20 14:22:05Z] - [ACTION] - Starting Tenant Investigation.

[2025-10-20 14:22:05Z] - [ACTION] - Running Get-HawkTenantConfiguration.
[2025-10-20 14:22:05Z] - [ACTION] - Initiating collection of tenant configuration settings from Exchange Online.
[2025-10-20 14:22:05Z] - [INFO]   - Not Connected to Exchange Online
[2025-10-20 14:22:05Z] - [ACTION] - Connecting to EXO using Exchange Online Module
Error Acquiring Token:
Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)
Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)
At C:\Program
Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.9.0\netFramework\ExchangeOnlineManagement.psm1:766 char:21
+                     throw $_.Exception.InnerException;
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], MsalServiceException
    + FullyQualifiedErrorId : Unknown Status: Unexpected
Error: 0xffffffff80070520
Context: (pii)
Tag: 0x21420087 (error code -2147023584) (internal error code 557973639)

Version information:

Name              : HAWK
Path              : C:\Program Files\WindowsPowerShell\Modules\HAWK\4.0\HAWK.psd1
Description       : A free, open-source forensics PowerShell module for conducting incident response and threat
                    hunting of Microsoft Cloud environments.
                        Hawk streamlines the collection of forensic data from Microsoft 365 and Entra ID environments
                    to help security professionals,
                        incident responders, and administrators quickly gather critical log data and identify
                    potential security concerns.
                        While it includes basic analysis capabilities to flag items of interest, it focuses on
                    efficient data collection rather than automated detection.
ModuleType        : Script
Version           : 4.0
NestedModules     : {}
ExportedFunctions : {Get-HawkTenantConfiguration, Get-HawkTenantEDiscoveryConfiguration, Get-HawkTenantConsentGrant,
                    Get-HawkTenantRBACChange...}
ExportedCmdlets   :
ExportedVariables :
ExportedAliases   :

This is being run from an elevated tenant, with a global admin account. The Graph consent has been completed:

 Connect-MGGraph -Scopes 'User.Read.All', 'Directory.Read.All',
>>         'DeviceManagementServiceConfig.Read.All', 'AuditLog.Read.All', 'IdentityRiskEvent.Read.All', 'IdentityRiskyUser.Read.All'
Welcome to Microsoft Graph!

Connected via delegated access using XXXX-XXXX-XXXX-XXXX-XXXXX
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

BenGall-Qss avatar Oct 20 '25 14:10 BenGall-Qss

At first glance it looks like an error connecting to Exchange Online. In a new PowerShell window run "Connect-ExchangeOnline" and then try running Hawk.

T0pCyber avatar Oct 20 '25 16:10 T0pCyber

> At first glance it looks like an error connecting to Exchange Online. In a new PowerShell window run "Connect-ExchangeOnline" and then try running Hawk.

Thanks for the response. This does indeed work: connecting first and then running the tool works as expected. Is this expected behaviour or a weird bug?

BenGall-Qss avatar Oct 21 '25 10:10 BenGall-Qss