Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Tenant-Wide Inbox Rule Artifact Collection #156

Open
jonnybottles opened this issue Nov 29, 2024 · 1 comment
Open

Feature: Tenant-Wide Inbox Rule Artifact Collection #156

jonnybottles opened this issue Nov 29, 2024 · 1 comment
Assignees
@T0pCyber
Labels
priority/low For low priority tasks status/ready Verified issue, ready to be assigned type/feature New feature or request
Milestone
Phase 4: Non Caps...

Comments

@jonnybottles
Copy link
Collaborator

What problem would this feature solve?

Currently, Hawk does not have an active capability for tenant-wide inbox rule artifact collection due to the removal of the RobustCloudCommand dependency. This functionality is essential for scanning all tenant mailboxes for malicious inbox rules and unauthorized email forwarding. Reimplementing this feature would restore a critical security capability.

Proposed Solution

Reimplement the Get-HawkTenantInboxRules function to enable tenant-wide inbox rule scanning without relying on the deprecated RobustCloudCommand module and or use the RobustCloudCommand static file from the GitHub repo for RobustCloudCommand. The updated implementation should include native throttling and scalable mailbox processing.

Technical Requirements

  • Rewrite Get-HawkTenantInboxRules to use native PowerShell mechanisms or RobustCloudCommand from its GitHub repo for mailbox throttling and processing.
  • Integrate with Start-HawkTenantInvestigation to ensure seamless artifact collection during tenant-wide investigations.
  • Implement logging and error handling for robust operations.
  • Include unit tests and integration tests for all functionality.

Implementation Approach

If using RobustCloudCommand:

  • Make assessment of it works in the current project
  • If so, implement it

If not using RobustCloudCommand:

  • Replace calls to RobustCloudCommand with:
    • PowerShell's built-in Start-Job for parallel processing.
    • Use Microsoft Graph API for mailbox enumeration and rule retrieval.
  • Update the Hawk module manifest to remove RobustCloudCommand from dependencies.
  • Add new PowerShell cmdlets for mailbox batching to prevent throttling issues.

Acceptance Criteria

  1. Functionality:
    • The Get-HawkTenantInboxRules cmdlet must retrieve all inbox rules for mailboxes in a tenant.
    • Scanning must identify malicious inbox rules and unauthorized forwarding rules.
  2. Performance:
    • The implementation should handle large tenant environments with thousands of mailboxes.
    • Throttling and batching must be managed without external dependencies.
  3. Testing:
    • Unit tests with mocked data must cover at least 90% of the new codebase.
    • Integration tests must validate end-to-end tenant scanning.
  4. Integration:
    • Start-HawkTenantInvestigation must use Get-HawkTenantInboxRules as part of its workflow.
    • Ensure results integrate with Hawk’s artifact collection and reporting mechanisms.
@jonnybottles jonnybottles added type/feature New feature or request status/backlog In backlog / validated labels Nov 29, 2024
@jonnybottles jonnybottles mentioned this issue Nov 29, 2024
Closed
@T0pCyber T0pCyber self-assigned this Jan 26, 2025
@jonnybottles
Copy link
Collaborator Author

jonnybottles commented Feb 8, 2025
edited
Loading

This function has been moved into the Hawk-> Internal >WorkInProgress folder as it is not ready for release.

@jonnybottles jonnybottles mentioned this issue Feb 11, 2025
Closed
@jonnybottles jonnybottles added priority/low For low priority tasks status/ready Verified issue, ready to be assigned and removed status/backlog In backlog / validated labels Mar 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@T0pCyber T0pCyber

Labels
priority/low For low priority tasks status/ready Verified issue, ready to be assigned type/feature New feature or request
Projects
None yet
Milestone
Phase 4: Non Capstone Project Feature...
Development

No branches or pull requests
2 participants
@T0pCyber @jonnybottles