Feature: Tenant-Wide Inbox Rule Artifact Collection #156

Open
jonnybottles opened this issue Nov 29, 2024 · 0 comments
Labels: status/backlog (In backlog / validated), type/feature (New feature or request)

jonnybottles (Collaborator):

What problem would this feature solve?

Currently, Hawk does not have an active capability for tenant-wide inbox rule artifact collection due to the removal of the RobustCloudCommand dependency. This functionality is essential for scanning all tenant mailboxes for malicious inbox rules and unauthorized email forwarding. Reimplementing this feature would restore a critical security capability.

Proposed Solution

Reimplement the Get-HawkTenantInboxRules function to enable tenant-wide inbox rule scanning without relying on the deprecated RobustCloudCommand module, and/or use the RobustCloudCommand static file from the GitHub repo for RobustCloudCommand. The updated implementation should include native throttling and scalable mailbox processing.

Technical Requirements

  • Rewrite Get-HawkTenantInboxRules to use native PowerShell mechanisms or RobustCloudCommand from its GitHub repo for mailbox throttling and processing.
  • Integrate with Start-HawkTenantInvestigation to ensure seamless artifact collection during tenant-wide investigations.
  • Implement logging and error handling for robust operations.
  • Include unit tests and integration tests for all functionality.

Implementation Approach

If using RobustCloudCommand:

  • Make an assessment of whether it works in the current project.
  • If so, implement it.

If not using RobustCloudCommand:

  • Replace calls to RobustCloudCommand with:
    • PowerShell's built-in Start-Job for parallel processing.
    • The Microsoft Graph API for mailbox enumeration and rule retrieval.
  • Update the Hawk module manifest to remove RobustCloudCommand from dependencies.
  • Add new PowerShell cmdlets for mailbox batching to prevent throttling issues.

Acceptance Criteria

  1. Functionality:
    • The Get-HawkTenantInboxRules cmdlet must retrieve all inbox rules for mailboxes in a tenant.
    • Scanning must identify malicious inbox rules and unauthorized forwarding rules.
  2. Performance:
    • The implementation should handle large tenant environments with thousands of mailboxes.
    • Throttling and batching must be managed without external dependencies.
  3. Testing:
    • Unit tests with mocked data must cover at least 90% of the new codebase.
    • Integration tests must validate end-to-end tenant scanning.
  4. Integration:
    • Start-HawkTenantInvestigation must use Get-HawkTenantInboxRules as part of its workflow.
    • Ensure results integrate with Hawk’s artifact collection and reporting mechanisms.
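The acceptance criteria above ask the collector to flag malicious inbox rules and unauthorized forwarding. The triage function below is an added example written for this page, not Hawk project code: it assumes rule objects shaped like Get-InboxRule output (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), a hypothetical Test-HawkInboxRuleSuspicious name, and constructed sample data with an assumed internal domain of contoso.com.

```powershell
# Added example (not Hawk's own code). Rule property names mirror Get-InboxRule
# output; the function name, internal-domain list and sample rules are assumptions.
function Test-HawkInboxRuleSuspicious {
    param(
        [Parameter(Mandatory)] $Rule,                     # one inbox rule object
        [string[]] $InternalDomains = @('contoso.com')    # assumed tenant domains
    )
    $reasons = @()

    # 1. Forward/redirect targets outside the tenant's own domains (data exfiltration)
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ }
    foreach ($t in $targets) {
        # Targets can look like '"Name" [SMTP:user@domain]'; pull the domain by regex
        if ($t -match '@([\w.-]+)' -and $InternalDomains -notcontains $Matches[1]) {
            $reasons += "external forward to $t"
        }
    }
    # 2. Rules that hide evidence: delete mail or park it in rarely viewed folders
    if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }
    if ($Rule.MoveToFolder -match 'RSS|Junk|Archive|Conversation History|Deleted') {
        $reasons += "moves mail to '$($Rule.MoveToFolder)'"
    }
    # 3. Keyword triggers commonly tied to payment or credential fraud
    $keywords = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) | Where-Object { $_ }
    if ($keywords -match 'invoice|payment|password|wire|bank') {
        $reasons += "keyword trigger: $($keywords -join ', ')"
    }
    [pscustomobject]@{
        Mailbox    = $Rule.MailboxOwnerId
        RuleName   = $Rule.Name
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

# Constructed sample rules (not real tenant data): one benign, one typical of BEC
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.com'; Name = 'Sort newsletters'
                       MoveToFolder = 'Newsletters'; SubjectContainsWords = @('newsletter') }
    [pscustomobject]@{ MailboxOwnerId = 'bob@contoso.com'; Name = '.'
                       ForwardTo = @('"Ext" [SMTP:drop@example.net]'); DeleteMessage = $true
                       MoveToFolder = 'RSS Feeds'; SubjectContainsWords = @('invoice', 'payment') }
)

$sampleRules | ForEach-Object { Test-HawkInboxRuleSuspicious -Rule $_ } | Format-Table -AutoSize
```

In a tenant-wide run, the same function would be applied to each batch of mailboxes returned by the collector, with the Reasons column feeding Hawk's existing reporting.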