diff --git a/Hawk/functions/User/Get-HawkMailItemsAccessed.ps1 b/Hawk/functions/User/Get-HawkMailItemsAccessed.ps1
new file mode 100644
index 0000000..a09f82a
--- /dev/null
+++ b/Hawk/functions/User/Get-HawkMailItemsAccessed.ps1
@@ -0,0 +1,62 @@
+Function Get-HawkMailItemsAccessed {
+<#
+.SYNOPSIS
+ This will export MailboxItemsAccessed operations from the Unified Audit Log (UAL). Must be connected to Exchange Online
+ using the Connect-EXO or Connect-ExchangeOnline module. M365 E5 or G5 license is required for this function to work.
+ This telemetry will ONLY be availabe if Advanced Auditing is enabled for the M365 user.
+.DESCRIPTION
+ Recent attacker activities have illuminated the use of the Graph API to read user mailbox contents. This will export
+ logs that will be present if the attacker is using the Graph API for such actions. Note: NOT all graph API actions against
+ a mailbox are malicious. Review the results of this function and look for suspicious access of mailbox items associated
+ with a specific user.
+.PARAMETER UserIDs
+ Specific user(s) to be investigated
+.EXAMPLE
+ Get-HawkMailItemsAccessed -UserIDs bsmith@contoso.com
+ Gets MailItemsAccess from Unified Audit Log (UAL) that corresponds to the User ID that is provided
+.OUTPUTS
+ MailItemsAccessed.csv
+
+.LINK
+ https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/
+
+.NOTES
+ "Operation Properties" and "Folders" will return "System.Object" as they are nested JSON within the AuditData field.
+ You will need to conduct individual log pull and review via PowerShell or other SIEM to determine values
+ for those fields.
+#>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory=$true)]
+ [string[]]$UserIDs
+ )
+
+ BEGIN {
+ # Check if Hawk object exists and is fully initialized
+ if (Test-HawkGlobalObject) {
+ Initialize-HawkGlobalObject
+ }
+ Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'" -Action
+ }#End Begin
+
+ PROCESS {
+ $curr_idx = 0
+ foreach($user in $UserIDs) {
+ if($curr_idx -eq 0) {
+ $UserList = $user
+ }else {
+ $UserList = "$UserList, $user"
+ }
+ $curr_idx += 1
+ }
+ $MailboxItemsAccessed = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -Operations 'MailItemsAccessed' -UserIds $UserList")
+
+ $MailboxItemsAccessed | Select-Object -ExpandProperty AuditData | Convertfrom-Json | Out-MultipleFileType -FilePrefix "MailItemsAccessed" -csv -json
+
+ }#End Process
+
+ END{
+ Out-Logfile "Completed exporting MailItemsAccessed logs" -Information
+ }#End End
+
+}
\ No newline at end of file
diff --git a/Hawk/functions/User/Start-HawkUserInvestigation.ps1 b/Hawk/functions/User/Start-HawkUserInvestigation.ps1
index d295c90..c9f3005 100644
--- a/Hawk/functions/User/Start-HawkUserInvestigation.ps1
+++ b/Hawk/functions/User/Start-HawkUserInvestigation.ps1
@@ -112,6 +112,11 @@
 Out-LogFile "Running Get-HawkUserMessageTrace" -Action
 Get-HawkUserMessageTrace -User $User
 }
+
+ if ($PSCmdlet.ShouldProcess("Running Get-HawkMailItemsAccessed for $User")) {
+ Out-LogFile "Running Get-HawkMailItemsAccessed" -Action
+ Get-HawkMailItemsAccessed -UserIDs $User
+ }
 
 if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMobileDevice for $User")) {
 Out-LogFile "Running Get-HawkUserMobileDevice" -Action
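Review bot: The PROCESS block splices each user ID unquoted into the command string handed to `Get-AllUnifiedAuditLogEntry -UnifiedSearch`, so an ID containing a space or a quote would break or alter the generated `Search-UnifiedAuditLog` call; the nine-line `$curr_idx` loop can become a single quoted join, `$UserList = ($UserIDs | ForEach-Object { "'$_'" }) -join ','`, which both fixes that and reads as idiomatic PowerShell. The comment-based help is also out of step with the code: `.OUTPUTS` lists only `MailItemsAccessed.csv` and `.NOTES` says nested fields surface as `System.Object`, yet `Out-MultipleFileType` is called with `-csv -json`, so the JSON file carries the full nested AuditData and should be named in `.OUTPUTS` with the note scoped to the CSV. `.DESCRIPTION` frames the telemetry as Graph-API specific, but MailItemsAccessed is recorded for mailbox item access in general, so the description would be more accurate as "records mailbox item access regardless of client, including Graph API reads"; the link to the Microsoft incident-responder guidance supports this reading. A final nit: the log helper is spelled both `Out-LogFile` and `Out-Logfile` and `Convertfrom-Json` is oddly cased; PowerShell is case-insensitive, but one spelling per identifier helps reviewers grep the module.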
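Review bot: The new step calls `Get-HawkMailItemsAccessed -UserIDs $User` while the neighbouring steps in this function pass `-User $User` (`Get-HawkUserMessageTrace -User $User` in the context lines, and the Get-HawkUserMobileDevice block that follows), so either the new function should accept `[Alias('User')]` on its parameter or the orchestration should note why this one differs. Per the new function's own help, MailItemsAccessed records exist only for E5/G5 users with advanced auditing enabled, so in a tenant without it this step presumably produces an empty export that an investigator could misread as "no mailbox access"; a log line such as `Out-LogFile "MailItemsAccessed requires E5/G5 and Advanced Auditing; an empty result may reflect licensing, not activity" -Information` before the call would make that explicit. The enclosing Start-HawkUserInvestigation body begins and ends outside this hunk, so I cannot see whether a failure here is caught or would abort the remaining steps.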