Description
What problem would this feature solve?
Hawk currently has no working capability for tenant-wide inbox rule artifact collection, because the RobustCloudCommand dependency was removed. That functionality is essential for scanning every mailbox in a tenant for malicious inbox rules and unauthorized email forwarding. Reimplementing this feature would restore a critical security capability.
Proposed Solution
Reimplement the `Get-HawkTenantInboxRules` function to enable tenant-wide inbox rule scanning without relying on the deprecated RobustCloudCommand module, or alternatively use the RobustCloudCommand static file from the RobustCloudCommand GitHub repo. The updated implementation should include native throttling and scalable mailbox processing.
Technical Requirements
- Rewrite `Get-HawkTenantInboxRules` to use native PowerShell mechanisms, or RobustCloudCommand from its GitHub repo, for mailbox throttling and processing.
- Integrate with `Start-HawkTenantInvestigation` to ensure seamless artifact collection during tenant-wide investigations.
- Implement logging and error handling for robust operations.
- Include unit tests and integration tests for all functionality.
Implementation Approach
If using RobustCloudCommand:
- Assess whether it works in the current project.
- If so, implement it.
If not using RobustCloudCommand:
- Replace calls to `RobustCloudCommand` with PowerShell's built-in `Start-Job` for parallel processing.
- Use the Microsoft Graph API for mailbox enumeration and rule retrieval.
- Update the `Hawk` module manifest to remove `RobustCloudCommand` from its dependencies.
- Add new PowerShell cmdlets for mailbox batching to prevent throttling issues.
Acceptance Criteria
- Functionality:
  - The `Get-HawkTenantInboxRules` cmdlet must retrieve all inbox rules for mailboxes in a tenant.
  - Scanning must identify malicious inbox rules and unauthorized forwarding rules.
- Performance:
  - The implementation should handle large tenant environments with thousands of mailboxes.
  - Throttling and batching must be managed without external dependencies.
- Testing:
  - Unit tests with mocked data must cover at least 90% of the new codebase.
  - Integration tests must validate end-to-end tenant scanning.
- Integration:
  - `Start-HawkTenantInvestigation` must use `Get-HawkTenantInboxRules` as part of its workflow.
  - Ensure results integrate with Hawk's artifact collection and reporting mechanisms.
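As an added illustration of the scanning and batching behaviour called for under Implementation Approach and Acceptance Criteria (example code, not Hawk's own): a detector for the external-forwarding, deletion and folder-hiding patterns, applied to objects shaped like `Get-InboxRule` output, and driven through throttled `Start-Job` batches. The internal domain list, the sample rules and both function names are assumptions.

```powershell
function Test-SuspiciousInboxRule {
    # Flags the patterns the scanner must catch: external forwarding, deletion, hiding mail.
    param([Parameter(Mandatory)] $Rule, [string[]] $InternalDomains = @('contoso.example'))  # assumed tenant domains
    $reasons = @()
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
        Where-Object { $_ }
    foreach ($t in $targets) {
        # Get-InboxRule renders targets as '"Name" [SMTP:user@domain]'; keep only the address.
        $addr   = (($t -split 'SMTP:')[-1]) -replace '[\[\]"]', ''
        $domain = ($addr -split '@')[-1]
        if ($InternalDomains -notcontains $domain) { $reasons += "forwards externally to $addr" }
    }
    if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
    if ($Rule.MoveToFolder -match 'RSS|Conversation History|Junk|Deleted') {
        $reasons += "moves mail to rarely viewed folder '$($Rule.MoveToFolder)'"
    }
    if ($Rule.Name -match '^[\s.,]*$') { $reasons += 'empty or punctuation-only rule name' }
    [pscustomobject]@{ Mailbox = $Rule.MailboxOwnerId; RuleName = $Rule.Name
                       Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

function Invoke-MailboxBatch {
    # Runs at most $MaxJobs Start-Job workers at a time so a tenant-wide scan stays inside
    # the Exchange/Graph throttling budget instead of failing on large tenants.
    param([object[]] $Rules, [int] $BatchSize = 2, [int] $MaxJobs = 2)
    # Child jobs do not inherit parent functions, so ship the definition via -InitializationScript.
    $init = [scriptblock]::Create("function Test-SuspiciousInboxRule { ${function:Test-SuspiciousInboxRule} }")
    $jobs = @()
    for ($i = 0; $i -lt $Rules.Count; $i += $BatchSize) {
        $batch = $Rules[$i..([Math]::Min($i + $BatchSize, $Rules.Count) - 1)]
        while (@($jobs | Where-Object State -eq 'Running').Count -ge $MaxJobs) { Start-Sleep -Milliseconds 200 }
        $jobs += Start-Job -InitializationScript $init -ArgumentList (,$batch) -ScriptBlock {
            param($b) $b | ForEach-Object { Test-SuspiciousInboxRule -Rule $_ }
        }
    }
    $results = $jobs | Wait-Job | Receive-Job
    $jobs | Remove-Job
    $results | Where-Object Suspicious
}

# Constructed sample rules; in production these come from Get-InboxRule for each mailbox.
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@contoso.example'; Name = '.'; DeleteMessage = $true; MoveToFolder = $null
                       ForwardTo = @('"ext" [SMTP:drop@external.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'bob@contoso.example'; Name = 'Invoices'; DeleteMessage = $false; MoveToFolder = $null
                       ForwardTo = @('"Finance" [SMTP:finance@contoso.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'carol@contoso.example'; Name = 'Hide'; DeleteMessage = $false; ForwardTo = $null
                       MoveToFolder = 'carol@contoso.example:\RSS Feeds'; ForwardAsAttachmentTo = $null; RedirectTo = $null }
)
Invoke-MailboxBatch -Rules $sample | Format-Table Mailbox, RuleName, Reasons -Wrap
```

Only alice's and carol's rules are reported; bob's internal forward to a tenant domain is left alone.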