
Hello everyone and welcome to BSides Charm City, day one. It's an absolute pleasure to be here on stage speaking for the first time, even more so with my great friends here to my left and to my right. Our talk today is called Closing the Visibility Gap: Threat Hunting with Hawk in the Microsoft Cloud. My name is John Butler and I'm an active duty Marine. I've been in the Marine Corps for 20 years now. The majority of my experience has been in cyber security. As of late, I'm working as a software developer and I'm one of the core maintainers and core contributors to the Hawk PowerShell project. Paul, morning.

And I am Paul Navaro. I'm currently a cloud solution architect at Microsoft, a retired Marine of 21 years, and I've been friends with these dudes for over 10 years. This is our first time getting to share the stage, so this is pretty exciting for us. Good to see some folks out there, and I'm looking forward to sharing some of this work that we do.

Hey, good afternoon everyone. I'm Lorenzo, same, a retired Marine, advanced persistent defender, Hawk developer as well as forensicator. Happy to be here. Myself and some of my other friends here kind of cut our teeth, from the security conference perspective, with BSides: BSides Charm, DC, NoVA and the others that are out there. So it's a phenomenal grassroots organization and it's great to see everybody here today.

With that said, we're going to go ahead and get this kicked off, and I'll just talk to you a little bit about the agenda. I'm going to take you through about the first third of the presentation. Paul's going to take you through the second third, where he's going to pick up with the CISA playbook and walk you through a couple of prerequisites as well as case studies, and then John's going to take you through the investigation types of Hawk and various artifacts, as well as a Hawk demo. So that's essentially the agenda laid out and who's going to cover what part of the presentation about Hawk.

So essentially the genesis of Hawk, the intent of Hawk, was mainly to collect data. This started, as you can see here on the slide, in about 2018, by a gentleman by the name of Matt Bird. So a shout out to Matt Bird, who recognized that there was a need, a void, a gap to fill at that time with cloud, where we had individuals, no matter who they were, just finding things where something was going on with their tenant, and they had different administrative interfaces. As it was mentioned earlier, I think in one of the questions, about a single pane of glass: we know how difficult that is to achieve. And so what we had is essentially these different administrative interfaces that you had to log into each separately, go run some queries, pull some information down. And so the genesis of Hawk was to help ease that burden and provide a somewhat automated manner to accomplish those tasks, and then essentially bring the data back. So this really wasn't the initial intent, or designed, to necessarily do threat detection or response from a tool perspective, although you can take the data and then incorporate it into whatever tool, whatever set of processes that you may have. We don't want to necessarily dictate that to you, but we would like to help you automate the pull of that data in a reasonable manner.

So that's a little bit about Hawk. Obviously free, open source, right? Everybody likes a good free 999 tool. I think to the keynote speaker, when he was talking about having some type of domestic cyber capability that can assist people: this isn't necessarily the answer to that, but it's almost a genesis of saying, hey, here's something that is low cost to no cost, requires a little bit of knowledge, and will help you aid in the fight of getting the visibility that you need, whether you're responding to threats or you need to just threat hunt on that data. I also mentioned earlier, in terms of the target audience, that initially it was small to medium-sized businesses, but it's not precluded; it could be any business that wants it. And then of course the adoption, I think because it was one of the early tools out of the gate: we've had about 85,000 downloads thus far, as well as a lot of momentum with multiple cyber security conferences and courses that are taught where you'll hear about Hawk, whether that is in SANS, whether that is Black Hills security, who's here as a sponsor (they do a phenomenal job with their training), and so you'll hear different aspects of Hawk brought up in some of that training.

The inspiration behind Hawk, as I mentioned here: we've got an evolving threat landscape. The talk earlier talked about doing some, not necessarily evasion, but in terms of handing out lures, or detections as a means, because of this evolving threat landscape that we have. We've got GenAI on the scene now; we've had cloud prior to that; of course we all know that we lived a lot on-prem, but one thing that doesn't stop is the evolving threat. So with that threat, Hawk is also designed to make an effort to keep up with it, and we're going to talk about that as the talk goes on. Next, you have fragmented administrative interfaces. I alluded to some of that earlier, where you have to go to three different interfaces just to pull some data, and Hawk helps you achieve that as well. And then next is cost constraints, where again we realize that commercial tools can be cost prohibitive for certain organizations, whether they're nonprofit, whether they're education, what have you. And so we want to provide something that is useful to people there in terms of the community. Next of course is a lack of unified visibility, and I think this is something that is going to be a moving target as we continue on with respect to that visibility. Through my time in cloud security as well as information security, I have seen a number of improvements, whether we're talking tables, whether we're talking different types of telemetry from various parts of the network, whether it's endpoint, what have you, cloud. All of that continues to evolve and change, and with that, Hawk, or any tool that we have, has to do the same, and so we are very conscious about that and we've made efforts to keep up with it.

Next, what I'll do is just hit this bottom line up front, if you will, which I think does a pretty good job. It says: as cloud environments grow more complex, organizations struggle to efficiently gather and analyze critical security data without significant time and cost investment. And anybody who deals with threat hunting, who deals with incident response, knows that the cost of time and complexity is a big deal. And so, to borrow a quote from Tony Robbins, complexity is the enemy of execution. And anytime you're involved in an incident response or anything like that, it's really about executing as fast as you can and closing that loop as you observe, orient, decide and act.

So next, what I'll do is just talk to you a little bit about the log sources that Hawk utilizes. Prior to this, it utilized REST APIs from MSOnline as well as Azure Active Directory, which is now known as Entra ID. Those were REST API endpoints, and those endpoints were deprecated as of March 30, 2024. So it's roughly about a year now that those endpoints have been deprecated, and they have now pretty much ceased to work. So again, that means that any tool that seeks to reach out to those interfaces and pull that data back in a meaningful way has to refactor its code; they have to update and modernize their code and their tool to maintain and keep up with the pace of change that I alluded to earlier. So in this case what we use is Microsoft Graph, which acts as a single REST API endpoint, very powerful, and allows you to pull back various telemetry as it relates to Entra ID, as it relates to Teams, Outlook, Intune, and then of course, as I put up there, about 70 different types of resources where you can go and pull down, search, query and analyze resources as this pertains to the Microsoft cloud, which we call Azure. The next thing that we use in Hawk that you'll see is the Exchange Online PowerShell module, and that module allows us, essentially as a service, to pull back meaningful information from M365 from the CLI. In this case we use it for the unified audit log, to pull back that data, again, in the manner that we want, whether you want to correlate that data or send that data elsewhere. So essentially it's Microsoft Graph and Exchange Online, and here's just a real brief example of that.

So as I mentioned, that covers the first third of this talk and this presentation, and what I'm going to do now is pass it over to Paul Navaro. He's going to talk to you about a couple of scenarios where he used Hawk and how it was operationalized in incident response, and he will talk to you a bit about some of the efforts that were teamed up with CISA and Microsoft to bring about new telemetry. Paul.

Yeah, appreciate it, man. So, as Lorenzo mentioned, the threat landscape is constantly changing, and every day in the news, I think we're kind of desensitized to the fact that the threat actors are doing things and things are being compromised. We're just like, oh, another hack, another day, and we move on. A couple of years ago, there were a few situations I dove into where basically it led to a partnership between CISA and Microsoft to create what they've called the advanced logging playbook. And you can Google it, or you could use that QR code. If you trust me, it'll actually take you to the playbook. I'm going to briefly describe it; I think that playbook's about 26 to 30 pages long. I want to give a couple of shout outs though for folks that actually worked on that. I've got one of my friends, Alicia, here somewhere. She helped work on that. And my buddy Casey also worked on that as well. So it's a great partnership that put out a lot of great knowledge for the community and for customers of M365 and Azure.

A couple of things that I want to highlight in that playbook that I think are very important. It is the availability of premium logs bumped down to the standard logging licensing tier. That's important because at one point in time Microsoft was basically shutting out visibility depending on licensing, and that is no longer the case. They chose to extend the logs from 90 days to 180 in that lower licensing, and in the higher licensing you can retain logs up to 365 days. That logging retention and enablement was completed this last June of 2024. Now there are some gotchas, which I want to make sure you know about, if you again trust me to hit the QR code. You have to actually enable some of these logs explicitly for users. So as you go through that playbook, it's very detailed in outlining what the logs are, how to enable them, and how to actually do some testing to ensure that you actually see them correctly inside of your environment. And there are a couple from a broader auditing enablement perspective. This is something that was very frustrating in the past: for the all-up auditing to be enabled in your tenant, there are a few types of licensing levels you have to enable explicitly as well. So I highly recommend, if you're in an M365 Entra ID environment, that you check out this playbook, read all the details, read the why and the actual technical details to enable those logs.

I'm going to go over a couple of the log types because this is very relevant to the so-what behind that playbook. One of the log types that was new, that Microsoft made available in M365, was the search query initiated in Exchange. This log type provides an actual log entry in the unified audit log that says, hey, someone is querying in Exchange. So if you go into Exchange Online and I go to the top where you see search and I search for the word password, or I search for the words direct deposit, or I search for any type of word, that will actually generate a log now, when previously it did not. And so, very helpful. So if you're not collecting that log and it's not enabled for your users, read the playbook and actually enable that as best you can. The second one is SharePoint. Same concept. If you go into SharePoint, which some people here are going to have different opinions about, but nonetheless it still exists, at the top you can query and find files and do all the things. That is also a post-exploitation opportunity: if you compromise an M365 environment or SharePoint Online, you can basically run a query across all that environment for things that are relevant to yourself, in this particular scenario the threat actor. So again, that log also has to be manually enabled for a user.

The next one is mail items accessed. It was very frustrating early on in the days of doing M365 incident response and threat hunting; this log did not exist. And so by definition, and this is what's fascinating if you go back to the SolarWinds post-exploitation from a few years ago, there was the assumption that if the threat actor was in your mailbox, the email was read, and they were like, well Paul, how do you know if it's exfiltrated if you can't see the log? By definition, if the mail was accessed and read, it is exfiltrated. I could have taken a picture of it, I could have done all kinds of crazy stuff. So just understanding that now you can see when that mail item has been accessed, by definition read and by definition exfiltrated; that log now currently exists. The next log that's very important is the send log. The fields that will be present in there are who it got sent to and who sent it. It's very important from a post-exploitation standpoint: if I compromise someone's mailbox and try to pivot and send mail to somebody else, as I'm following the breadcrumbs you will be able to follow those breadcrumbs, which is very helpful in today's investigations and incident response. The last one is Teams logs. Teams is complicated and weird. We have operationalized all four of those top ones, which John will go through here in a second. The Teams ones we haven't yet operationalized, for the simple fact that it is very noisy and there are a lot of things happening. But there are some TTPs that could be leveraged in Teams, and having an understanding that those logs are present is, I think, very important.

I'm only going to do a couple of case studies. I can sit here all day and talk about all kinds of cool hacks and whatnot. The reason why I'm bringing these two up is that they are very important. Mr. Coker this morning was mentioning that the threat actors are basically, for all intents and purposes, in our business every day at every level of organizations, all the way down and all the way up: government, big companies and obviously small organizations. These two use cases where I used Hawk and some other PowerShell tools were, I think, very relevant to this community and, more broadly, to why we maintain Hawk today.

I did an incident response or threat hunting engagement where there was a cheese plant, or a dairy farm, and they happened to make cheese. They had one IT person on staff. This particular organization did use SharePoint Online. This was prior to those current logs that I mentioned earlier being present. We did some investigation and we learned that there was a compromised user, and in the post-exploitation they were basically going through SharePoint, and we could see files downloaded. But when we traversed it, we saw, well, why are they downloading these files? And so after some conversation with the owners, they were like, oh, that's where our recipes are. Now in this particular scenario, I will share it was a nation state, which was fascinating after Mr. Coker's conversation this morning, that there was a nation state actually stealing recipes from this dairy organization. And the reason why I use this one all the time is I think it's funny, because you could say, hey, I've got to steal the cheese. But it was really fascinating because they were really curious: hey Paul, why would someone want to steal my recipes? And the premise there is, if I steal your recipe, I don't have to create it myself. And so that's what I think Mr. Coker was hitting on this morning: the fact that everybody's susceptible, whether it's corporate espionage or whatever. And this organization had one IT person with very little knowledge of PowerShell, but who was able to log in, and I was able to walk them through how to use Hawk, which I thought was very important. And they felt empowered at the time that, hey, now I have a tool that I can use in my environment with 150 users to detect and hopefully protect my organization. So that's use case one.

Second one, similar in nature: a nonprofit organization, a medical facility; they could not enable MFA on their M365 accounts. Everyone hears, "Oh my god, they're terrible IT people and they're a bad organization." Here's why. When you're a nonprofit organization doing medical types of things and you have an employee staff that only has flip phones, and they don't have the cool MS Authenticator and all the Google Authenticator apps, they weren't able to fully enable MFA for these users because some didn't even have phones. And so when you're a nonprofit, you don't have the time or the ability to start handing out iPhones and teaching everybody to use the authenticator. So what happened was they had a post-exploitation of one of their HR or financial HR people, and the threat actor created a mailbox rule that was basically filtering for anything with the words direct deposit. And what they did, I assumed it was automation; that was a hypothesis that I had. But they basically defaulted to a known mailbox in Outlook called RSS Feeds. So basically what it would do is, if that individual received any mail that had the words direct deposit in it, then it would automatically be read without the user seeing it. It would go into the RSS Feeds. The threat actor was able to see it and get the things. What they were doing was sending emails to all these employees saying, hey, you need to update your direct deposit information, send it to me, blah blah blah, and it would forward back to the HR person, and then they were basically compromising direct deposit information.

So the two examples I wanted to make sure that I highlight: this is not me talking about, oh, I went into Walmart and I showed them how to use this tool. That is not the type of organization that's using this tool. It is the other constituency, as I call it, that needs to protect and detect against threats, criminals, nation states; people that are genuinely being attacked, as Mr. Coker mentioned this morning.

Prerequisites for Hawk. This is important not because I want to say, hey, this is just what you need to do. This is more importantly to understand that the barrier of entry to use this is very small, even though the inception of the Graph made it slightly more complex, because you actually have to do some consenting for PowerShell to access the Graph. But nonetheless, if you can run a little bit of PowerShell, you can install a module on an endpoint. If you have a Windows machine that has PowerShell 5.0 and above on it, you can run Hawk. And you need a little bit of support from your administrative team to actually give you the permissions to run it; John will show the website here in a minute of what permissions and how to run it. We've done the best we can to provide step-by-step instructions, videos, anything you need to run this. And if you have organizations or people that are getting into this type of work, this is a great place to start. Mr. Butler.

All right. Thanks, Paul. So, when it comes to running Hawk, there are a few different investigation types that you can utilize when running the application. The first one is a tenant investigation, which is exactly what it sounds like. This is going to pull down logs across your entire tenant to identify any sort of organization-wide risks and changes. We mentioned this as looking a mile wide and an inch deep. To run a tenant investigation, once you have Hawk installed, you simply type in Start-HawkTenantInvestigation. The next investigation type is a user investigation. This is typically run after a tenant investigation, because after a tenant investigation you might find some users of interest, or you may have had another security product that flagged a user account as being compromised or having some abnormalities with it. And this is where you'd run a user investigation. You can run it against either a single user or a list of users, a set of users. And this is going to collect a different set of logs than what is collected in your tenant investigation, specifically for those user accounts. The command to run this is quite simple as well: it's Start-HawkUserInvestigation. With each of these investigations, when you're running your tenant investigation or your user investigation, it's going to run a series of functions sequentially, either tenant-wide functions or user functions. If you don't feel like running a full-fledged tenant investigation or a full-fledged user investigation, you can also run each of the individual functions inside of Hawk as well. So if you have some targeted collection needs or you want to customize something yourself, you can go ahead and do that with each of the individual functions. We have comprehensive help using Get-Help with the function name, and we have all these functions listed on our website as well, with their purpose.

Now, once a tenant investigation is complete, there are going to be a number of artifacts that are dropped to disk in the directory that you specify, and we're going to go over some of those. It's not the all-inclusive list, but again, the all-inclusive list is on our website; we'll highlight some of the more important ones here. So, getting pulled from Entra ID is the Entra ID audit log. And the audit log for Entra ID is what it sounds like. It's going to show you the logs for all the things that are happening inside of Entra ID: the creation of users, the deletion of users, MFA actions, key signing activities, key rotation activities; whatever you'll find in that Entra ID log is going to be in the audit log. We're also pulling down app consent grants. So, for those of you familiar with Entra, inside of Entra there are enterprise applications. You can also create your own custom applications and assign those applications specific permissions or grants. With Hawk, we're pulling all of those applications from your tenant down to disk. And then we're also looking at all the assigned permissions to those applications and also doing some limited investigative analysis to flag some permissions that might be deemed high-risk, extremely dangerous, or overly permissive. Then app consent grants. Attackers like to utilize this legitimate function. Sometimes they'll gain access to a network, gain access to some credentials, modify a legitimate application to give it some excessive permissions to perform some follow-on actions that they desire, or they may also register an illegitimate, malicious application without your knowledge and then also give that some permissions that you're unaware of. So this is a quick and easy look at this. This is actually post SolarWinds compromise. Some of the end users of SolarWinds that were then compromised as a follow-on action to the SolarWinds compromise, some of these organizations that were using SolarWinds that were then hacked after the fact: the threat actors went into those organizations, they obtained administrative privileges, they then modified some previously existing apps in Entra ID, giving them Mail.Read privileges, and then from there, having Mail.Read, the attackers were able to monitor emails going throughout the entire organization, which is a pretty good technique.

We're also pulling back risk detections and risky users from Entra ID. So for those that are not familiar, risk detections is a log that's maintained in Entra ID. Microsoft is using some analytics, some machine learning, to identify risk detections, and an example of a risk detection for identities could be, let's say, a sign-in activity for impossible travel. Impossible travel meaning a user has logged in, let's say, from North Carolina and Seattle at the same time. It's very unlikely that somebody could be doing that legitimately at the same time. So that's an example of a risk detection; compromised credentials is another risk detection. Risky users is an aggregation of those risk detections that will identify users within your organization that might be considered at risk. So for example, if Paul had five medium risk detections on his account within the last 24 hours, he might be flagged as a risky user inside the risky users log. We're also pulling down a complete user account inventory as well, for those of you that would like to do an inventory of all your users across your organization.

On the M365 side of the house, again, this is not the all-inclusive list. We're pulling back inbox rules. When you're running the tenant investigation, it is only pulling inbox rules for your admin account specifically. It's not every single user across the entire organization, because that's pretty noisy. But we're pulling inbox rules for Outlook: inbox rules that are created, inbox rules that are modified, inbox rules that are deleted. So you can catch those things like Paul was talking about with the cheese plant there. We're also pulling back eDiscovery assignments. eDiscovery is a set of permissions within the Microsoft cloud that are typically used for legal investigations, legal reviews and security investigations. And this gives someone the ability, if assigned these eDiscovery rights, to bulk export emails across the organization and to do deep content searches for specific emails. We're pulling those back as well so you can understand which users in your organization are assigned those rights, and then take a look there to see if those are actually legitimate rights or if those users should actually have those assignments. We're also looking at all admin RBAC changes across all of M365 as well, and highlighting those in some of the logs we're pulling back. And then, as you can see here, we have a number of M365 tenant configurations that get pulled down in one fell swoop as well, from your admin audit log to transport rules and user account inventories.

Now, same thing with your user investigation. There's going to be a whole other set of artifacts that are pulled down for the users that you're investigating. The first one from Entra ID is your Entra ID sign-in log. That's pulled down for that specific user you're looking at. We're also pulling back a number of user configs for that user as well: mailbox info, mailbox stats, folder statistics, and CAS mailbox info. On the M365 side of the house, the logs specifically, now we're pulling down user inbox rules specifically for the user you're investigating, not every single admin account. Also auto reply forwarding rules, the sign-in log specifically for M365 and the UAL, separated from Entra ID. And then, as Paul mentioned, we're also now pulling down mail items accessed, Exchange and SharePoint queries, as well as send mail, which is not listed here, and then also all mobile devices that are registered for that particular user.

Now when it comes to running Hawk, there are two different modes that you can run. The first one is interactive mode, and this is the mode that has always existed up until 4.0. It still exists, but we do have another one. Interactive mode is exactly what it sounds like. You press enter to run your investigation and it's going to prompt you for a series of information: your output directory, your start date for your investigation, your end date. It provides real-time updates to you, and this is great for ad hoc investigations, or if it's your first time using the tool, or you're not comfortable using it in other ways, or if you're just trying to learn the tool. The next one, which we added with the latest release, 4.0, is non-interactive mode, which is what it sounds like. It now allows you to specify command line arguments, which is suitable for scheduled tasks, automation, or if you want to integrate this with other security tools as well.

All right. So at this point in time we're going to just step into the demo. We pre-recorded this. Again, as the previous speaker said, to avoid the wrath of the demo gods, we're going to just show you the pre-recording, because we don't trust the internet here or APIs being up all the time. So, for the first part of this demo, we're going to run a tenant investigation in interactive mode. The first thing you'll see here is some beautiful ASCII art in our latest update as well. And then it's asking the user for their output directory. Here we're going to specify C:\bsides demo. And the next thing Hawk will do is connect to the Microsoft Graph so we can pull those logs from the Graph API. Go ahead and select our account. And the next thing it's going to do is create a subfolder here. And the naming structure for the subfolder is the one you specified here: Hawk_, your tenant name, and then the date timestamp as well. Hawk's then going to check to see if you have the latest version of Hawk installed, which we do, 4.0. If you don't, it's going to ask you if you'd like to upgrade. So here we have it installed. Next, Hawk is going to do a nice little check here to see what sort of M365 license you have, because as Paul mentioned before, if you have E5, it's 365 days. If you have a 3 series license, it's 180 days. And this helps you answer the next question down here below: how far back in time would you like to go to start your investigation? You can enter that in a month, day, year, time format, or you can enter that in a number of days. The default is 90 days if you were to hit enter. Here in the demo, we're going to just type in 120 days. Hit enter here. And then it's going to ask you for the end date as well. Again, the same format. If you press enter, it's going to default to today's date, which is what we do. And the next thing it's going to do is ask to connect to Exchange Online, so we can pull the logs from M365. It will also show you your configuration summary here, letting you know what version of Hawk you have installed, the file path for your logs, your start date, end date, and then the tenant that you're hunting against. And we also threw in this eagle because we couldn't find a hawk. But it works. It's a bird.

All right. So I'm going to fast forward here. That yellow text means you're connected to Exchange Online. And then Hawk is off to the races here, running each of the tenant-level functions in sequence. I'm going to pause it real quick just to highlight something here. So, we call these things prompt tags: action, info, and investigate. Action is what it sounds like, if an action is occurring. Info if there's something informational, like something being complete. And one of the more important ones here is the investigate prompt tag. So the main purpose of Hawk is, again, to automate the collection of logs from the Microsoft cloud. But there are also some of what we call investigative signals or investigative analytics that we're running against some of these logs as well. And those will be displayed to you with the investigate tag. This does not mean that you are compromised necessarily. This is just something that may warrant a closer look once those logs get pulled down. So that's just something to point out there specifically. Also, there's a lot of text wrapping happening here, but this is size 24 font that we used for the demo. So it'll look a little cleaner, hopefully, if you're running it not in size 24. All right, so we're going to skip forward a little bit here just to save some time. And at the end of your investigation, Hawk will provide you with your investigation summary: how long it took, your tenant, again, the directory that you hunted against. And this is a pretty quick run because this is in a lab test environment. So this is much quicker than some larger
organizations. And now during the next part of the demo here, we're going to just quickly run a user investigation, but this time we're going to run a user investigation in non-interactive mode. So I'm going to skip forward just a bit. And just to quickly explain the uh the arguments here, you have the user principle name, which is the user that you're hunting against, which in this case is myself. Uh days to look back is set to 90. uh the file path and then also we're specifying the skip update argument so you're able to not be prompted to update Hawk. All right. And then same thing with your tenant investigation. It'll give you your runtime summary there as
well. Uh just for a quick view. Now that that's complete, we're going to go ahead and pull up some logs that I already saved to disk here. And this is the directory that Hawk went ahead and uh created for us. And what you'll notice here in the root investigation directory are two text files and two folders. So the first text file is hawk.ext and this is just a copy of all the the the logs that are being printed to your screen here. So you can go back in time and reference these after the fact. We also have this investigate.ext file. And this is anytime that the investigate prompt pops up, it's going to be saved here in this separate file
as well. These are going to be some of the more interesting areas to look at. And then you'll notice this tenant folder. This tenant folder is where all of your tenant logs are saved to for your tenant investigation. And then for each and every user that you create that you conduct a hunt against, Hawk is going to create an individual user directory for that user also. So we'll go ahead and take a look at the uh user directory here first. Let me go and hide this. Um so you'll notice a lot of logs here. There's a lot. Um and to talk about the file formats here. So the majority of the logs that we're pulling
back are going to be in a JSON format. So we're saving those to disk as is. And JSON is nice, right? Because if you don't want to just look at a bunch of CSV files, you can take those JSON files, throw them into your seam of choice Elk Splunk Sentinel whatever you have at your disposal. So that's what the JSON is really there for. We also create a CSV representation of all these JSON files as well. Um, and that's that's a nice quick triage, quick initial glance for a user if somebody's not as sophisticated or doesn't really know how to use a seam or has doesn't have that use case. There are individual CSV files there. And there are some text
files that are pulled back as well. Uh that are your configuration files across your organization. So we're going to go ahead and take a look at the mail items access log here real quick. Again, one of the new SIZA one of the new logs from the SISA playbook. We'll look at this uh in JSON. We'll look at the first two in JSON, then look at the last one in in CSV. I'm going to just highlight some of the more important uh fields here within this log. So creation time, of course, that's always always a good field to look at when you're talking about incident response and security events. When was this log created? the unique ID
for that log. We have our operation which is mail items accessed. And then scrolling on down here, of course, another useful one is your client IP address as well as your client info string. The client info string is going to uh let you know where the user uh what application the user was using at the time to log in and check these mail items. So in this case, Outlook web, it could be a desktop application or mobile application depending on where you're logging in from. Another very useful one, if I do a control F here, is the session ID. So the session ID is very useful because this ID is present in the mail items
access log, but it's also present in multiple other log types across the Microsoft cloud. And this allows you to correlate actions from one event in one log to another event in other logs. And this session ID is associated with your enter ID authentication token. So as long as that exists, the session ID will exist uh for this particular log. Uh that's typically up to one hour. or however if you're using refresh tokens that could be I think up to 90 days uh for your session ids if I'm wrong please correct me afterwards all right and then another interesting one here useful one is the operation account how many mail items were accessed is what's indicated here
so here we have four mail items that were accessed and if you want to see which ones were specifically accessed it's these four to the right here under folders folder items you have these four items here that were accessed now you're like what the hell am I looking at um so there is no there's not going to be the uh the content of the email. You're not going to have the the subject line for the email, but what you will have is the internet message ID, which is a unique unique ID associated with that email. Using that internet message ID, you can then look into perview. You can then look into utilizing the graph to pull
down the full contents of that email if you so desire. I'm not plugged in. What's going on here? All right. Where I think you should be good. I'll go and take a look at it. Take a look. Oh, we're good now. Okay. Okay. Good. Apologies there. All right. Power gods. Power gods. Power gods got me. All right. So, the next one we'll look at is the SharePoint searches. This one's a less verbose. There's not as many fields here, but a very, very important log type. Uh, so here it gives you the query source, which is SharePoint. The query text. So, this user here was looking for password. Uh, the scenario name is where they were
searching from. So, here SP home web is the SharePoint homepage. This could also be a number of other values such as mobile or teams. There's a number of other values there that could be set for the scenario name. Uh the user agent string where the the browser the user is using. Uh the user ID of course the client ID and then as well as the creation time are also very all very useful uh pieces of information to look at. There you can see another user was looking for admin and password. So we'll go ahead and get out of here. And now we're going to go back up to the tenant folder and take a look at the consent
grant blocks here. We'll take a look at this in CSV format. And expand all of this. Now, some of the more useful columns in here or fields to look at within uh your app consent grants are the client display name. that is the name of the application with an entry ID itself. Here we have a hawk test app that was supposed to be deleted in February. Um and then still exists and assigned to that right uh one of the useful pieces of information here is the permissions that are assigned to that application. So that hawk app has a number of uh permissions here assigned to it and what hawk's going to do on the right
hand side here is then categorize that those uh the risk associated with those permissions the the uh assumed risk with those permissions. So this could be considered extremely dangerous. This approll assignments because this allows the application to now assign roles to applications across your entire organization which could allow for priv privilege escalations and other nefarious uh acts. There you have another interesting one here high risk at high risk which is your bit locker key read.all. This allows a user using this application to now read all of your Bit Locker keys. If they have access to your Bit Locker keys, they can then decrypt anything that you use to encrypt those particular keys. The ability to
read all your all your all read and write to all your chats. So that's the consent grants there. It also gives you you know what kind of permission types are uh are those applications uh assigned with delegated which is meaning it requires a user's consent to uh to assign those permissions to that app or or assign an indirectly to the app with the application permissions here. All right. So that's that's it for the the logs there. We're going to swing back to the uh the slideshow here. Now, looking forward, what what does the future have in store for Hawk? First and foremost, we look to expand the Hawk developer community. So, if there's anybody here that would love to
contribute to the project, go ahead and submit a poll request or we'll show you the GitHub repo here shortly. Uh if you want to contribute to the the web front end, we do have a web front end. Uh the more the merrier. This is an open source project, so we'd love to have you come and join us. Uh with that, we plan to continue to enhance Hawk. If you're a Hawk user today or if you're a Hawk user tomorrow and you identify some feature requests or some bug fixes that need to be taken care of, go ahead and submit an issue and we again plan to make this a better tool than what it is
today. Lastly, we're establishing a Hawk supporting project known as Hawkeye. The purpose of this project is to uh help automate some of the uh log ingestion ingestion of the JSON logs into uh Elk which is a open source seam and then with that then develop some advanced analytics dashboards uh more on the Elk side to take to uh to provide it over on a seam area uh or seam application and then most importantly uh plan to continue to empower small to medium businesses with enhanced cost-effective Microsoft cloud visibility and security. If you'd like to learn more about Hawk, uh, go ahead and check out our website. This QR code will take you there as well. I'll give
people a second to to scan that if they'd like or take a
picture. I'll switch over to that real quick. This is the website here. Uh, this is all this all got released with 4.0. We wanted to really revamp the website, revamp the documentation, especially with the permissions. Uh, so here it is. Uh if you want to install Hawk, we have a link to the PowerShell gallery. We have it on uh GitHub here as well. A full-fledged user guide from the overview to the installation and the permission setup. Paul touched on permissions lightly, but the permission setup is absolutely key, of course, right, to run hawk, you need the right permissions, and it can be a bit confusing. We do list those permissions here. It's probably going to time out
because the internet is slow, but we do have a full-fledged uh full-fledged uh tutorial section as well on our site with the videos on how to configure those permissions there. So very important if that's confusing at all to anybody go and check out that video or the entire series. And then lastly we also have the about page here. Uh this is where you can connect uh with any of us on stage here uh for we have Paul which is top cyber. We have myself and then Lorenzo and some of the other developers too. There's even a support page. The internet's kind of wonky right now but the support page links to our GitHub as well to submit issues and uh feature
requests. With that, that concludes our presentation and demo, and we'd open the floor up to for questions.
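The MailItemsAccessed and SharePoint search records walked through in the demo can be triaged offline once Hawk has written the JSON to disk. As an added example that is not part of the talk or the Hawk project, this Python snippet groups constructed records by SessionId, totals OperationCount, collects InternetMessageIds and flags sessions that pair mailbox reads with sensitive search terms; the sample values, and the presence of a SessionId on the search record, are assumptions.

```python
"""Offline triage of Hawk-style JSON audit records, keyed on SessionId.

Added example, not Hawk project code. Field names follow the Unified Audit
Log schema shown in the demo; the records themselves are constructed, and
the SessionId on the SharePoint search record is an assumption.
"""
from collections import defaultdict

SAMPLE_RECORDS = [  # constructed sample data, not from a real tenant
    {"CreationTime": "2025-03-01T14:02:11", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.test", "ClientIPAddress": "203.0.113.10",
     "ClientInfoString": "Client=OWA;Action=ViaProxy", "SessionId": "sess-A",
     "OperationCount": 2,
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<m1@example.test>"},
         {"InternetMessageId": "<m2@example.test>"}]}]},
    {"CreationTime": "2025-03-01T14:05:40",
     "Operation": "SearchQueryInitiatedSharePoint",
     "UserId": "alice@example.test", "ClientIP": "203.0.113.10",
     "SessionId": "sess-A", "QueryText": "password", "ScenarioName": "SPHomeWeb"},
    {"CreationTime": "2025-03-01T15:10:02", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.test", "ClientIPAddress": "198.51.100.7",
     "ClientInfoString": "Client=REST;Client=RESTSystem", "SessionId": "sess-B",
     "OperationCount": 1,
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<m2@example.test>"}]}]},
]

# Search terms that, like "password" and "admin" in the demo, deserve a closer look.
SENSITIVE_TERMS = ("password", "admin")


def message_ids(record):
    """Return the InternetMessageIds listed under Folders/FolderItems of one record."""
    ids = set()
    for folder in record.get("Folders", []):
        for item in folder.get("FolderItems", []):
            ids.add(item["InternetMessageId"])
    return ids


def summarize_sessions(records):
    """Group records by SessionId and roll up what happened inside each session."""
    sessions = defaultdict(lambda: {"operations": [], "ips": set(), "mail_items": 0,
                                    "message_ids": set(), "sensitive_searches": []})
    for rec in records:
        s = sessions[rec.get("SessionId", "<no session>")]
        s["operations"].append(rec["Operation"])
        ip = rec.get("ClientIPAddress") or rec.get("ClientIP")
        if ip:
            s["ips"].add(ip)
        if rec["Operation"] == "MailItemsAccessed":
            s["mail_items"] += rec.get("OperationCount", 0)
            s["message_ids"] |= message_ids(rec)
        elif rec["Operation"].startswith("SearchQueryInitiated"):
            text = rec.get("QueryText", "")
            if any(term in text.lower() for term in SENSITIVE_TERMS):
                s["sensitive_searches"].append(text)
    return dict(sessions)


def investigate_flags(records):
    """Return (subject, reason) pairs that warrant a closer look; not proof of compromise."""
    sessions = summarize_sessions(records)
    flags = []
    for sid, s in sessions.items():
        if s["mail_items"] and s["sensitive_searches"]:
            flags.append((sid, "mailbox reads plus sensitive SharePoint search in one session"))
    # The same message read under different sessions from different client IPs.
    readers = defaultdict(set)
    for s in sessions.values():
        for mid in s["message_ids"]:
            readers[mid] |= s["ips"]
    for mid, ips in readers.items():
        if len(ips) > 1:
            flags.append((mid, "message read from %d client IPs" % len(ips)))
    return flags


if __name__ == "__main__":
    for subject, reason in investigate_flags(SAMPLE_RECORDS):
        print("[INVESTIGATE]", subject, "-", reason)
```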
Sir, there.

The question was, is there a more effective way to get a list of all consent grants for all users as opposed to doing it manually? Was that it? Okay. You have anything on that one? Yeah. What was it? More effective than, sorry, rather than doing a user investigation for every single user. Oh, yes. Okay. Yeah, there is that one. It's an individual module function. Yeah. So, for every single user, you could take, I guess, the user inventory if you wanted to, and then create a list, and then pass it into Hawk, and then run that individual function to get all the consent grants there. Yeah. So that's probably the best approach to that. Yep.
You need to have, you can talk permissions. What was the question? Is it a program? Yeah. Yes. It's a local application that you can run on your box, but your user account needs to have the appropriate permissions that are identified in the permissions setup page, within Entra ID, M365, and then Azure as well. So when Hawk runs, the first time you run it, it's been a minute since I ran it, but the first time you run it, it's going to ask you to consent to those permissions that are assigned to your user. And then that'll give those permissions to Hawk to run. It does. Yep. It's all run locally. Like you would download Hawk on your machine, you download PowerShell, install the Hawk module, and then it's all run locally on your machine. REST APIs. No, we don't manage any servers ourselves. We're just reaching out to REST APIs that already exist within the Graph, within Exchange Online services, and we're interacting with the cloud as it exists today. So no servers running. That's one of the big things here. Paul, one of the core contributors, was like, hey, we need to make this as lightweight, as simple as possible for users to stand up. And that was one of the key components going into this when I got brought into the project, some of those core tenets and core facets. Question. Does that answer your question? We can talk more afterwards as well if you'd like.
I'll let the Microsoft guys talk. Yeah. No, very good question. This is not a Microsoft actual, like, sponsored tool. This is, like, a legit open source tool that happened to be... Yeah, we actually have the disclaimer. We never said it. It is not an official tool. It's not supported. Has no SLA. We use the MIT license, and we have multiple contributors kind of across industry. It's been around, again, since 2018 and has kind of built a reputation of, like, importance due to the fact that not everybody can have all, like, the Splunks and the oaks and stuff like that. Right. So if you're a large business, yeah, I'm not going to talk about that here on stage. I can speak to that. Yeah. But yeah, there's multiple other, like, solutions, enterprise solutions, depending on the size. Real quick, I mean, I'm not a Microsoft employee. I can speak some of my knowledge. I mean, my initial thoughts would be setting up a Log Analytics workspace. And you can do that inside of Azure, creating a Log Analytics workspace. It's a place to kind of send all of your logs, and then from that, utilizing Sentinel as a SIEM to connect to look at those logs within the analytics workspace. You can set up connectors within Sentinel and your Log Analytics workspace to connect to the various platforms that we're speaking to here today. And in fact, within the CISA playbook, it talks about how to set up those connectors for both Splunk and for Sentinel, I believe. Yeah.
Yep.
I'll go and repeat that question. So the gentleman here has mentioned that he works for an incident response company doing M365 investigations. He's currently using the Invictus Extractor Suite, which is a tool quite similar to Hawk, came out about two years ago, I believe. However, he has noticed some performance degradations and issues running this in larger environments, and he wants to know if we have tested Hawk in some of these larger environments. I think you want to jump in. Yeah. So this was not much. It'll encounter the same performance issues. That's why we scope it down to investigation and users, and also created some of the new capabilities so you can actually run it in, like, automated workflows. But there will be some limitations. That's why small and medium businesses are going to be better. Large enterprise, you can pull a lot of the artifacts and telemetry, but you're going to get gas because of throttling using PowerShell and a lot of other limitations to the unified audit log, which I do recommend. There's some limitations on log pull. So the way we kind of have built the modules, we try to confine the time to ensure that we don't miss those, but it's not guaranteed in a larger environment, because if you have that shorter time frame, let's say 5 minutes, and you have, let's say, 100,000 events, you may drop them. So, very targeted for user. That's why we generally start with tenant, pull the configuration, just kind of get a lay of the land of, like, okay, how many users do we have, and then from there you can do targeted investigations. Again, this is not a highly advised, like, enterprise tool, but definitely good for, fortunately or unfortunately, a large population of people who use M365 and Azure. Not everybody is, you know, the larger organizations that can use all those high-speed licenses and all those tools and actually have the resources to actually operationalize them. We have two minutes before we get yanked. Mr. Langree, because I know your name and I saw you, go ahead. Thanks [Laughter] for den you could.

Yeah. So, one of my TTPs back in the olden days when I was kind of doing a lot of IR hunting was I would actually ask the admins like, "Hey, you know, who are your high-value, what I call high-value users?" because every time I ask for an asset, I'd get, like, a router name. And so we would say, hey, what are your high-value users? And they'd be like, oh, like so and so, CEO, person with finance. So what I would do is I would iterate on those users and then run this tool very quick to kind of get a quick triage of, like, okay, your high-value users who have permissions, probably, you know, get a quick assessment of, like, potentially yes or no. Great question. Yes, sir.

Is it a little more like partial permissions? Is it just SharePoint? The question was what permissions related to Hawk do you need to run? If you actually look on the website, there's very minimal permissions. It has, like, view certain... I can't remember off the top of my head, but, like, there's a few Exchange Online permissions, and if you have them you can run the Exchange Online. So obviously if you don't have the Entra ID permissions, those functions or modules will fail, but you'll be able to pull the Exchange Online unified audit log. It's going to look a little, I don't know if you'll get a little red on your screen, I think, the way we have it configured, but you'll be able to pull the artifacts. Yeah, and one of the things we tried to do, at least Paul was, on the permissions side with all the documentation, was really scope this down to the least amount of permissions required. Hawk back in the day, I think it was, like, global admin YOLO. That was the documentation before. So Paul did a great job at really scoping this down to the bare minimal permissions that are required. We have got the hook.

I appreciate the questions. Great to see everybody. Thank you. [Applause]