T0pCyber / hawk

Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
https://cloudforensicator.com/
MIT License

Connect-MGGraph error after executing Start-HawkTenantInvestigation #123

Open blueteamcoffee opened 2 weeks ago

blueteamcoffee commented 2 weeks ago

Describe the bug

  1. Manually installed
  2. Successfully connected to Azure via Connect-AzureAD
  3. Successfully connected to EXO via Connect-ExchangeOnline
  4. Started investigation via Start-HawkTenantInvestigation --> error came up regarding Connect-MGGraph:

PS C:\temp> Start-HawkTenantInvestigation
Initializing Application Insights
Checking for latest version online
Found Version 3.1.0 Online
Latest Version Installed
Skipping Upgrade
Testing Graph Connection
Connecting to MGGraph using MGGraph Module
Connect-MGGraph : Could not load file or assembly 'file:///C:\Program
Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.5.0\netFramework\Azure.Core.dll' or one of its
dependencies. The system cannot find the file specified.
At line:30 char:9
+         Connect-MGGraph -Scopes "User.Read.All","Directory.Read.All"
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Connect-MgGraph], FileNotFoundException
    + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

Select-MgProfile : The term 'Select-MgProfile' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:31 char:9
+         Select-MgProfile -Name "v1.0"
+         ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Select-MgProfile:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Setting Up initial Hawk environment variable

        DISCLAIMER:
        [...]

        [...]

Do you agree with the above disclaimer?
[Y] Yes  [N] No  [?] Help (default is "Y"): y

Please provide an output directory: C:\temp\Hawk
Get-MGDomain : One or more errors occurred.
At line:81 char:9
+         [string]$TenantName = (Get-MGDomain | Where-Object {$_.isDefa ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-MgDomain_List], AggregateException
    + FullyQualifiedErrorId : System.AggregateException,Microsoft.Graph.PowerShell.Cmdlets.GetMgDomain_List

PS C:\temp>

To Reproduce

Steps to reproduce the behavior: Repeat steps 1-4

Expected behavior

Since the error is about a missing file, providing a dependency or additional module installation tip would be useful.

Additional context

Installed the modules not with install-module, but with install-psresource

devallllll commented 2 weeks ago

Could you update the instructions to use Microsoft.Graph? - I am also really struggling with this and have a few questions. Right now my solution is to remove and reinstall all the modules each time I want to use Hawk :(

syne0 commented 2 weeks ago

HAWK only works with the below listed versions of the needed modules:

- MSOnline 1.1.183.66 (yes it's deprecated, but HAWK still fails without it)
- ExchangeOnlineManagement 3.4.0 (not sure if 3.5.0 works)
- AzureAD 2.0.2.180
- Microsoft.Graph 1.28.0 (not sure if 1.29.0 works)
- RobustCloudCommand 2.1.0

If you require other versions of the above modules, then you'll need to import them as needed.
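A check for the version list in the comment above, as an added example that is not part of the thread or of Hawk's own code: it compares the modules installed on the workstation with those pinned versions and prints the `Install-Module` command for anything missing or installed only at another version. The function name `Test-PinnedModule` and the status labels are made up for this example.

```powershell
# Added example, not Hawk code. Versions are copied from the comment above.
$pinned = [ordered]@{
    'MSOnline'                 = '1.1.183.66'
    'ExchangeOnlineManagement' = '3.4.0'
    'AzureAD'                  = '2.0.2.180'
    'Microsoft.Graph'          = '1.28.0'
    'RobustCloudCommand'       = '2.1.0'
}

function Test-PinnedModule {
    # Hypothetical helper: one result row per pinned module.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Pinned
    )
    foreach ($name in $Pinned.Keys) {
        $want = [version]$Pinned[$name]
        # Every copy visible on PSModulePath, whichever installer put it there
        # (Install-Module or Install-PSResource).
        $found = @(Get-Module -ListAvailable -Name $name |
                   Select-Object -ExpandProperty Version -Unique)
        $status = if ($found.Count -eq 0) {
            'Missing'
        } elseif ($found -notcontains $want) {
            'WrongVersion'
        } elseif ($found.Count -gt 1) {
            'PinnedPlusOthers'   # pinned copy present, but other versions sit beside it
        } else {
            'OK'
        }
        [pscustomobject]@{
            Module    = $name
            Pinned    = $want
            Installed = ($found -join ', ')
            Status    = $status
        }
    }
}

$report = Test-PinnedModule -Pinned $pinned
$report | Format-Table -AutoSize

# Print (do not run) the install command for each module that needs the pinned version.
foreach ($row in $report | Where-Object Status -in 'Missing', 'WrongVersion') {
    "Install-Module -Name $($row.Module) -RequiredVersion $($row.Pinned) -Scope CurrentUser"
}
```

A `PinnedPlusOthers` row means the pinned version is installed next to other versions, so an unqualified import may not pick the pinned one; `Import-Module -Name <module> -RequiredVersion <version>` selects it explicitly.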

blueteamcoffee commented 2 weeks ago

Thx, I will try the next days and report!

blueteamcoffee commented 2 weeks ago

It works now, thanks. Beneath the issue of the old (but right) versions there was also a client-side permissions issue on my Windows client.

devallllll commented 2 weeks ago

> It works now, thanks. Beneath the issue of the old (but right) versions there was also a client-side permissions issue on my Windows client.

I think this is why I had to uninstall and reinstall all the components - I'm still messing with a PS deployment script