Issue with New-MgSecurityAttackSimulation - Unable to Complete Attack Simulation Creation in Microsoft Defender

[vikingjunior12]

Describe the bug

I'm encountering an issue with the New-MgSecurityAttackSimulation cmdlet in the Microsoft Graph PowerShell SDK. While I am able to initiate the attack simulation, it fails to complete successfully. This issue persists across multiple attempts and environments, with the following details:

Expected behavior

When using the New-MgSecurityAttackSimulation cmdlet to create an attack simulation in Microsoft Defender, I expect the following behavior:

1. The cmdlet should return a 202 Accepted status, indicating the simulation has been successfully queued for processing.
2. The simulation should then transition from a "pending" state to "in progress" and ultimately to "completed" or another final status within a reasonable timeframe.
3. The simulation details, such as ID, status, and completion details, should be accessible, and the simulation should be visible in the Microsoft Defender portal.

In short, after running the command, I expect the simulation to complete successfully and provide feedback on its status, indicating whether it was created and executed as configured.

How to reproduce

Sample PowerShell code to create an attack simulation

$params = @{ displayName = "Test Simulation" "payload@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/{payload-id}" "loginPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/{loginPage-id}" "landingPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/{landingPage-id}" attackTechnique = "credentialHarvesting" durationInDays = 2 status = "scheduled" createdBy = @{ email = "admin@mydomain.com" } includedAccountTarget = @{ "@odata.type" = "#microsoft.graph.addressBookAccountTargetContent" type = "addressBook" accountTargetEmails = @("user@mydomain.com") } trainingSetting = @{ settingType = "noTraining" } }

Execute the attack simulation creation

$result = New-MgSecurityAttackSimulation -BodyParameter $params -Verbose -Debug

SDK Version

2.24.0

Latest version known to work for scenario above?

2.09.0

Known Workarounds

NO Workaround exist. Nothing works

Debug output

HTTP Method: POST Absolute Uri: https://graph.microsoft.com/v1.0/security/attackSimulation/simulations Headers:

• FeatureFlag : 00000043
• Cache-Control : no-store, no-cache
• User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; de-CH),PowerShell/7.4.6
• SdkVersion : graph-powershell/2.24.0 Body: { "landingPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/zensored", "payload@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/zensored", "loginPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/zensored, "attackTechnique": "credentialHarvesting", "displayName": "Test49", "createdBy": { "email": "zensored" }, "includedAccountTarget": { "@odata.type": "#microsoft.graph.addressBookAccountTargetContent", "accountTargetEmails": ["zensored@zensored"], "type": "addressBook" }, "trainingSetting": { "settingType": "noTraining" } } Response: Status Code: Accepted Location: https://graph.microsoft.com/v1.0/security/attackSimulation/operations/108655aa-36ba-4618-9f2e-6c3782d2cd25

Configuration

PSVersion 7.4.6 PSEdition Core GitCommitId 7.4.6 OS Microsoft Windows 10.0.22631 Platform Win32NT PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…} PSRemotingProtocolVersion 2.3 SerializationVersion 1.1.0.1 WSManStackVersion 3.0

Other information

No response

[vikingjunior12]

The problem is resolved.

The issue resolved itself, though I have no idea why. For about a week, I was unable to start a campaign via the API using either PowerShell or Go. There was no error message. Now, without having changed anything, the script works again, including in Go. I assume Microsoft may have had an issue.