Cant no longer change OWA's signature
Hello all, I am trying to update my Outlook Web's signature with Powershell, like I always do, with the "Set-MailboxMessageConfiguration" command, but the signature is not updated. But "Get-MailboxMessageConfiguration" shows that the new signature is there OWA allows now for some people/organitations to manage multiple signatures, but I can't find any documentation/information about that. So, how I can modify the already existing signature? Or, how I can create a new signature?Threat Hunting with PowerShell - Security even with a small budget - there is no excuse!
Dear Threat Hunter, Lack of IT security is often excused by little or no available money. In my view, this is a very poor excuse. In this article I will try to give you a jump start on how to investigate threats with PowerShell. Is this a comprehensive and conclusive list of how you can find or detect threats/threats? NO, absolutely not. But it is meant to provide you with the support that you need to move forward on your own. Let's talk about the "general conditions": 1. If you use the PowerShell scripts I show/explain in this article, this is entirely your responsibility. I use the scripts in different situations, they are not dangerous, but you should already know what you are doing. 2. Written permission! If you are not sure if you are allowed to do an investigation, organize a written permission from your supervisor. 3. In the different scripts I sometimes (for this article deliberately) use standard search words like "malware", "malicious", "hacker" etc. Such search patterns/search words need to be customized, of course. These simply serve as an example. 4. The last part of the article examines some Microsoft cloud services. I am absolutely aware that there are a huge number of tools for hunting in the Microsoft cloud services. It starts with Azure Sentinel and continues with Cloud App Security. Since the focus is on a small budget, I'll leave those tools on the side. Introduction: So first, why should you use PowerShell for threat hunting? PowerShell is a useful threat hunting tool because it is a powerful scripting language and a platform for automating tools and accessing data across any Windows environment. It allows you to quickly gather information from various sources such as event logs, registries, files, and processes. Additionally, it can also be easily integrated with other tools and technologies making it a flexible and efficient tool for threat hunting. Some common use cases for PowerShell in the threat hunting environment include automated collection of log data, identification of unusual behavior anomalies in the system, the discovery of malware or malicious activity by known signatures or patterns or behaviors. These are just a few examples of how PowerShell can be used in a threat hunting capacity. Its versatility and ability to access and manipulate data from across the Windows environment make it a very valuable tool for any security professional. Threat Hunting in PowerShell - Use Cases: All right. So now that we understand where PowerShell can benefit an organization from a threat hunting perspective. Let's take a deeper look at some of the actual use cases you might encounter on a day to day basis, first being identify malicious processor files. So specifically, you can conduct raw file analysis to sift through different data shares to look for particular files in question whether that be a signature or even an extension of a certain file being able to quickly search and triage through files is an extreme benefit of using PowerShell for threat hunting. But how exactly do we start, what can we use as a guide? For example, the MITRE ATT&CK Framework. Here are a few examples: Indicator Removal: Clear Windows Event Logs https://attack.mitre.org/techniques/T1070/001/ Event Triggered Execution: Installer Packages https://attack.mitre.org/techniques/T1546/016/ Hide Artifacts: NTFS File Attributes https://attack.mitre.org/techniques/T1564/004/ Command and Scripting Interpreter: PowerShell https://attack.mitre.org/techniques/T1059/001/ Command and Scripting Interpreter: Windows Command Shell https://attack.mitre.org/techniques/T1059/003/ Event Triggered Execution: Windows Management Instrumentation Event Subscription https://attack.mitre.org/techniques/T1546/003/ Credentials from Password Stores: Windows Credential Manager https://attack.mitre.org/techniques/T1555/004/ Abuse Elevation Control Mechanism: Bypass User Account Control https://attack.mitre.org/techniques/T1548/002/ The MITRE ATT@CK framework provides a comprehensive and regularly updated overview of tactics, techniques, and procedures (TTPs) used by various threat actors. We can locate these TTPs using PowerShell, here are a few examples: Indicator Removal: Clear Windows Event Logs https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/06_Account_Events.ps1 Event Triggered Execution: Installer Packages https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/08_Get-ItemProperty_Software.ps1 Hide Artifacts: NTFS File Attributes https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/08_Get-ItemProperty_Software.ps1 Windows Installer Service is running https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/01_WIS_is_running.ps1 Search Alternate Data Streams on NTFS File Systems https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/02_Search_ADS_on_NTFS%20_(specific%20file).ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/03_Search_ADS_on_NTFS_file_systems.ps1 Read the Contents of a File https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/06_Read_the_contents_file.ps1 Locating Data Patterns within a File https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/05_locating_data_patterns_within_file.ps1 Search for Encoding with Regex https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/07_Search_encoding_with_regex.ps1 Search for Command and Scripting Interpreter: https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Tactics_Techniques_Procedures_(TTPs)/04_Searching_for_PIDs.ps1 Threat hunting in different environments with PowerShell: Coming examples are about collecting information in very different environments. Also here a few examples as a kind => as first starting points: Hunt for Threats in Active Directory: https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/01_Resetting_Password_Unlocking_Accounts.ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/02_Search_stale_accounts.ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/03_Users_without_Manager.ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/04_Password_Expiration.ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/05_Group_Membership_Report.ps1 https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Active_Directory/06_Account_Events.ps1 https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/blob/main/PowerShell/Tracking_the_Source_of_Account_Lock_Outs_and_Bad_Passwords.ps1 https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/blob/main/PowerShell/Finding_Unused_Group_Policy_Objects.ps1 Some of the scripts are structured in such a way that they must be executed block by block/line by line. So do not execute the whole script at once. Pay attention to the different information that is collected. With some investigations in the Active Directory accounts can be indicated like "guest" or "krbtgt", there must be clear of course how this information is to be estimated. Depending on how and what information is searched. Hunt for Threats in Exchange Online: https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Exchange_Online/Exchange_Mailbox_LastLogin.ps1 Find mailboxes with the last login. Hunt for Threats in Azure: https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Azure/Collect_vms_subscription.ps1 We search Azure for all virtual machines in a subscription. https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_Azure/02_Graph_Create_Time_Last_Password.ps1 When was the last password change and when were the accounts created? Hunt for Threats in SharePoint: https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/blob/main/Hunting_SharePoint_Online/SharePoint_Online_specific_files.ps1 With this script we search for files with the extension .ps1 in a SharePoint Online page. Summary: Is this the best tactic to hunt for threats? No! There are many different tactics/techniques to search for threats. First of all, there are a huge number of different tools that can be used, for example SIEM/SOAR (Security Information and Event Management/Security Orchestration, Automation and Response). These tools are really great, sometimes cost a lot and often it takes a lot of knowledge to use such tools. But what is the use of such tools if the information generated by these tools cannot be understood properly, not very much. For this reason, I have tried in this article with simple tools to generate information that hopefully can be interpreted. Is finished here at this point. NO, the journey continues. The examples in this article are neither exhaustive nor complete, but they should give you a starting point. I hope you can build on this foundation. I hope that this information is helpful to you and that you have received a good "little" foundation. But I still hope that this information is helpful for you. Thank you for taking the time to read the article. Happy Hunting, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
Part 6 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends, This article continues with the topic Microsoft Graph PowerShell SDK. Part 1 to 5 can be found here: https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352 https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366 https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696 https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310 https://techcommunity.microsoft.com/t5/windows-powershell/part-5-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3442453 This article is about connecting to SharePoint Online. Remember: Connections to the Microsoft Graph are protected by one or more permission scopes. Service Scopes: Exchange Online Mail and Calendar SharePoint Online (Focus in this article) Files and Sites Microsoft Teams Teams, Channels, Chats and Members Files Delegated Permissions: Files.Read Allows reading the signed-in user's files Files.Read.All Allows reading all files the signed-in user can access Files.ReadWrite Allows creating, reading, updating, and deleting the signed-in user's files Files.ReadWrite.All Allows creating, reading, updating, and deleting all files the signed-in user can access Files.Read.Selected Allows reading files that the user selects Files.Read.Selected.All Allows reading and writing files that the user selects Files Application Permissions: Files.Read.All Allows reading all files in all site collections without a signed in user Files.ReadWrite.All Allows creating, reading, updating, and deleting all files in all site collections without a signed in user Sites Delegated Permissions: Sites.Read.All Allows reading documents and list items in all site collections on behalf of the signed-in user Sites.ReadWrite.All Allows editing or deleting documents and list items in all site collections on behalf of the signed-in user Sites.Manage.All Allows managing and creating lists, documents, and list items in all site collections on behalf of the signed-in user Sites.FullControl.All Allows full control to SharePoint sites in all site collections on behalf of the signed-in user Sites Application Permissions: Sites.Read.All Allows reading documents and list items in all site collections without a signed in user Sites.ReadWrite.All Allows editing or deleting documents and list items in all site collections without a signed in user Sites.Manage.All Allows managing and creating lists, documents, and list items in all site collections without a signed in user Sites.FullControl.All Allows full control to SharePoint sites in all site collections without a signed in user Sites.Selected Allow the application to access a subset of site collections without a signed in user Connecting to SharePoint Online #Install into the Current User Scope Install-Module Microsoft.Graph -Scope CurrentUser #Verify the Installation Get-InstalledModule Microsoft.Graph #If needed Import-Module Microsoft.Graph #Connection for Creating, Reading, Updating, and Deleting Files $scopes = @("Files.ReadWrite.All") Connect-MgGraph -Scopes $scopes #Connection for Managing Sites $scopes = @("Sites.Manage.All") Connect-MgGraph -Scopes $scopes #Core Connection for Managing Sites and Files $scopes = @("Files.ReadWrite.All","Sites.FullControl.All") Connect-MgGraph -Scopes $scopes So that's it again for part 6, we'll see you again in the next part! A little preview, in the next part we'll talk about Microsoft Teams in the Microsoft Graph. See you soon. I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
Microsoft Graph Sign in Log Script
Hi all, I'm trying to create a script that will check sign ins based on the location. How ever the location always appears as 'Microsoft.Graph.PowerShell.Models.MicrosoftGraphSignInLocation'. I am able to see the location if I select the property 'location' by itself and expand the property, but then that only show's a list of the locations. If I add other properties, it either doesn't work or it displays like this: I tried exporting as a csv and the location column values showed up as 'Microsoft.Graph.PowerShell.Models.MicrosoftGraphSignInLocation'. This is what I have currently: Get-MgAuditLogSignIn -Filter "location/countryOrRegion eq 'AU'" -Top 10 | format-list And if I try selecting properties (I would add more properties later, this is just an example: $properties = 'location, userprincipalname' Get-MgAuditLogSignIn -All -Filter "location/countryOrRegion eq 'AU'" -Top 10 -Property $properties | Select -ExpandProperty $properties Has anyone tried something similar?Part 8 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends, This article continues with the topic Microsoft Graph PowerShell SDK. Part 1 to 7 can be found here: https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352 https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366 https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696 https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310 https://techcommunity.microsoft.com/t5/windows-powershell/part-5-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3442453 https://techcommunity.microsoft.com/t5/windows-powershell/part-6-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3923379 https://techcommunity.microsoft.com/t5/windows-powershell/part-7-manage-azure-and-microsoft-365-with-the-microsoft-graph/td-p/3924070 This article is now about doing some tasks with the Microsoft Graph. We work in Microsoft Teams, create a new team, channel, and add a member as an owner. Create a new Team: #Core Connection for Managing Teams $scopes = @( "Team.Create" "TeamSettings.ReadWrite.All" "TeamsTab.ReadWrite.All" "TeamsTab.Create" "TeamMember.ReadWrite.All" "Group.ReadWrite.All" "GroupMember.ReadWrite.All" ) Connect-MgGraph -Scopes $scopes #Retrieve Microsoft 365 Group and Team $group = Get-MgGroup -Filter "DisplayName eq 'Cardano'" Get-MgTeam -TeamId $group.Id #Create a New Team New-MgTeam -AdditionalProperties @{ "email address removed for privacy reasons" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"; "displayName" = "Ethereum"; "description" = "Ethereum Team"; } #List the new Microsoft Team $group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'" Get-MgTeam -TeamId $group.Id Create a new Channel in the new Team: #Create a Team Channel $group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'" $team = Get-MgTeam -TeamId $group.Id $channelname = "Traders" $channeldescription = "Ethereum Traders" $channel = New-MgTeamChannel -TeamId $team.Id -DisplayName $channelname -Description $channeldescription #List the new Team Channel Get-MgTeamChannel -TeamId $team.Id -ChannelId $channel.Id Add a member to the new team as an owner: #Retrieve User Details $email = "email address removed for privacy reasons" $user = Get-MgUser -UserId $email #Retrieve Team and Add an Owner $group = Get-MgGroup -Filter "DisplayName eq 'Ethereum'" $team = Get-MgTeam -TeamId $group.Id $ownerproperties = @{ "@odata.type" = "#microsoft.graph.aadUserConversationMember"; "email address removed for privacy reasons" = "https://graph.microsoft.com/beta/users/" + $user.Id } $role = "owner" New-MgTeamMember -TeamId $team.Id -Roles $role -AdditionalProperties $ownerproperties #Retrieve Team Member and Owner for the Team Get-MgTeamMember -TeamId $team.Id | Select-Object -Property Roles,DisplayName Update some properties: #Lets update some properties $params = @{ MemberSettings = @{ AllowCreateUpdateChannels = "true" #<TrueOrFalse> } MessagingSettings = @{ AllowUserEditMessages = "true" #<TrueOrFalse> AllowUserDeleteMessages = "false" #<TrueOrFalse> } FunSettings = @{ AllowGiphy = "true" #<TrueOrFalse> GiphyContentRating = "moderate" #<ModerateOrStrict> } } Update-MgTeam -TeamId 97d4ea74-1b57-4457-b172-182d7a5d5aa5 -BodyParameter $params So that's it again for part 8, we'll see you again in the next part! A little preview, in the next part we'll Converting Existing PowerShell Scripts. See you soon. I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechslerPart 7 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends, This article continues with the topic Microsoft Graph PowerShell SDK. Part 1 to 6 can be found here: https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352 https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366 https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696 https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310 https://techcommunity.microsoft.com/t5/windows-powershell/part-5-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3442453 https://techcommunity.microsoft.com/t5/windows-powershell/part-6-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3923379 This article is about connecting to Microsoft Teams. Remember: Connections to the Microsoft Graph are protected by one or more permission scopes. Service Scopes: Exchange Online Mail and Calendar SharePoint Online Files and Sites Microsoft Teams (Focus in this article) Teams, Settings, Tabs and Members Teams Delegated Permissions: Team.ReadBasic.All Read the names and descriptions of teams, on behalf of the signed-in user Team.Create Create teams, on behalf of the signed-in user Teams Application Permissions: Team.ReadBasic.All Get a list of all teams, without a signed-in user Team.Create Create teams, without a signed-in user Teamwork.Migrate.All Creating and managing resources for migration to Microsoft Teams Team Delegated Settings Permissions: TeamSettings.Read.All Read team settings, on behalf of the signed-in user TeamSettings.ReadWrite.All Read and change all team settings, on behalf of the signed-in user Team Application Settings Permissions: TeamSettings.Read.All Read team settings, without a signed-in user TeamSettings.ReadWrite.All Read and change all team settings, without a signed-in user Team Delegated Tabs Permissions: TeamsTab.Read.All Allows reading Teams apps that are installed for the signed-in user, and in all teams the user is a member of TeamsTab.ReadWrite.All Allows reading, installing, upgrading, and uninstallation of Teams apps, on behalf of the signed-in user and for teams the user is a member of TeamsTab.Create Allows creation of tabs in any team in Microsoft Teams, on behalf of the signed-in user Team Application Tabs Permissions: TeamsTab.Read.All Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user TeamsTab.ReadWrite.All Read and write tabs in any team in Microsoft Teams, without a signed-in user TeamsTab.Create Allows creation of tabs in any team in Microsoft Teams, without a signed-in user Team Delegated Member Permissions: TeamMember.Read.All Read the members of teams, on behalf of the signed-in user TeamMember.ReadWrite.All Add and remove members from teams, on behalf of the signed-in user Team Application Member Permissions: TeamMember.Read.All Read the members of all teams, without a signed-in user TeamMember.ReadWrite.All Add and remove members from all teams, without a signed-in user Connecting to Microsoft Teams: #Install into the Current User Scope Install-Module Microsoft.Graph -Scope CurrentUser #Verify the Installation Get-InstalledModule Microsoft.Graph #If needed Import-Module Microsoft.Graph #Connection for Creating a Team $scopes = @("Team.Create") Connect-MgGraph -Scopes $scopes #Connection for Configuring Team Settings $scopes = @("TeamSettings.ReadWrite.All") Connect-MgGraph -Scopes $scopes #Connection for Configuring Team Tabs $scopes = @("TeamsTab.Create","TeamsTab.ReadWrite.All") Connect-MgGraph -Scopes $scopes #Connection for Managing Team Members $scopes = @("TeamMember.ReadWrite.All") Connect-MgGraph -Scopes $scopes #Core Connection for Managing Teams $scopes = @( "Team.Create" "TeamSettings.ReadWrite.All" "TeamsTab.ReadWrite.All" "TeamsTab.Create" "TeamMember.ReadWrite.All" "Group.ReadWrite.All" "GroupMember.ReadWrite.All" ) Connect-MgGraph -Scopes $scopes #Did it work? $group = Get-MgGroup -Filter "DisplayName eq 'Cardano'" Get-MgTeam -TeamId $group.Id So that's it again for part 7, we'll see you again in the next part! A little preview, in the next part we'll perform some online tasks with the Microsoft Graph. See you soon. I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on Github! https://github.com/tomwechsler
Group Based Licensing in 365
So I have recently been setting up GBL on my tenant, I am trying to run a script so I can check all licenses applied to a SKU, I need to see the UPN, Sku (Product Name), If the license is directly assigned or if it's assigned by a group, if by a group, what group (name)? I found this script online yesterday, it worked ok last yesterday, but today, the direct or group assigned is blank, no changes have been made. $skuId = "CompanyName:POWER_BI_PRO" #find all users that have the SKU license assigned $details = Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.Licenses.AccountSKUID -eq $skuId} | select ` UserPrincipalName, ` @{Name="SkuId";Expression={$skuId}}, ` @{Name="AssignedDirectly";Expression={(UserHasLicenseAssignedDirectly $skuId)}}, ` @{Name="AssignedFromGroup";Expression={(UserHasLicenseAssignedFromGroup $skuId)}} $details | export-csv -path "c:\temp\ps output\$file" -NoTypeInformation Anyone have a script or can provide the missing elements to complete this?
