crt's People

Contributors

adamcrowdstrike, brianreidc7, crowdstrike-mb, csdr4, mrxinu


crt's Issues

Federations Report Issue

This module gets the Exchange Federations and in the report under the "Federation Configuration/Investigative Tips" heading equates that to the SAML Federations (aka Sunburst TTP) - but ADFS (and other federation services trusts) are not the same thing as Exchange Server Federation. Exchange Server Federation is for sharing info cross-forest such as free/busy and contacts.
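
The distinction the issue draws, written out as code. This is an added example, not CRT's own code: it pulls Exchange Online organization federation and Azure AD domain federation side by side so the two are not conflated in a report. It assumes active Connect-ExchangeOnline, Connect-AzureAD and Connect-MsolService sessions (Get-MsolDomainFederationSettings lives in the MSOnline module); the property names are the cmdlets' documented output properties.

```powershell
# Added example, not CRT project code. Pulls the two unrelated "federation" data sets
# side by side so a reviewer does not mistake one for the other.
# Assumes active Connect-ExchangeOnline, Connect-AzureAD and Connect-MsolService sessions.

# 1. Exchange Online organization federation: cross-org free/busy and contact sharing.
$exchangeFederation = [pscustomobject]@{
    OrganizationIdentifier = Get-FederatedOrganizationIdentifier
    FederationTrusts       = @(Get-FederationTrust)
}

# 2. Azure AD domain federation: the identity-provider trust whose token-signing
#    certificate a Sunburst-style attacker abuses to mint SAML tokens.
$federatedDomains = Get-AzureADDomain | Where-Object { $_.AuthenticationType -eq 'Federated' }

$domainFederation = foreach ($domain in $federatedDomains) {
    $settings = Get-MsolDomainFederationSettings -DomainName $domain.Name

    # SigningCertificate / NextSigningCertificate are base64 DER blobs; decode to get thumbprints
    # that can be compared against what the on-premises AD FS farm actually holds.
    $thumbprints = foreach ($b64 in @($settings.SigningCertificate, $settings.NextSigningCertificate)) {
        if ($b64) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64)).Thumbprint
        }
    }

    [pscustomobject]@{
        Domain                 = $domain.Name
        IssuerUri              = $settings.IssuerUri
        PassiveLogOnUri        = $settings.PassiveLogOnUri
        SigningCertThumbprints = ($thumbprints -join ';')
        HasNextSigningCert     = [bool]$settings.NextSigningCertificate
    }
}

"== Exchange organization federation (sharing) =="
$exchangeFederation.FederationTrusts | Select-Object Name, ApplicationUri, TokenIssuerUri | Format-Table -AutoSize

"== Azure AD domain federation (SAML trust) =="
$domainFederation | Format-Table -AutoSize
```

An unexpected issuer URI, an extra signing certificate, or a thumbprint that does not match the AD FS farm's own certificates is the investigative lead here; the Exchange federation trust says nothing about who can sign tokens for the tenant.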

Exception Get-CRTReport.ps1:1456 The expression after '&' in a pipeline element produced an object that was not valid.

While running from Azure Cloud Shell:

This make take awhile; please be patient...
[2021-02-26 16:49:48Z] - Retrieving Hidden Mailboxes from Exchange Online
[2021-02-26 16:49:54Z] - Beginning authentication
[2021-02-26 16:49:54Z] - Authenticating to Azure AD
Exception: /home/rodger/CRT-main/Get-CRTReport.ps1:1456
Line |
1456 | throw $_.Exception.Message
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
| The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name, a script
| block, or a CommandInfo object.

Sign the Script

It would be nice to have a signed version of this script for added trust.

Application service principals' key credentials not pulled

I see the script is not pulling the KeyCredentials data from application service principals.
I tested via PowerShell, don't see it there as well.

PS C:\WINDOWS\system32> Get-AzureADServicePrincipal -SearchString test2 | fl -Verbose

DeletionTimestamp :
ObjectId : 1f4f8e15-e30a-4f5a-b390-dc18e08de90f
ObjectType : ServicePrincipal
AccountEnabled : true
AddIns : {}
AlternativeNames : {}
AppDisplayName : test2
AppId : 9a1f9092-521b-415d-b892-c16b50cc2347
AppOwnerTenantId : bc247260-533f-40bb-a788-349ed7e027da
AppRoleAssignmentRequired : False
AppRoles : {}
DisplayName : test2
ErrorUrl :
Homepage :
KeyCredentials : {}
LogoutUrl :
Oauth2Permissions : {}
PasswordCredentials : {}
PreferredTokenSigningKeyThumbprint :
PublisherName : scbdemolab
ReplyUrls : {}
SamlMetadataUrl :
ServicePrincipalNames : {9a1f9092-521b-415d-b892-c16b50cc2347}
ServicePrincipalType : Application
Tags : {WindowsAzureActiveDirectoryIntegratedApp}

But under the manifest for the app SP I can see keyCredentials is present.
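
The portal manifest shown in the screenshots belongs to the application object, while Get-AzureADServicePrincipal returns the service principal, and the two objects carry credentials independently. The following is an added example, not CRT code, that inventories key and password credentials on both objects for every service principal in the tenant. It assumes the AzureAD module and an active Connect-AzureAD session; New-CredentialRow and Get-AppCredentialInventory are helper names introduced here.

```powershell
# Added example, not CRT project code. Lists key and password credentials on both the
# service principal and, where the app is registered in this tenant, its application
# object (the portal manifest's keyCredentials / passwordCredentials).
# Assumes the AzureAD module and an active Connect-AzureAD session.

function New-CredentialRow {
    param($Owner, [string]$ObjectKind, [string]$Kind, $Cred)
    [pscustomobject]@{
        DisplayName = $Owner.DisplayName
        AppId       = $Owner.AppId
        Object      = $ObjectKind          # 'ServicePrincipal' or 'Application'
        Kind        = $Kind                # 'Key' (certificate) or 'Password' (client secret)
        KeyId       = $Cred.KeyId
        Usage       = $Cred.Usage          # 'Verify'/'Sign' for keys; empty for passwords
        StartDate   = $Cred.StartDate
        EndDate     = $Cred.EndDate
        DaysValid   = if ($Cred.StartDate -and $Cred.EndDate) { [int]($Cred.EndDate - $Cred.StartDate).TotalDays } else { $null }
    }
}

function Get-AppCredentialInventory {
    foreach ($sp in Get-AzureADServicePrincipal -All $true) {
        foreach ($k in $sp.KeyCredentials)      { New-CredentialRow $sp 'ServicePrincipal' 'Key'      $k }
        foreach ($p in $sp.PasswordCredentials) { New-CredentialRow $sp 'ServicePrincipal' 'Password' $p }

        # The application object exists only for apps registered in this tenant;
        # multi-tenant apps owned elsewhere have just the service principal here.
        $app = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"
        if ($app) {
            foreach ($k in $app.KeyCredentials)      { New-CredentialRow $app 'Application' 'Key'      $k }
            foreach ($p in $app.PasswordCredentials) { New-CredentialRow $app 'Application' 'Password' $p }
        }
    }
}

$inventory = @(Get-AppCredentialInventory)
$inventory | Sort-Object StartDate -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path .\AppCredentials.csv -NoTypeInformation -Encoding UTF8

# Credentials added recently or valid for years are the ones to look at first.
$inventory | Where-Object { $_.DaysValid -gt 365 -or $_.StartDate -gt (Get-Date).AddDays(-30) }
```

Get-AzureADApplication is called once per service principal, so on a large tenant this takes a while; the application-side lookup is what exposes the keyCredentials the issue sees in the manifest.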

Get-CRTReport.ps1 errors

Script can't run and gives the following errors:

At C:\Users\users\Downloads\Get-CRTReport.ps1:170 char:21
+                 Sign up
+                     ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users\users\Downloads\Get-CRTReport.ps1:197 char:190
+ ... ata-ga-click="(Logged out) Header, go to Features">Features <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\users\Downloads\Get-CRTReport.ps1:197 char:261
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users\user\Downloads\Get-CRTReport.ps1:211 char:255
+ ... ogged out) Header, go to Customer stories">Customer stories <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Downloads\Get-CRTReport.ps1:211 char:326
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users\user\Downloads\Get-CRTReport.ps1:212 char:231
+ ... ata-ga-click="(Logged out) Header, go to Security">Security <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\gbrakel001\Downloads\Get-CRTReport.ps1:212 char:302
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users\user\Downloads\Get-CRTReport.ps1:235 char:222
+ ... a-click="(Logged out) Header, go to Explore">Explore GitHub <span cla ...
+                                                                 ~
The '<' operator is reserved for future use.
At C:\Users\user\Downloads\Get-CRTReport.ps1:235 char:293
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
At C:\Users\user\Downloads\Get-CRTReport.ps1:238 char:107
+ ...  text-normal text-mono f5 mb-2 border-lg-top pt-lg-3">Learn &amp; con ...
+                                                                 ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.
Not all parse errors were reported.  Correct the reported errors and try again.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : AmpersandNotAllowed

Recommend breaking the script up into separate files

Managing and changing a monolithic script is significantly more cumbersome than one that has been broken into parts. I recommend at the very least breaking each function into its own file (preferably assembled as a module) and each test/report as a separate script. This would leave the launch script as the process at a high level making it easy to see the workflow.

Use the -Encoding option in Export-Csv to avoid garbled characters

Export-Csv uses ASCII as the default encoding in PowerShell 5.1, so if we are using multibyte characters, we will get garbled characters. In my environment, I have confirmed that it works correctly by adding "-Encoding Default".

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-5.1

However, this behavior seems to have been changed in PowerShell 6 and later. I tried to check the behavior in PowerShell 7.1, but I did not check the -Encoding behavior because CRT does not work in any place except Export-Csv.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-7

The term 'Clear-ActiveToken' is not recognized as the name of a cmdlet

Hi,
Script runs okay, and after the saving of one file I get the following:

[2021-12-06 08:22:47Z] - [+] Saving AzureADPSPermissions Report to the path: 'CRT\20211206T1019\Reports\AzureADPSPermissionsReport.csv'
C:\Users\XXXXXXXXXX\CRT\Get-CRTReport.ps1 : The term 'Clear-ActiveToken' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:1
+ .\Get-CRTReport.ps1
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CRTReport.ps1

Any help appreciated!
P.S. thanks for such a great tool!

Get-EXOMailbox performance

Hi CrowdStrike,

Cool script, but poor performance with big Office365 environments. Say, the following commands are specified: SMTPForward, FullAccessGranted, AnyAccessGranted, SendAsGranted together. This means script will run
Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue | Get-EXORecipientPermission -ErrorAction Stop 4 times. This works well with small number of mailboxes, but a single execution of this command on, say, 50000 mailboxes will take a few days (believe me) to complete (eventually Microsoft will throttle you and slow down the requests). Your script calls it 4 times which will easily take more than a week (not counting possible auth session expiration when you'll need to restart the script).

My proposal would be first to save mailboxes to a variable like $mailboxes = Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue and same for $permissions = $mailboxes | Get-EXORecipientPermission -ErrorAction Stop and reuse both $mailboxes and $permissions where possible. Let me know if I can contribute to the project!
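
The proposal above written out, as an added example rather than CRT code: the mailbox list and the two permission sets are fetched once and all four reports are derived from the cached objects. It assumes an active Connect-ExchangeOnline session and the ExchangeOnlineManagement module's Get-EXOMailbox -Properties parameter; the report names follow the issue.

```powershell
# Added example, not CRT project code. Enumerates mailboxes and permissions once, then
# derives each report from the cached objects instead of re-walking every mailbox per report.
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -ErrorAction SilentlyContinue `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo

# These two passes are the expensive part; each runs exactly once.
$mailboxPerms   = $mailboxes | Get-EXOMailboxPermission   -ErrorAction SilentlyContinue
$recipientPerms = $mailboxes | Get-EXORecipientPermission -ErrorAction SilentlyContinue

$self = 'NT AUTHORITY\SELF'
# AccessRights comes back as a list object; join it so Export-Csv writes the values, not the type name.
$flatRights = @{ Name = 'AccessRights'; Expression = { @($_.AccessRights) -join ';' } }

$reports = [ordered]@{
    SMTPForward = $mailboxes |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

    FullAccessGranted = $mailboxPerms |
        Where-Object { -not $_.IsInherited -and $_.User -ne $self -and (@($_.AccessRights) -contains 'FullAccess') } |
        Select-Object Identity, User, $flatRights, IsInherited

    AnyAccessGranted = $mailboxPerms |
        Where-Object { -not $_.IsInherited -and $_.User -ne $self } |
        Select-Object Identity, User, $flatRights, IsInherited

    SendAsGranted = $recipientPerms |
        Where-Object { $_.Trustee -ne $self -and (@($_.AccessRights) -contains 'SendAs') } |
        Select-Object Identity, Trustee, $flatRights, AccessControlType

    SendOnBehalfGranted = $mailboxes |
        Where-Object { $_.GrantSendOnBehalfTo } |
        Select-Object PrimarySmtpAddress, @{ Name = 'GrantSendOnBehalfTo'; Expression = { $_.GrantSendOnBehalfTo -join ';' } }
}

foreach ($name in $reports.Keys) {
    $reports[$name] | Export-Csv -Path ".\$name.csv" -NoTypeInformation -Encoding UTF8
}
```

Cutting the calls from four full enumerations to one also reduces the window in which the session token can expire mid-run; if a run is still too long, the cached `$mailboxes` array can be checkpointed with Export-Clixml and the permission passes resumed from it.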

Unnecessarily requires admin rights when missing modules in PSv5

When running without admin rights under PSv5 while missing one or both of the required modules, it complains that you should run as an admin to allow it to install them. This is unnecessary: they can be installed for just the current user without that by adding -Scope CurrentUser to the Install-Module command. PowerShell 7+ (probably 6 as well, but I never really used that version much) already does this by default.

Cannot validate argument on parameter 'PrimarySmtpAddress'. The argument "" does not match the "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" pattern.

[2021-01-05 07:51:30Z] - Retrieving Mailbox Delegates where 'Full Access' permission is granted
This make take awhile; please be patient...
[!] We ran into an error retrieving Mailbox Delegates where 'FullAccess' permission is granted. If a report is generated, it may not be complete.
Try using the following command to obtain this report manually:
Get-EXOMailbox -ResultSize Unlimited | Get-EXOMailboxPermission | Where-Object { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Export-Csv "FullAccessPerms.csv" -NoTypeInformation
[2021-01-05 08:01:47Z] - Retrieving Mailbox Delegates where 'Any' permissions are granted
This make take awhile; please be patient...
[!] We ran into an error retrieving Mailbox Delegates where 'Any' permissions are granted. If a report is generated, it may not be complete.
Try using the following command to obtain this report manually:
Get-EXOMailbox -ResultSize Unlimited | Get-EXOMailboxPermission | Where-Object { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Export-Csv "AnyAssignedPerms.csv" -NoTypeInformation
[2021-01-05 08:04:55Z] - Retrieving Mailbox Delegates where 'Send As' or 'SendOnBehalf' permission is granted
This make take awhile; please be patient...
Cannot validate argument on parameter 'PrimarySmtpAddress'. The argument "" does not match the "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" pattern. Supply an argument that matches "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" and try the command again.
At Redacted\CrowdStrike_Reporting_Tool_for_Azure\CRT-main\Get-CRTReport.ps1:1081 char:13
+         throw $_.Exception.Message
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Cannot validate... command again.:String) [], RuntimeException
    + FullyQualifiedErrorId : Cannot validate argument on parameter 'PrimarySmtpAddress'. The argument "" does not match the "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" pattern. Supply an argument that matches "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" and try the command again.

Parm issues in .\Get-CRTReport.ps1

PS C:\Scripts> .\Get-CRTReport.ps1
At C:\Scripts\Get-CRTReport.ps1:96 char:4
+ 95 Param (
Unexpected token 'Param' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:97 char:8
+ 96 [Switch]$BasicAuth,
+    ~~~~~~~~~~~~~~~~~~
Unexpected token '[Switch]$BasicAuth' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:97 char:3
+ 96 [Switch]$BasicAuth,
+ ~
Missing closing ')' in expression.
At C:\Scripts\Get-CRTReport.ps1:102 char:5
+ 101 );
+ ~
Unexpected token ')' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:111 char:5
+ 108 Function Out-Summary {
+ ~~~~~~~~
Unexpected token 'Function' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:112 char:9
+ 109 Param
+     ~~~~~
Unexpected token 'Param' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:113 char:9
+ 110 (
+     ~
Unexpected token '(' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:114 char:13
+ 111 [string]$string,
+         ~~~~~~~~~~~~~~~
Unexpected token '[string]$string' in expression or statement.
At C:\Scripts\Get-CRTReport.ps1:114 char:4
+ 111 [string]$string,
+ ~
Missing closing ')' in expression.
At C:\Scripts\Get-CRTReport.ps1:114 char:14
+ 111 [string]$string,
+          ~
Array index expression is missing or not valid.
Not all parse errors were reported. Correct the reported errors and try again.
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken

Argument errors on Delegates/SendAs/SendOnBehalf for accounts with a primary SMTP address containing '

[2021-06-02 00:49:21Z] - Retrieving Mailbox Delegates where 'Send As' or 'SendOnBehalf' permission is granted
Press any key to skip this module...
Running module...
This make take awhile; please be patient...
Cannot validate argument on parameter 'PrimarySmtpAddress'. The argument "ray.pare'@domain.com" does not match the "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" pattern. Supply an argument that matches "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" and try the command again.
At D:\temp\Get-CRTReport.ps1:1154 char:13
+         throw $_.Exception.Message
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Cannot validate... command again.:String) [], RuntimeException
    + FullyQualifiedErrorId : Cannot validate argument on parameter 'PrimarySmtpAddress'. The argument "ray.pare'@domain.com" does not match the "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" pattern. Supply an argument that matches "[a-zA-Z0-9!#$%*+\-/?^_`.{|}~]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}" and try the command again.
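
Both of the 'PrimarySmtpAddress' failures above (the empty address and the one containing an apostrophe) come from piping mailbox objects into the permission cmdlets, which binds the mailbox's PrimarySmtpAddress to a parameter whose validation pattern does not admit either value. The following is an added example, not CRT code, that queries each mailbox by directory object id instead and records failures rather than throwing, so one odd recipient cannot abort the whole report. It assumes an active Connect-ExchangeOnline session and the EXO V2 cmdlets' -ExternalDirectoryObjectId parameter; Get-SendPermissionReport is a helper name introduced here.

```powershell
# Added example, not CRT project code. Looks up Send As permissions by directory object id
# so the mailbox object never binds to -PrimarySmtpAddress and its [ValidatePattern] check,
# and collects per-mailbox failures instead of letting one of them stop the run.
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).

function Get-SendPermissionReport {
    param([Parameter(Mandatory = $true)] $Mailboxes)

    $rows     = New-Object System.Collections.Generic.List[object]
    $failures = New-Object System.Collections.Generic.List[object]
    $self     = 'NT AUTHORITY\SELF'

    foreach ($mbx in $Mailboxes) {
        try {
            $sendAs = Get-EXORecipientPermission -ExternalDirectoryObjectId $mbx.ExternalDirectoryObjectId -ErrorAction Stop |
                Where-Object { $_.Trustee -ne $self -and (@($_.AccessRights) -contains 'SendAs') }

            foreach ($perm in $sendAs) {
                $rows.Add([pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Trustee = $perm.Trustee; Right = 'SendAs' })
            }
            # Send On Behalf is a mailbox attribute, not a permission entry; read it off the cached object.
            foreach ($trustee in @($mbx.GrantSendOnBehalfTo)) {
                $rows.Add([pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Trustee = $trustee; Right = 'SendOnBehalf' })
            }
        }
        catch {
            # Keep going; the failed mailbox is reported separately for manual follow-up.
            $failures.Add([pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                ObjectId = $mbx.ExternalDirectoryObjectId
                Error    = $_.Exception.Message
            })
        }
    }

    [pscustomobject]@{ Rows = $rows; Failures = $failures }
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties GrantSendOnBehalfTo, ExternalDirectoryObjectId
$result    = Get-SendPermissionReport -Mailboxes $mailboxes

$result.Rows     | Export-Csv -Path .\SendAsAndOnBehalf.csv      -NoTypeInformation -Encoding UTF8
$result.Failures | Export-Csv -Path .\SendPermissionFailures.csv -NoTypeInformation -Encoding UTF8
"{0} permission rows, {1} mailboxes failed" -f $result.Rows.Count, $result.Failures.Count
```

One call per mailbox costs more round trips than a single piped pass, so on a large tenant this is best reserved for the mailboxes the bulk pass reported errors on; the failure list makes that subset explicit.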

Permissions Update and AccessRights Values

Was able to confirm that Global Reader/Exchange admin is all that's required for pulling 'Send As' or 'SendOnBehalf' fields.

Additionally, the 'AccessRights' field does not properly output in JSON or CSV. Object type and length are returned instead of the value:

csv output: "System.Collections.Generic.List`1[Microsoft.Exchange.Management.AdminApiProvider.RecipientAccessRight]"

json output: "AccessRights": [ 1 ]
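
The AccessRights problem above and the Export-Csv encoding issue earlier on this page have the same fix point: shape the objects before serializing them. The following is an added example, not CRT code, that flattens list-valued properties into joined strings (so CSV gets the right names instead of the .NET type name, and JSON gets names instead of enum integers) and writes the CSV as UTF-8, which Windows PowerShell 5.1 does not do by default. The sample rows are constructed here to stand in for Get-EXOMailboxPermission output; ConvertTo-FlatRecord is a helper name introduced here.

```powershell
# Added example, not CRT project code. Flattens list-valued properties before export and
# writes UTF-8 so multibyte characters survive Export-Csv on Windows PowerShell 5.1.

function ConvertTo-FlatRecord {
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string] $Separator = ';'
    )
    process {
        $flat = [ordered]@{}
        foreach ($prop in $InputObject.PSObject.Properties) {
            $value = $prop.Value
            if ($null -ne $value -and $value -isnot [string] -and $value -is [System.Collections.IEnumerable]) {
                # ToString() each element: enum members become their names, not their integer values,
                # and a List`1 becomes "FullAccess;ReadPermission" rather than its type name.
                $flat[$prop.Name] = (@($value) | ForEach-Object { $_.ToString() }) -join $Separator
            }
            else {
                $flat[$prop.Name] = $value
            }
        }
        [pscustomobject] $flat
    }
}

# Constructed sample rows standing in for Get-EXOMailboxPermission output (not real tenant data).
$sample = @(
    [pscustomobject]@{
        Identity = 'Zoë Müller'; User = 'delegate@example.com'
        AccessRights = [System.Collections.Generic.List[string]]@('FullAccess', 'ReadPermission'); IsInherited = $false
    }
    [pscustomobject]@{
        Identity = '山田 太郎'; User = 'NT AUTHORITY\SELF'
        AccessRights = [System.Collections.Generic.List[string]]@('FullAccess'); IsInherited = $false
    }
)

# -Encoding UTF8 is accepted by both Windows PowerShell 5.1 and PowerShell 7; 5.1 writes a BOM, 7 does not.
$sample | ConvertTo-FlatRecord | Export-Csv -Path .\FullAccessPerms.csv -NoTypeInformation -Encoding UTF8
$sample | ConvertTo-FlatRecord | ConvertTo-Json
```

The same helper sits naturally in front of every Export-Csv and ConvertTo-Json in a report pipeline; the issue's output ("System.Collections.Generic.List`1[...]" in CSV, `[1]` in JSON) is exactly what a list property looks like when it is serialized without this step.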

Update release notes and requirements - this only runs on Windows platform!

Hi!
Thanks for a great and comprehensive tool, but please add a note to the release notes (readme) that this can only be run on Windows PowerShell.
I tried to run this on macOS Mojave as well as Fedora (all modules installed in pwsh) but still end up with this error:

Import-Module: Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.

Based on my little search, System.Windows.Forms is not and will not be a part of PowerShell Core. Or the script needs to be completely rewritten to use Az instead of AzureAD.

Thank you.

Tests list and permissions

Hi
I would like to know on which source the listed checks (AD & O365) are based, and if there is an option to grant a lower privilege than Global Admin (for example Global Reader) and still have the same results as with the Global Admin privilege.

BR

Required modules will NOT be installed automatically

With line 1 as it currently is,
#Requires -Module ExchangeOnlineManagement,AzureAD
if you don't have the modules already installed, the script's execution fails with the following error:

.\Get-CRTReport.ps1 : The script 'Get-CRTReport.ps1' cannot be run because the following modules that are specified by the "#requires" statements of the script are missing: ExchangeOnlineManagement.
At line:1 char:1
+ .\Get-CRTReport.ps1
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Get-CRTReport.ps1:String) [], ScriptRequiresException
    + FullyQualifiedErrorId : ScriptRequiresMissingModules

Commenting out or removing the first line resolves the issue.
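
This issue and the earlier one about admin rights for missing modules have a shared cause: a `#Requires -Module` line is evaluated before the script body runs, so it can only refuse to start and can never install anything, and an unscoped Install-Module then needs elevation on Windows PowerShell 5.1. The following is an added example, not CRT code, of the prerequisite check that replaces that line: it installs anything missing into the current user's module path, with no elevation, and then imports it. It assumes PSGallery is the registered repository the modules come from.

```powershell
# Added example, not CRT project code. Replaces a top-of-script #Requires -Module line with a
# check that installs missing modules for the current user (no elevation needed) and imports them.
# Assumes PSGallery is reachable as a registered repository.

$requiredModules = @('ExchangeOnlineManagement', 'AzureAD')

# PowerShell Gallery only accepts TLS 1.2; Windows PowerShell 5.1 does not enable it by default.
if ($PSVersionTable.PSEdition -eq 'Desktop') {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
}

foreach ($name in $requiredModules) {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        Write-Host "[*] $name not found; installing for the current user"
        # -Scope CurrentUser writes under the user's profile, so no administrator rights are needed.
        Install-Module -Name $name -Scope CurrentUser -Repository PSGallery -Force -ErrorAction Stop
    }
    Import-Module -Name $name -ErrorAction Stop
    Write-Host ("[+] {0} {1} loaded" -f $name, (Get-Module -Name $name).Version)
}
```

For a tool that will run with Global Admin or Global Reader rights, pinning each module with `-RequiredVersion` (and checking the published version list first) is preferable to pulling whatever PSGallery currently serves.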

SendAsGranted - mistype in variable name??

Apologies, I'm new to this.
Is there a mistype on line 1085:

$DelegatesSendPerms += Get-EXOMailbox -ResultSize Unlimited | Where-Object {$_.GrantSendOnBehalfTo -ne $null}

should it be: '$Delegate...' and NOT '$Delegates...' (there seems to be an extra 's')

If I've screwed up reporting this, I'm sorry
Kind regards
Lars

Getting ShowBanner error try to run

Windows 10 > Run As Admin > Same error connecting to Connect-ExchangeOnline

PS C:\WINDOWS\system32> $UserCredential = Get-Credential
PS C:\WINDOWS\system32> Connect-MsolService -credential $usercredential
PS C:\WINDOWS\system32> cd d:\temp
PS D:\temp> .\Get-CRTReport.ps1
[2020-12-26 23:38:04Z] - Checking for PowerShell module prerequisites
NOTE: Using default authentication. This method will prompt you for login credentials 3 times.
[2020-12-26 23:38:09Z] - Beginning authentication
[2020-12-26 23:38:09Z] - Authenticating to Exchange Online
A parameter cannot be found that matches parameter name 'ShowBanner'.
At D:\temp\Get-CRTReport.ps1:406 char:9
+     throw $_.Exception.Message
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (A parameter can...e 'ShowBanner'.:String) [], RuntimeException
    + FullyQualifiedErrorId : A parameter cannot be found that matches parameter name 'ShowBanner'.

RemotePowerShell Users total is incorrect

The report just stores the result of Get-Users -ResultSize Unlimited and then outputs the count as being the enabled total in the summary report
There's no filter of the dataset where RemotePowerShellEnabled -eq $True
It also includes Guest accounts and disabled accounts so should these be disregarded or counted separately?
Maybe the mail recipient type would be useful in the output csv
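
What the corrected count looks like, as an added example rather than CRT code: only accounts with RemotePowerShellEnabled set are counted, disabled accounts and guests are broken out separately, and the recipient type goes into the CSV as the issue suggests. It assumes an active Connect-ExchangeOnline session and the documented Get-User output properties (RemotePowerShellEnabled, AccountDisabled, RecipientTypeDetails).

```powershell
# Added example, not CRT project code. Counts only users who can actually open a remote
# PowerShell session, separates disabled accounts and guests, and keeps the recipient type.
# Assumes an active Connect-ExchangeOnline session.

$users      = @(Get-User -ResultSize Unlimited)
$rpsEnabled = @($users | Where-Object { $_.RemotePowerShellEnabled -eq $true })

$summary = [pscustomobject]@{
    AllUsers                  = $users.Count
    RemotePowerShellEnabled   = $rpsEnabled.Count
    RpsEnabledAccountDisabled = @($rpsEnabled | Where-Object { $_.AccountDisabled }).Count
    RpsEnabledGuests          = @($rpsEnabled | Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' }).Count
    # The number that matters for the summary: enabled, non-guest accounts that can reach the admin API.
    RpsEnabledActiveMembers   = @($rpsEnabled | Where-Object {
                                    -not $_.AccountDisabled -and $_.RecipientTypeDetails -ne 'GuestMailUser' }).Count
}
$summary | Format-List

$rpsEnabled |
    Select-Object DisplayName, UserPrincipalName, RecipientType, RecipientTypeDetails, AccountDisabled, RemotePowerShellEnabled |
    Export-Csv -Path .\RemotePowerShellUsers.csv -NoTypeInformation -Encoding UTF8

# Breakdown by recipient type, which is usually the quickest way to spot unexpected entries.
$rpsEnabled | Group-Object RecipientTypeDetails | Select-Object Name, Count | Sort-Object Count -Descending
```

Because RemotePowerShellEnabled is on by default for every user, the active-member figure tends to equal the user count in tenants that have never restricted it; the useful follow-up is to compare that list against the set of accounts that actually need Exchange Online PowerShell.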

Characters not allowed

Hey all, when I try to run the script I receive two main errors, logged several times throughout.

Examples:

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as
part of a string.
At C:\CRT\Get-CRTReport.ps1:197 char:190
+ ... ata-ga-click="(Logged out) Header, go to Features">Features <span cla ...

The '<' operator is reserved for future use.
At C:\CRT\Get-CRTReport.ps1:197 char:261
+ ... ="Bump-link-symbol float-right text-normal text-gray-light">&rarr;</s ...
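
The parse errors in this issue and in "Get-CRTReport.ps1 errors" above quote GitHub page markup (`data-ga-click="(Logged out) Header, ..."`, `&rarr;`), which is what ends up on disk when the HTML view of the file is saved instead of the raw file; the "Parm issues" output, where every source line is preceded by a number, is consistent with text copied from a numbered view. The "Sign the Script" request is the other half of the same concern: knowing the file you are about to run is the file the project published. The following is an added example, not CRT code, of a pre-flight check that parses the script without executing it and reports its SHA-256 and Authenticode status. Test-DownloadedScript is a helper name introduced here, and $ExpectedSha256 is an assumed, caller-supplied value to compare against a hash obtained from a trusted source; Get-AuthenticodeSignature is Windows-only, which matches the tool itself.

```powershell
# Added example, not CRT project code. Pre-flight checks for a downloaded copy of a script:
# detects an HTML page or line-numbered text saved as .ps1, parses the file without running it,
# and reports SHA-256 plus Authenticode status so the file can be compared with a published
# hash or signature. $ExpectedSha256 is an assumed, caller-supplied value.

function Test-DownloadedScript {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $ExpectedSha256
    )

    $headLines        = @(Get-Content -Path $Path -TotalCount 10)
    $looksLikeHtml    = ($headLines -join "`n") -match '<!DOCTYPE html|<html'
    # A real script rarely starts three of its first ten lines with a bare number.
    $looksNumbered    = @($headLines | Where-Object { $_ -match '^\s*\d+\s+\S' }).Count -ge 3

    # Static parse only: nothing in the file is executed here.
    $tokens = $null; $parseErrors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$parseErrors)
    $parseErrorCount = @($parseErrors).Count

    $hash        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashMatches = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpperInvariant() } else { $null }
    $sig         = Get-AuthenticodeSignature -FilePath $Path   # Status is NotSigned for an unsigned script

    $integrityOk = ($sig.Status -eq 'Valid') -or ($hashMatches -eq $true)

    [pscustomobject]@{
        Path            = $Path
        LooksLikeHtml   = $looksLikeHtml
        LooksNumbered   = $looksNumbered
        ParseErrorCount = $parseErrorCount
        FirstParseError = if ($parseErrorCount) { $parseErrors[0].Message } else { $null }
        Sha256          = $hash
        HashMatches     = $hashMatches
        SignatureStatus = $sig.Status
        SignerSubject   = $sig.SignerCertificate.Subject
        SafeToRun       = (-not $looksLikeHtml) -and (-not $looksNumbered) -and ($parseErrorCount -eq 0) -and $integrityOk
    }
}

Test-DownloadedScript -Path .\Get-CRTReport.ps1 | Format-List
```

SafeToRun stays false for an unsigned script unless a hash is supplied and matches, so for an unsigned release the hash has to come from somewhere other than the download itself (a release note, a commit, a colleague's copy). If the project does start signing the script, Set-AuthenticodeSignature on their side is what turns SignatureStatus into Valid here.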
