-
-
Notifications
You must be signed in to change notification settings - Fork 2
Running Osprey
The bulk of Osprey can be ran with 3 commands.
Start Osprey initializes the Osprey session. It will automatically prompt you to do the following:
- Consent to the EULA (Should do this once per install. If this is not the behavior, please open an Issue!)
- Connect to Exchange Online and Microsoft Graph PowerShell
- Set the path that you wish Osprey to put files into
- Choose the investigation range
If everything has gone well, Osprey should be initialized and ready to run more commands.
If you rerun Start-Osprey in the same PowerShell session, you will be given some options for reinitialization. This feature is helpful if you need to adjust your investigation time range, or investigate another tenant.
After Osprey is initialized, you can run the above command. It will gather various information about the tenant configuration and any recent, notable activity. Here is the information that the default tenant investigation gathers.
- Get-OspreyTenantConfiguration
- Audit Log configuration, organization configuration, transport configuration, domains, transport rules
- Get-OspreyTenantEDiscoveryDetails
- eDiscovery-enabled roles, users, and groups, eDiscovery searches made during investigation period
- Get-OspreyTenantExchangeLogs
- Created, Edited, and Deleted Inbox Rules (including suspicious ones), and forwarding, mailbox permission, impersonation, and RBAC changes
- Get-OspreyTenantDomainActivity
- Any changes to domains within the tenant
- Get-OspreyTenantAppsAndConsents
- Any application consent or registration activity, and any applications within the tenant that are potentially suspicious
- Get-OspreyTenantLinkUsage
- Any OneDrive or SharePoint sharing link usage, anonymous link usage, and link usage to potentially sensitive files/information
- Get-OspreyTenantAdmins
- Entra and Exchange administrators
- Get-OspreyTenantEntraUsers
- All user accounts within tenant, any users created during investigation period
There are two additional commands you can run that may provide more information. They are additional as they can potentially take a long time to run.
- Get-OspreyTenantInboxRules
- Gets inbox rules for all users within the tenant, flags any suspicious rules
- Search-OspreyTenantActivityByIP
- Use with the
-ipaddress xxx.xxx.xxx.xxxflag - Gets login activity for all users that comes from the provided IP address
- Use with the
Running the above command alone will allow you to investigate as many users at a time as you want, by prompting you for their UPN.
You can also investigate a user with the flag -UserPrincipalName user@domain.com.
The -UserPrincipalName option can also be used with an additional command to obtain users based on some attribute, such as by going Start-OspreyUserInvestigation -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"}). I suggest that you do not scope your filter too wide, though, or you will run into issues.
Once the command is running, here is the information it gathers.
- Get-OspreyUserConfiguration
- Mailbox information and statistics, autoreply and forwarding information
- Get-OspreyUserInboxRule
- Inbox rules, including flagging suspicious inbox rules, hidden inbox rules, and sweep rules
- Get-OspreyUserAuthHistory
- Uses IP geolocation API key to match authentication activities to City and Country
- Get-OspreyUserEmailActivity
- Email activity including Update, Delete, and Create records
- Get-OspreyUserMessageTrace
- Sent mail the last 10 days
- Get-OspreyUserDevices
- Mobile and Entra registered/joined devices, flags any created during investigation period
- Get-OspreyUserFileAccess
- All files accessed during investigation period, including flagging any files that may be sensitive, sharing and anonymous links as well