References:
https://practical365.com/how-to-install-the-hawk-powershell-module/?sfw=pass1617211926
https://cloudforensicator.com/documentation
https://github.com/T0pCyber/hawk
Global Admin permissions required.
PS> install-module Hawk
If you plan on doing other things than a HawkTenant or HawkUser investigation, you can set the correct parameters with Initialize-HawkGlobalObject, which will gather your credentials and other parameters.
PS> start-hawktenantinvestigation
When it asks for a directory to output to, include a trailing slash or it won't accept it. Enter credentials when asked. Look at _Investigate.txt first.
PS> Get-HawkTenantAzureADUsers
PS> Get-HawkTenantAZAdmins
To investigate a user
PS> Start-HawkUserInvestigation -userprincipalname user@domain.local 
To investigate an IP
PS> Get-HawkUserAuthHistory -UserPrincipalName (Get-EXOMailbox) | where {$_.auditdata -like "*148.251.1.3*"}
PS> Get-HawkUserMailboxAuditing -UserPrincipalName (Get-EXOMailbox) | where {$_.ClientIPAddress -eq '148.251.1.3'}
Takes about 5 minutes per user.
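The -like "*148.251.1.3*" filter above also matches 148.251.1.30 through 148.251.1.39 and any record where that string appears in another field. The following is an added example (not from these notes or the Hawk project) that parses the AuditData JSON of each record and matches the client IP exactly against a list of IPs of interest. It assumes the records carry an AuditData property shaped like Search-UnifiedAuditLog output (a JSON string with ClientIP, UserId, Operation, ResultStatus and CreationTime), which is what Get-HawkUserAuthHistory is built on; the sample records at the bottom are constructed for the demonstration.

```powershell
# Added example (not from the original notes or the Hawk project): match UAL sign-in
# records against a list of IPs by parsing the AuditData JSON instead of wildcard-matching
# the raw string. Assumes records with an AuditData property (JSON string or already-parsed
# object) holding ClientIP, UserId, Operation, ResultStatus and CreationTime.

function Find-SignInsFromIP {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,     # object with an AuditData property
        [Parameter(Mandatory)] [string[]] $IPAddress            # exact IPs to match
    )
    begin {
        $lookup = @{}
        foreach ($ip in $IPAddress) { $lookup[$ip] = $true }
    }
    process {
        # AuditData is normally a JSON string; accept an already-expanded object as well
        try {
            $data = if ($Record.AuditData -is [string]) { $Record.AuditData | ConvertFrom-Json } else { $Record.AuditData }
        }
        catch { Write-Warning "Skipping record with unparsable AuditData"; return }

        # ClientIP may carry a port suffix (148.251.1.3:52314) or IPv6 brackets; strip them
        $ip = "$($data.ClientIP)" -replace '^\[(.*)\](:\d+)?$', '$1' -replace '^(\d{1,3}(\.\d{1,3}){3}):\d+$', '$1'

        # Exact lookup: unlike -like "*148.251.1.3*", this does not also hit 148.251.1.30-39
        if ($lookup.ContainsKey($ip)) {
            [pscustomobject]@{
                CreationTime = $data.CreationTime
                UserId       = $data.UserId
                ClientIP     = $ip
                Operation    = $data.Operation
                ResultStatus = $data.ResultStatus
            }
        }
    }
}

# Constructed sample records standing in for Get-HawkUserAuthHistory output.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2022-05-01T08:12:00","UserId":"alice@domain.local","ClientIP":"148.251.1.3","Operation":"UserLoggedIn","ResultStatus":"Success"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2022-05-01T08:15:00","UserId":"bob@domain.local","ClientIP":"148.251.1.30:51234","Operation":"UserLoggedIn","ResultStatus":"Success"}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2022-05-01T09:02:00","UserId":"carol@domain.local","ClientIP":"148.251.1.3","Operation":"UserLoginFailed","ResultStatus":"Failed"}' }
)

# Only alice's and carol's records match; bob's 148.251.1.30 is a different host.
$sample | Find-SignInsFromIP -IPAddress '148.251.1.3' | Format-Table -AutoSize

# Against a live tenant (after Initialize-HawkGlobalObject):
# Get-HawkUserAuthHistory -UserPrincipalName (Get-EXOMailbox) | Find-SignInsFromIP -IPAddress '148.251.1.3'
```

Because the match is a hashtable lookup, the same pass can check dozens of IPs from a threat-intel list at no extra cost, and the output keeps the failed logons (ResultStatus) so password-spray attempts from the IP are visible alongside successful sign-ins.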
Here are some suggested Hawk commands. In the Tenant folder is a file called AzureADUsers.csv; cd into the Tenant folder and run this command:
PS> (import-csv AzureADUsers.csv).UserPrincipalName | add-content users.txt
This will create a file called users.txt with one user per line. Using this file, run this command:
PS> Get-content users.txt | %{ Get-HawkUserAuthHistory -UserPrincipalName $_ }
This will process each user in turn. If it crashes or you need to start over, look in the Hawk directory for the last user processed, delete everything in users.txt up to that user, and rerun the Get-content command above; it will pick up where it left off.
PS> Initialize-HawkGlobalObject
Run Start-HawkUserInvestigation against key users, looking for any sign of compromise, with the intention of enabling them if clean. Note: when you start running commands that return many results, Microsoft might throttle your requests. To get login data, run:
PS> Get-HawkUserAuthHistory -UserPrincipalName (Get-EXOMailbox)
If mailbox auditing is enabled and UserAuthHistory is not: note this takes about 5 minutes per user (with 1500 users, about 7 days).
PS> Get-HawkUserMailboxAuditing -UserPrincipalName (Get-EXOMailbox)
Because this takes so long, I recommend creating a text file with the UPNs; this file can be edited to remove those already processed if the process must restart (Microsoft seems to have a maximum session length).
PS> (import-csv .\hawk-2022.....\tenant\azureadusers.csv).UserPrincipalName | add-content users.txt
PS> get-content users.txt | %{Get-HawkUserMailboxAuditing -UserPrincipalName $_}
All commands output to the Hawk directory.
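Both the AuthHistory loop and the MailboxAuditing loop above depend on hand-editing users.txt after a crash, throttling or a session timeout. The following is an added example (not from these notes or the Hawk project) that wraps any per-user Hawk cmdlet in a resumable loop: each UPN is appended to a checkpoint file only after its collection succeeds, so a restart skips the completed users automatically, and a failed user is retried with a growing delay before being left for the next run. It assumes Initialize-HawkGlobalObject has already been run in the session; the checkpoint file name is hypothetical.

```powershell
# Added example (not from the original notes or the Hawk project): run a long Hawk
# collection over a list of UPNs with a checkpoint file, so a restart after throttling
# or a session timeout resumes where it left off. Assumes Initialize-HawkGlobalObject
# has been run; the default checkpoint name (users.processed.txt) is hypothetical.

function Invoke-ResumableHawkRun {
    param(
        [Parameter(Mandatory)] [string] $UserListPath,            # one UPN per line
        [Parameter(Mandatory)] [scriptblock] $Action,             # what to run per UPN, receives the UPN as its argument
        [string] $CheckpointPath = [System.IO.Path]::ChangeExtension($UserListPath, '.processed.txt'),
        [int] $RetryCount = 3,
        [int] $RetryDelaySeconds = 120                            # base back-off when a call fails (e.g. throttling)
    )
    $ErrorActionPreference = 'Stop'   # make non-terminating cmdlet errors catchable below

    # Users already recorded in the checkpoint file are skipped on this run
    $done = @{}
    if (Test-Path $CheckpointPath) {
        Get-Content $CheckpointPath | ForEach-Object { $done[$_.Trim().ToLower()] = $true }
    }
    $users = @(Get-Content $UserListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $todo  = @($users | Where-Object { -not $done.ContainsKey($_.ToLower()) })
    Write-Host ("{0} users in list, {1} in checkpoint, {2} remaining" -f $users.Count, $done.Count, $todo.Count)

    foreach ($upn in $todo) {
        $attempt = 0
        while ($true) {
            $attempt++
            try {
                & $Action $upn
                Add-Content -Path $CheckpointPath -Value $upn    # mark done only after success
                break
            }
            catch {
                Write-Warning ("{0}: attempt {1} failed: {2}" -f $upn, $attempt, $_.Exception.Message)
                if ($attempt -ge $RetryCount) {
                    Write-Warning "$upn: giving up; it stays unprocessed and will be retried on the next run"
                    break
                }
                Start-Sleep -Seconds ($RetryDelaySeconds * $attempt)   # linear back-off
            }
        }
    }
}

# Usage, from inside the Hawk output directory after a tenant investigation:
# (Import-Csv .\Tenant\AzureADUsers.csv).UserPrincipalName | Set-Content users.txt
# Invoke-ResumableHawkRun -UserListPath .\users.txt -Action { param($u) Get-HawkUserMailboxAuditing -UserPrincipalName $u }
# Re-running the same line after a crash continues from the first user not yet in users.processed.txt.
```

The same function runs Get-HawkUserAuthHistory or any other per-user cmdlet by changing the -Action scriptblock; keep the checkpoint file with the Hawk output so the evidence set and the record of what was collected stay together.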
PS> Connect-AzureAD
To get a list of Azure users (a csv with this information is created with a tenant investigation, but that csv will not include users not on email):
PS> (Get-AzureADUser -all).userPrincipalName | add-content azureusers.txt
To disable all users:
PS> get-content azureusers.txt | % {Set-AzureADUser -ObjectID $_ -AccountEnabled $false}
To revoke all Sessions
PS> get-content azureusers.txt | % {Get-AzureADUser -SearchString $_ | Revoke-AzureADUserAllRefreshToken}
or using the AzureAdUsers.csv created with a tenant investigation
PS> (import-csv azureadusers.csv).userPrincipalName | % {Get-AzureADUser -SearchString $_ | Revoke-AzureADUserAllRefreshToken}
To get all MSOL users and password information. By default only 500 are returned; depending on the number of accounts you might have to use -MaxResults (the commands below use -All).
PS> Connect-MsolService
PS> Get-MsolUser -All | Select DisplayName,UserPrincipalName,LastPasswordChangeTimeStamp,PasswordNeverExpires | export-csv -notype msolusers.csv
List all Office 365 users' last password change date:
PS> Connect-MsolService (if you have not connected already)
PS> Get-MsolUser -All | Select DisplayName,UserPrincipalName,LastPasswordChangeTimeStamp | export-csv -notype lastPassUpdate.csv
Use the command below to list all users whose last password change was more than 90 days ago:
PS> Get-MsolUser -All | Where {$_.LastPasswordChangeTimeStamp -lt ([System.DateTime]::Now).AddDays(-90)} | Sort-Object LastPasswordChangeTimeStamp -Descending | Select DisplayName,LastPasswordChangeTimeStamp | export-csv -notype lastPassUpdate.csv
List New Users in Msol in last 90 days
PS> Get-MsolUser -all | where {$_.WhenCreated -gt ([System.DateTime]::Now).AddDays(-90)} | select WhenCreated,UserPrincipalName,DisplayName,UserType,LastPasswordChangeTimestamp | export-csv -notype NewMsolUsers.csv
List users with PasswordNeverExpires set:
PS> get-msoluser -all | where {$_.PasswordNeverExpires -eq $true} | export-csv -notype PasswordNeverExpires.csv
To see everything get-msoluser returns for a user (replace user@domain.local with the UPN):
PS> get-msoluser -UserPrincipalName user@domain.local | fl
Create a text file with the email addresses of accounts you wish to kill sessions
PS> get-content emailaddress.txt | % {Get-AzureADUser -SearchString $_ | Revoke-AzureADUserAllRefreshToken}
Or, to reset all sessions for the members of a group, first get the group's ObjectId:
PS> Get-MsolGroup -SearchString "groupname" | fl ObjectId
Next, export the users of the group to a csv:
PS> Get-MsolGroupMember -GroupObjectId xxxxx-xxxxx-xxxxx-xxxxx | Select-Object EmailAddress | Export-Csv -Path c:\temp\users.csv
Import the csv and revoke the refresh token for these users:
PS> Import-CSV "c:\temp\users.csv" | % {Get-AzureADUser -SearchString $_.emailaddress | Revoke-AzureADUserAllRefreshToken}
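The disable and revoke one-liners above look users up with -SearchString, which does prefix matching on display name and UPN and can return more than one account. The following is an added example (not from these notes) that does the same containment in one pass but resolves each UPN with -ObjectId, which accepts a UPN and returns exactly that account, supports -WhatIf so the list can be reviewed before anything changes, and writes a CSV log of what was done to which ObjectId. It assumes Connect-AzureAD has been run; the log file name is hypothetical, and the EmailAddress alias lets the group csv from the previous step be piped straight in.

```powershell
# Added example (not from the original notes): disable accounts and revoke their refresh
# tokens in one pass, resolving each UPN exactly with -ObjectId rather than -SearchString.
# Assumes Connect-AzureAD has been run; the log path is hypothetical.

function Invoke-AccountContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Accepts plain UPN strings (Get-Content) or objects with an EmailAddress/UserPrincipalName column (Import-Csv)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('EmailAddress')]
        [string] $UserPrincipalName,
        [switch] $KeepEnabled,                     # revoke sessions only, leave the account enabled
        [string] $LogPath = '.\containment-log.csv'
    )
    process {
        $upn = $UserPrincipalName.Trim()
        if (-not $upn) { return }
        try {
            $user = Get-AzureADUser -ObjectId $upn  # exact match by UPN or object id, never a prefix search
        }
        catch {
            Write-Warning "$upn not found in Azure AD: $($_.Exception.Message)"
            return
        }

        $actions = @()
        if (-not $KeepEnabled -and $PSCmdlet.ShouldProcess($upn, 'Disable account')) {
            Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
            $actions += 'Disabled'
        }
        if ($PSCmdlet.ShouldProcess($upn, 'Revoke all refresh tokens')) {
            Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
            $actions += 'TokensRevoked'
        }

        # Record what was done so the containment can be reviewed and reversed later
        if ($actions) {
            [pscustomobject]@{
                Timestamp         = (Get-Date).ToString('o')
                UserPrincipalName = $user.UserPrincipalName
                ObjectId          = $user.ObjectId
                Actions           = $actions -join ';'
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Dry run first (prints what would happen, changes nothing), then for real:
# Get-Content emailaddress.txt | Invoke-AccountContainment -WhatIf
# Get-Content emailaddress.txt | Invoke-AccountContainment
# Import-Csv c:\temp\users.csv | Invoke-AccountContainment -KeepEnabled
```

Revoking refresh tokens does not invalidate access tokens that were already issued; those keep working until they expire (typically within an hour), which is why disabling the account as well is the stronger containment step when the situation allows it.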
Before using these commands, if you have not run Start-HawkUserInvestigation or Start-HawkTenantInvestigation, run Initialize-HawkGlobalObject to get connected.
PS> Get-HawkUserInboxRule -UserPrincipalName (get-mailbox)
PS> Get-HawkUserEmailForwarding -UserPrincipalName (get-mailbox)
PS> Get-HawkUserAutoReply -UserPrincipalName (get-mailbox)
These get data for all users (get-mailbox). You can instead feed them a list of those you are interested in, e.g.
PS> cat users.txt | %{Get-HawkUserInboxRule -UserPrincipalName $_}
where users.txt contains one user per line, or for a few users just list them on the command line separated by commas.
To see all the Hawk commands, run help Hawk on the PS command line after installing Hawk:
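The three Hawk cmdlets above export the rules and forwarding settings; what remains is reading through them. The following is an added example (not from these notes or Hawk) that triages inbox rules for the configurations that most often indicate a compromised mailbox: forwarding or redirecting to an address outside the tenant's domains, deleting or marking mail as read, moving it into rarely-viewed folders, and rules with blank or punctuation-only names. It works on the objects the Exchange Online cmdlet Get-InboxRule returns (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead, MailboxOwnerId); the accepted-domain list and the sample rules are constructed for the demonstration.

```powershell
# Added example (not from the original notes or the Hawk project): flag inbox rules with
# the patterns that commonly indicate mailbox compromise. Works on Get-InboxRule objects;
# the sample rules and the domain list below are constructed.

function Get-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string[]] $AcceptedDomain      # the tenant's own domains
    )
    process {
        $reasons = @()

        # Forward/redirect targets look like '"Name" [SMTP:user@example.org]'; pull out the address
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ } |
            ForEach-Object { if ("$_" -match '([\w.+-]+@[\w.-]+)') { $Matches[1] } else { "$_" } }
        foreach ($t in $targets) {
            $domain = ($t -split '@')[-1]
            if ($AcceptedDomain -notcontains $domain) { $reasons += "forwards to external address $t" }
        }

        if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ("$($Rule.MoveToFolder)" -match 'RSS|Archive|Junk|Conversation History|Deleted') {
            $reasons += "moves mail to $($Rule.MoveToFolder)"
        }
        if ($Rule.MarkAsRead) { $reasons += 'marks messages as read' }
        if (-not "$($Rule.Name)".Trim() -or "$($Rule.Name)" -match '^[.,\s]+$') {
            $reasons += 'blank or punctuation-only rule name'
        }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules standing in for Get-InboxRule output: the first is a normal
# internal rule, the second shows the classic post-compromise pattern.
$rules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@domain.local'; Name = 'Invoices'; Enabled = $true
                       ForwardTo = @('"Finance" [SMTP:finance@domain.local]'); ForwardAsAttachmentTo = $null; RedirectTo = $null
                       DeleteMessage = $false; MoveToFolder = $null; MarkAsRead = $false },
    [pscustomobject]@{ MailboxOwnerId = 'bob@domain.local'; Name = '.'; Enabled = $true
                       ForwardTo = @('"x" [SMTP:drop@attacker.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null
                       DeleteMessage = $true; MoveToFolder = 'bob@domain.local:\RSS Feeds'; MarkAsRead = $true }
)

# Only bob's rule is reported, with four reasons.
$rules | Get-SuspiciousInboxRule -AcceptedDomain 'domain.local' | Format-List

# Live, for the same users.txt used above (Exchange Online session required):
# Get-Content users.txt | ForEach-Object { Get-InboxRule -Mailbox $_ } | Get-SuspiciousInboxRule -AcceptedDomain 'domain.local'
```

Disabled rules are still reported, since an attacker's rule that was merely switched off rather than deleted is worth knowing about; filter on Enabled afterwards if only active rules are wanted.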
PS> help Hawk
To see all the msol commands, run help msol on the PS command line after installing Hawk:
PS> help msol
To see all the AzureAD commands, run help AzureAD after installing Hawk:
PS> help AzureAD
PS> Connect-AzureAD
Name                                       Synopsis
Get-HawkMessageHeader                      Gathers the header from an msg file and prepares a report
Get-HawkTenantAppAndSPNCredentialDetails   Tenant Azure Active Directory Applications and Service Principal credential details export. Must be connected to Azure AD using the Connect-AzureAD cmdlet
Get-HawkTenantAuthHistory                  Gathers 48 hours' worth of Unified Audit logs. Pulls everything into a CSV file.
Get-HawkTenantAZAdmins                     Tenant Azure Active Directory Administrator export. Must be connected to Azure AD using the Connect-AzureAD cmdlet
Get-HawkTenantAzureADUsers                 This function will export all the Azure Active Directory users.
Get-HawkTenantAzureAuditLog                Gathers common data about a tenant.
Get-HawkTenantConfiguration                Gathers basic tenant configuration and saves the output to a text file
Get-HawkTenantConsentGrants                Gathers application grants
Get-HawkTenantEDiscoveryConfiguration      Looks for users that have e-discovery rights. Finds any roles that have access to key e-discovery cmdlets and outputs the users who have those rights
Get-HawkTenantEXOAdmins                    Exchange Online Administrator export. Must be connected to Exchange Online using the Connect-EXO cmdlet
Get-HawkTenantInboxRules                   Gets inbox rules and forwarding directly from all mailboxes in the org.
Get-HawkTenantMailItemsAccessed            This will export MailboxItemsAccessed operations from the Unified Audit Log (UAL). Must be connected to Exchange Online...
Get-HawkTenantRBACChanges                  Looks for any changes made to Role Based Access Control
Get-HawkUserAdminAudit                     Searches the EXO audit logs for any commands that were run against the provided user object.
Get-HawkUserAuthHistory                    Gathers IP addresses that logged into the user account
Get-HawkUserAutoReply                      Pulls AutoReply configuration for the specified user.
Get-HawkUserConfiguration                  Gathers baseline information about the provided user.
Get-HawkUserEmailForwarding                Pulls mail forwarding configuration for a specified user.
Get-HawkUserHiddenRule                     Pulls inbox rules for the specified user using EWS.
Get-HawkUserInboxRule                      Exports inbox rules for the specified user.
Get-HawkUserMailboxAuditing                Gathers Mailbox Audit data if enabled for the user.
Get-HawkUserMessageTrace                   Pulls the last 7 days of message trace data for the specified user.
Get-HawkUserMobileDevice                   Gathers mobile devices that are connected to the account
Get-HawkUserPWNCheck                       Checks an email address against haveibeenpwned.com
Initialize-HawkGlobalObject                Creates global variable $Hawk for use by all Hawk cmdlets.
Search-HawkTenantActivityByIP              Gathers logon activity based on a submitted IP address.
Search-HawkTenantEXOAuditLog               Searches the admin audit logs for possible bad actor activities
Show-HawkHelp                              Shows Hawk help and creates the Hawk_Help.txt file
Start-HawkTenantInvestigation              Gathers common data about a tenant.
Start-HawkUserInvestigation                Gathers common data about a provided user.
Update-HawkModule                          Hawk upgrade check
The Exchange Online module allows access to all existing remote PowerShell (V1) cmdlets in addition to the 9 new, faster, and more reliable cmdlets.
Old Cmdlets                     New/Reliable/Faster Cmdlets
Get-CASMailbox                  Get-EXOCASMailbox
Get-Mailbox                     Get-EXOMailbox
Get-MailboxFolderPermission     Get-EXOMailboxFolderPermission
Get-MailboxFolderStatistics     Get-EXOMailboxFolderStatistics
Get-MailboxPermission           Get-EXOMailboxPermission
Get-MailboxStatistics           Get-EXOMailboxStatistics
Get-MobileDeviceStatistics      Get-EXOMobileDeviceStatistics
Get-Recipient                   Get-EXORecipient
Get-RecipientPermission         Get-EXORecipientPermission
To get additional information, run: Get-Help Connect-ExchangeOnline
Further reading:
https://o365blog.com/post/phishing/
https://0xboku.com/2021/07/12/ArtOfDeviceprePhish.html