Description
Describe the bug
I'm encountering an issue with the New-MgSecurityAttackSimulation cmdlet in the Microsoft Graph PowerShell SDK. While I am able to initiate the attack simulation, it fails to complete successfully. This issue persists across multiple attempts and environments, with the following details:
Expected behavior
When using the New-MgSecurityAttackSimulation cmdlet to create an attack simulation in Microsoft Defender, I expect the following behavior:
- The cmdlet should return a 202 Accepted status, indicating the simulation has been successfully queued for processing.
- The simulation should then transition from a "pending" state to "in progress" and ultimately to "completed" or another final status within a reasonable timeframe.
- The simulation details, such as ID, status, and completion details, should be accessible, and the simulation should be visible in the Microsoft Defender portal.
In short, after running the command, I expect the simulation to complete successfully and provide feedback on its status, indicating whether it was created and executed as configured.
How to reproduce
Sample PowerShell code to create an attack simulation
$params = @{
    displayName = "Test Simulation"
    "payload@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/{payload-id}"
    "loginPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/{loginPage-id}"
    "landingPage@odata.bind" = "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/{landingPage-id}"
    attackTechnique = "credentialHarvesting"
    durationInDays = 2
    status = "scheduled"
    createdBy = @{
        email = "[email protected]"
    }
    includedAccountTarget = @{
        "@odata.type" = "#microsoft.graph.addressBookAccountTargetContent"
        type = "addressBook"
        accountTargetEmails = @("[email protected]")
    }
    trainingSetting = @{
        settingType = "noTraining"
    }
}
Execute the attack simulation creation
$result = New-MgSecurityAttackSimulation -BodyParameter $params -Verbose -Debug
SDK Version
2.24.0
Latest version known to work for scenario above?
2.09.0
Known Workarounds
No workaround exists. Nothing works.
Debug output
HTTP Method: POST
Absolute Uri: https://graph.microsoft.com/v1.0/security/attackSimulation/simulations
Headers:
- FeatureFlag : 00000043
- Cache-Control : no-store, no-cache
- User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22631; de-CH),PowerShell/7.4.6
- SdkVersion : graph-powershell/2.24.0
Body:
{
  "landingPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/landingPages/zensored",
  "payload@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/payloads/zensored",
  "loginPage@odata.bind": "https://graph.microsoft.com/v1.0/security/attacksimulation/loginPages/zensored",
  "attackTechnique": "credentialHarvesting",
  "displayName": "Test49",
  "createdBy": {
    "email": "zensored"
  },
  "includedAccountTarget": {
    "@odata.type": "#microsoft.graph.addressBookAccountTargetContent",
    "accountTargetEmails": ["zensored@zensored"],
    "type": "addressBook"
  },
  "trainingSetting": {
    "settingType": "noTraining"
  }
}
Response:
Status Code: Accepted
Location: https://graph.microsoft.com/v1.0/security/attackSimulation/operations/108655aa-36ba-4618-9f2e-6c3782d2cd25
Configuration
PSVersion 7.4.6
PSEdition Core
GitCommitId 7.4.6
OS Microsoft Windows 10.0.22631
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Other information
No response
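
The 202 response above only confirms that the request was queued; the Location header points at a long-running operation that reports what happened next. The following is an added example, not code from the issue author or the SDK project, that polls that operation until it reaches a final state. The helper name `Wait-AttackSimulationOperation` is hypothetical, and the script assumes `Connect-MgGraph` has already been run with permission to read attack simulation data and that the operation reports the `status`, `percentageCompleted`, `statusDetail` and `resourceLocation` properties of Graph's long-running operation type.

```powershell
# Added example: poll the operation URL returned in the Location header of the 202 response.
# Assumption: an authenticated Graph session already exists (Connect-MgGraph).
function Wait-AttackSimulationOperation {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $OperationUri,             # value of the Location response header
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds = 15
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Read the current state of the long-running operation
        $op = Invoke-MgGraphRequest -Method GET -Uri $OperationUri -OutputType PSObject

        Write-Verbose ("{0:u} status={1} percent={2} detail={3}" -f `
            (Get-Date), $op.status, $op.percentageCompleted, $op.statusDetail)

        switch ($op.status) {
            'succeeded' {
                # resourceLocation, when populated, is the URL of the created simulation
                return $op
            }
            'failed' {
                # Surface the service-side reason instead of a silent non-completion
                throw "Operation $($op.id) failed: $($op.statusDetail)"
            }
        }

        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Neither succeeded nor failed within the window: report the last state seen
    throw "Operation $($op.id) still '$($op.status)' after $TimeoutSeconds seconds"
}

# Usage with the operation URL from the debug output in this report
$operation = Wait-AttackSimulationOperation -Verbose `
    -OperationUri 'https://graph.microsoft.com/v1.0/security/attackSimulation/operations/108655aa-36ba-4618-9f2e-6c3782d2cd25'
$operation | Select-Object id, status, percentageCompleted, statusDetail, resourceLocation
```

A `failed` status with a populated `statusDetail` points at the request body, while an operation that never leaves its initial state points at the service or the tenant configuration.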