Add high risk application/service principal permissions into ScubaResults.json #1462

Open: wants to merge 69 commits into base: main
69 commits
470553b
committing these files for version history; initial prototype complet…
mitchelbaker-cisa Nov 1, 2024
b179e7c
get privileged permissions assigned to applications; get federated cr…
mitchelbaker-cisa Nov 5, 2024
c204113
refactor perm mapping into function
mitchelbaker-cisa Nov 5, 2024
8615471
add activityfeed permissions from office 365 management API
mitchelbaker-cisa Nov 6, 2024
3908441
add subset of office 365 for exchange permissions
mitchelbaker-cisa Nov 7, 2024
3d68003
filter out expired certificates/client secrets
mitchelbaker-cisa Nov 8, 2024
388047f
switch to Get-MgBeta endpoints
mitchelbaker-cisa Nov 8, 2024
7417739
switch to Get-MgBeta endpoints
mitchelbaker-cisa Nov 8, 2024
2626c67
add Policy.Read.All permission
mitchelbaker-cisa Nov 8, 2024
b21f84c
address linter; rename function naming
mitchelbaker-cisa Nov 8, 2024
2d808bb
migrate application code and helper fncs from script into AAD provide…
mitchelbaker-cisa Nov 8, 2024
2ffa4aa
begin transitioning sp-script into aad provider; create helper module
mitchelbaker-cisa Nov 15, 2024
3979b0a
determine if app is multitenant enabled; add flag to determine if cre…
mitchelbaker-cisa Nov 16, 2024
8d2072d
create structure to group application/sp objects together; begin repo…
mitchelbaker-cisa Nov 20, 2024
31b8dee
expand riskyPermissions hashmap to include RoleId, RoleDisplayName, a…
mitchelbaker-cisa Nov 22, 2024
8d7bad8
combine duplicate objects; add IsAdminConsented property to riskyperm…
mitchelbaker-cisa Nov 22, 2024
5f8d71d
fix key name for Office 365 SharePoint Online which did not match cor…
mitchelbaker-cisa Nov 22, 2024
db8af2b
add helper function for merging two arrays together, purpose is to co…
mitchelbaker-cisa Nov 23, 2024
33bd8b5
correctly update IsAdminConsented for all permissions; this completes…
mitchelbaker-cisa Nov 23, 2024
9c99412
move aggregated logic into function
mitchelbaker-cisa Nov 23, 2024
2241d91
clean up
mitchelbaker-cisa Nov 23, 2024
bd7c333
add expired creds back into json structure; reformat ObjectId propert…
mitchelbaker-cisa Nov 26, 2024
ab76658
move latest code changes into psm1 file
mitchelbaker-cisa Nov 26, 2024
8681033
successfully run aad provider with risky permissions helper; add Micr…
mitchelbaker-cisa Nov 27, 2024
5f44865
successfully add first/third party risky application/SPs into aad pro…
mitchelbaker-cisa Nov 28, 2024
ea04ed7
create initial pester tests for applications fnc
mitchelbaker-cisa Dec 3, 2024
7f703cc
fix scoping of test
mitchelbaker-cisa Dec 3, 2024
b3dd5db
recreate mock applications from get-mgbetaapplication cmdlet
mitchelbaker-cisa Dec 3, 2024
00e2d18
complete unit tests for risky apps
mitchelbaker-cisa Dec 3, 2024
3f8c1c6
create unit test for risky service principals
mitchelbaker-cisa Dec 3, 2024
f6c0b8b
complete unit tests for risky service principals
mitchelbaker-cisa Dec 4, 2024
a57c28a
create boilerplate tests for first party applications
mitchelbaker-cisa Dec 4, 2024
c69a495
complete unit tests for first party risky apps
mitchelbaker-cisa Dec 4, 2024
318d05c
add unit test for third party risky service principals
mitchelbaker-cisa Dec 4, 2024
2205b68
remove initial prototype script and json files
mitchelbaker-cisa Dec 4, 2024
d846fea
move unit tests into subdirectory
mitchelbaker-cisa Dec 5, 2024
4d12f7a
add unit test for Format-RiskyPermission; modify its logic in cmdlets
mitchelbaker-cisa Dec 5, 2024
4c92e76
add unit test for Format-Credentials
mitchelbaker-cisa Dec 5, 2024
ac63893
add unit tests for Merge-Credentials
mitchelbaker-cisa Dec 5, 2024
0d73607
address linter nagging
mitchelbaker-cisa Dec 5, 2024
834737a
address more ps linter nagging
mitchelbaker-cisa Dec 5, 2024
2fe4201
linter
mitchelbaker-cisa Dec 5, 2024
937e9a7
linter
mitchelbaker-cisa Dec 5, 2024
cb30271
linter
mitchelbaker-cisa Dec 5, 2024
735aac5
linter
mitchelbaker-cisa Dec 5, 2024
35a4a9b
fix path issues with unit test locations; deprecate MockData.ps1 file…
mitchelbaker-cisa Dec 6, 2024
7afe1d9
cleanup psscriptanalyzer exclusions that are unneeded
mitchelbaker-cisa Dec 6, 2024
b653759
wrap cmdlets in .TryCommand(), modify Export-AADProvider.Tests.ps1 ac…
mitchelbaker-cisa Dec 6, 2024
255e531
linter
mitchelbaker-cisa Dec 6, 2024
7b940a2
wrap cmdlets with trycommand(); adjust imports
mitchelbaker-cisa Dec 9, 2024
905b50e
cleanup comments
mitchelbaker-cisa Dec 9, 2024
0513442
improve readability, cleanup
mitchelbaker-cisa Dec 9, 2024
1adf71d
fix linter
mitchelbaker-cisa Dec 9, 2024
a575a5b
cleanup
mitchelbaker-cisa Dec 9, 2024
5fbd402
move PermissionsJson into ScubaConfig
mitchelbaker-cisa Dec 19, 2024
325e2ef
generated report and risky applications/SPs successfully with RiskyPe…
mitchelbaker-cisa Jan 6, 2025
ce914c0
add conditional to determine if a resource/resourcedisplayname exists…
mitchelbaker-cisa Jan 7, 2025
330d7a6
change naming convention of
mitchelbaker-cisa Jan 7, 2025
8ae4f41
add parameter validation before calling risky permissions cmdlets
mitchelbaker-cisa Jan 14, 2025
75ad7ca
rename Get-FirstPartyRiskyApplications to Format-RiskyApplications; f…
mitchelbaker-cisa Jan 14, 2025
31a39f9
fix failing unit tests due to parameter rename
mitchelbaker-cisa Jan 14, 2025
084b604
adjust other unit tests
mitchelbaker-cisa Jan 14, 2025
751fc7d
add Ted's batch prototype into get-riskyserviceprincipals function
mitchelbaker-cisa Jan 14, 2025
12933a6
begin initial mockup of Invoke-MgGraphRequest
mitchelbaker-cisa Jan 16, 2025
d3c57ff
add condition for determining different graph endpoints per environment
mitchelbaker-cisa Jan 18, 2025
187b593
fix unit tests
mitchelbaker-cisa Jan 18, 2025
19189e5
fix all unit tests; added mock function for Invoke-MgGraphRequest
mitchelbaker-cisa Jan 18, 2025
ebc2506
fix all unit tests; added mock function for Invoke-MgGraphRequest
mitchelbaker-cisa Jan 18, 2025
d0c4bac
renamed Get-ThirdPartyRiskyServicePrincipals to Format-ThirdPartyRisk…
mitchelbaker-cisa Jan 24, 2025
75 changes: 75 additions & 0 deletions PowerShell/ScubaGear/Modules/Permissions/RiskyPermissions.json
@@ -0,0 +1,75 @@
{
"resources": {
"00000003-0000-0000-c000-000000000000": "Microsoft Graph",
"00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
"00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
"c5393580-f805-4401-95e8-94b7a6ef2fc2": "Office 365 Management APIs"
},
"permissions": {
"Microsoft Graph": {
"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
"06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
"0e263e50-5827-48a4-b97c-d940288653c7": "Directory.AccessAsUser.All",
"7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
"19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
"025d3225-3f02-4882-b4c0-cd5b541a4e80": "RoleManagement.ReadWrite.Exchange",
"18a4783c-866b-4cc7-a460-3d5e5662c884": "Application.ReadWrite.OwnedBy",
"741f803b-c850-494e-b5df-cde7c675a1ca": "User.ReadWrite.All",
"df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
"405a51b5-8d8d-430b-9842-8be4b0e9f324": "User.Export.All",
"5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
"62a82d76-70ea-41e2-9197-370581804d09": "Group.ReadWrite.All",
"98830695-27a2-44f7-8c18-0c3ebc9698f6": "GroupMember.Read.All",
"dbaae8cf-10b5-4b86-a4a1-f871c94c6695": "GroupMember.ReadWrite.All",
"658aa5d8-239f-45c4-aa12-864f4fc7e490": "Member.Read.Hidden",
"89c8469c-83ad-45f7-8ff2-6e3d4285709e": "ServicePrincipalEndpoint.ReadWrite.All",
"810c84a8-4a9e-49e6-bf7d-12d183f40d01": "Mail.Read",
"6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a": "Mail.ReadBasic",
"693c5e45-0940-467d-9b8a-1022fb9d42ef": "Mail.ReadBasic.All",
"e2a3a72e-5f79-4c64-b1b1-878b674786c9": "Mail.ReadWrite",
"b633e1c5-b582-4048-a93e-9f11b44c7e96": "Mail.Send",
"40f97065-369a-49f4-947c-6a255697ae91": "MailboxSettings.Read",
"6931bccd-447a-43d1-b442-00a195474933": "MailboxSettings.ReadWrite",
"798ee544-9d2d-430c-a058-570e29e34338": "Calendars.Read",
"ef54d2bf-783f-4e0f-bca1-3210c0444d99": "Calendars.ReadWrite",
"089fe4d0-434a-44c5-8827-41ba8a0b17f5": "Contacts.Read",
"6918b873-d17a-4dc1-b314-35f528134491": "Contacts.ReadWrite",
"45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8": "CallRecords.Read.All",
"a2611786-80b3-417e-adaa-707d4261a5f0": "CallRecord-PstnCalls.Read.All",
"01d4889c-1287-42c6-ac1f-5d1e02578ef6": "Files.Read.All",
"75359482-378d-4052-8f01-80520e7db3cd": "Files.ReadWrite.All",
"9492366f-7969-46a4-8d15-ed1a20078fff": "Sites.ReadWrite.All",
"332a536c-c7ef-4017-ab91-336970924f0d": "Sites.Read.All",
"a82116e5-55eb-4c41-a434-62fe8a61c773": "Sites.FullControl.All",
"01c0a623-fc9b-48e9-b794-0756f8e8f067": "Policy.ReadWrite.ConditionalAccess",
"246dd0d5-5bd0-4def-940b-0421030a5b68": "Policy.Read.All"
},
"Office 365 Management APIs": {
"594c1fb6-4f81-4475-ae41-0c394909246c": "ActivityFeed.Read",
"4807a72c-ad38-4250-94c9-4eabfe26cd55": "ActivityFeed.ReadDlp"
},
"Office 365 Exchange Online": {
"dc890d15-9560-4a4c-9b7f-a736ec74ec40": "full_access_as_app",
"798ee544-9d2d-430c-a058-570e29e34338": "Calendars.Read",
"2dfdc6dc-2fa7-4a2c-a922-dbd4f85d17be": "Calendars.Read.All",
"ef54d2bf-783f-4e0f-bca1-3210c0444d99": "Calendars.ReadWrite.All",
"089fe4d0-434a-44c5-8827-41ba8a0b17f5": "Contacts.Read",
"6918b873-d17a-4dc1-b314-35f528134491": "Contacts.ReadWrite",
"e2a3a72e-5f79-4c64-b1b1-878b674786c9": "Mail.ReadWrite",
"810c84a8-4a9e-49e6-bf7d-12d183f40d01": "Mail.Read",
"b633e1c5-b582-4048-a93e-9f11b44c7e96": "Mail.Send",
"d45fa9f8-36e5-4cd2-b601-b063c7cf9ac2": "MailboxSettings.Read",
"f9156939-25cd-4ba8-abfe-7fabcf003749": "MailboxSettings.ReadWrite",
"bf24470f-10c1-436d-8d53-7b997eb473be": "User.Read.All",
"77e65b5a-ceae-48b3-9490-50a86a038a48": "User.ReadBasic.All"
},
"Office 365 SharePoint Online": {
"fbcd29d2-fcca-4405-aded-518d457caae4": "Sites.ReadWrite.All",
"d13f72ca-a275-4b96-b789-48ebcc4da984": "Sites.Read.All",
"678536fe-1083-478a-9c59-b99265e6b0d3": "Sites.FullControl.All",
"741f803b-c850-494e-b5df-cde7c675a1ca": "User.ReadWrite.All",
"df021288-bdef-4463-88db-98f22de89214": "User.Read.All"
}
}
}
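Review bot: the lookup chain in this file goes resource id -> display name (the "resources" map) -> permission table keyed by that display name (the "permissions" map), so any drift in the display-name string breaks the mapping silently; commit 5f8d71d already had to fix exactly that kind of mismatch for "Office 365 SharePoint Online". Keying "permissions" by the resource app id (e.g. "00000003-0000-0000-c000-000000000000") and carrying the display name as a value would remove that fragility. Also worth confirming: the same app role id "ef54d2bf-783f-4e0f-bca1-3210c0444d99" is listed as "Calendars.ReadWrite" under Microsoft Graph and as "Calendars.ReadWrite.All" under Office 365 Exchange Online, while "MailboxSettings.Read" has a different id under each resource; a check of each resource service principal's appRoles would settle which display names are correct, since a wrong name here ends up verbatim in ScubaResults.json.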
24 changes: 22 additions & 2 deletions PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
Expand Up @@ -180,6 +180,25 @@ function Export-AADProvider {
# Provides data on the password expiration policy
$DomainSettings = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaDomain"))

##### This block gathers information on risky API permissions related to application/service principal objects
Import-Module $PSScriptRoot/ProviderHelpers/AADRiskyPermissionsHelper.psm1

$RiskyApps = $Tracker.TryCommand("Get-ApplicationsWithRiskyPermissions")
$RiskySPs = $Tracker.TryCommand("Get-ServicePrincipalsWithRiskyPermissions", @{"M365Environment"=$M365Environment})

$RiskyApps = if ($null -eq $RiskyApps -or $RiskyApps.Count -eq 0) { $null } else { $RiskyApps }
$RiskySPs = if ($null -eq $RiskySPs -or $RiskySPs.Count -eq 0) { $null } else { $RiskySPs }

if ($RiskyApps -and $RiskySPs) {
$AggregateRiskyApps = ConvertTo-Json -Depth 3 $Tracker.TryCommand("Format-RiskyApplications", @{"RiskyApps"=$RiskyApps; "RiskySPs"=$RiskySPs})
$RiskyThirdPartySPs = ConvertTo-Json -Depth 3 $Tracker.TryCommand("Format-RiskyThirdPartyServicePrincipals", @{"RiskyApps"=$RiskyApps; "RiskySPs"=$RiskySPs})
}
else {
$AggregateRiskyApps = "{}"
$RiskyThirdPartySPs = "{}"
}
##### End block

$SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands())
$UnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands())

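Review bot: `if ($RiskyApps -and $RiskySPs)` makes both aggregations depend on both collections being non-empty, so a tenant that has risky applications but no risky service principals (or a `Get-ServicePrincipalsWithRiskyPermissions` call that fails inside TryCommand, which is what the `$null` checks just above anticipate) ends up with `"risky_applications": {}` and the application findings are dropped with no indication in the output. Consider handling each collection independently, or passing an empty array into Format-RiskyApplications / Format-RiskyThirdPartyServicePrincipals so partial results still surface. Two smaller points: `ConvertTo-Json -Depth 3` truncates anything nested deeper than three levels (credentials under permissions under an application object is already at that limit), so the depth should be checked against the real structure; and the fallback `"{}"` is an object while the success branch serializes whatever the Format-* cmdlets return, so the two branches should agree on shape (`"[]"` if those cmdlets return arrays).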
Expand All @@ -196,6 +215,8 @@ function Export-AADProvider {
"domain_settings": $DomainSettings,
"license_information": $LicenseInfo,
"total_user_count": $UserCount,
"risky_applications": $AggregateRiskyApps,
"risky_third_party_service_principals": $RiskyThirdPartySPs,
"aad_successful_commands": $SuccessfulCommands,
"aad_unsuccessful_commands": $UnSuccessfulCommands,
"@
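Review bot: the two new fields are interpolated as pre-serialized JSON, consistent with the neighbouring fields, but their shape is not pinned down: the fallback branch emits `{}` while the normal branch emits whatever Format-RiskyApplications and Format-RiskyThirdPartyServicePrincipals return. Please document the expected structure of `risky_applications` and `risky_third_party_service_principals` (the property names, such as the RoleId / RoleDisplayName / IsAdminConsented fields referenced in the commit history, and whether the top level is an object or an array) so the Rego policies and report code consuming ScubaResults.json can be written against a stable contract.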
Expand Down Expand Up @@ -621,5 +642,4 @@ function Get-PrivilegedRole {

# Return the array
$PrivilegedRoleArray
}

}