Open tkol2022 opened 4 weeks ago
Initial list of high-risk permissions:
API permissions granting read or write access to all users' mailboxes:
Relevant cmdlets:
Really nice work!! Here are some suggestions.
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
RoleManagement.ReadWrite.Directory
User.ReadWrite.All
User.Read.All
User.Export.All
Groups.Read.All
Groups.ReadWrite.All
Group.ReadWrite.All
GroupMember.Read.All
GroupMember.ReadWrite.All
Member.Read.Hidden
Mail.Read
Mail.ReadBasic
Mail.ReadBasic.All
Mail.ReadWrite.All
Mail.Send
MailboxSettings.Read
MailboxSettings.ReadWrite
Exchange.ManageAsApp
Calendars.Read
Calendars.ReadWrite
Contacts.Read
Contacts.ReadWrite
Files.Read.All
Files.ReadWrite.All
Sites.ReadWrite.All
For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).
Definitely, some hands-on testing of each permission would help to determine their respective level of risk. I'll create a separate issue to develop/execute adversary emulation tests with this initial list of risky permissions, as to break out the scope of this task accordingly. We can continue to use this issue as the place for prototyping code to report on risky API permissions.
Created #1371 for handling adversary tests.
💡 Summary
As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.
Literature for reference
Example code:
https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430
Example permissions list:
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/
https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT
Implementation notes
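The following is an added prototype sketch for the reporting approach described in the summary above; it is not ScubaGear code and not code from the issue author or the linked references. It takes the initial risky-permission list from this issue as-is, flags service principals holding any of those permissions (application permissions via app role assignments, delegated permissions via oauth2PermissionGrants), and counts the credentials (secrets and certificates) attached to each service principal. The evaluation logic runs offline against constructed sample objects; the live path assumes the Microsoft.Graph PowerShell SDK cmdlets Connect-MgGraph, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment and Get-MgServicePrincipalOauth2PermissionGrant. All function names, sample IDs and the "HighRisk" heuristic (application permission plus a credential) are this example's own choices.

```powershell
# Added prototype for this issue. Not ScubaGear code. Live path assumes the
# Microsoft.Graph PowerShell SDK; the offline demo at the bottom uses constructed data.

# Initial high-risk list from this issue, taken as-is (no additions).
$RiskyPermissions = @(
    'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.AccessAsUser.All',
    'Directory.Read.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'User.ReadWrite.All', 'User.Read.All', 'User.Export.All',
    'Groups.Read.All', 'Groups.ReadWrite.All', 'Group.ReadWrite.All',
    'GroupMember.Read.All', 'GroupMember.ReadWrite.All', 'Member.Read.Hidden',
    'Mail.Read', 'Mail.ReadBasic', 'Mail.ReadBasic.All', 'Mail.ReadWrite.All', 'Mail.Send',
    'MailboxSettings.Read', 'MailboxSettings.ReadWrite', 'Exchange.ManageAsApp',
    'Calendars.Read', 'Calendars.ReadWrite', 'Contacts.Read', 'Contacts.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)

function Get-RiskyServicePrincipalReport {
    <# Pure evaluation over already-fetched objects so it can be tested offline.
       $ServicePrincipals : objects with Id, DisplayName, PasswordCredentials, KeyCredentials
       $AppRoleAssignments: application permissions (PrincipalId, ResourceId, AppRoleId)
       $DelegatedGrants   : oauth2PermissionGrants (ClientId, Scope = space-separated string)
       $AppRoleNames      : "<ResourceId>:<AppRoleId>" -> permission value, e.g. 'Mail.Read' #>
    param(
        [Parameter(Mandatory)] [object[]] $ServicePrincipals,
        [object[]]  $AppRoleAssignments = @(),
        [object[]]  $DelegatedGrants    = @(),
        [hashtable] $AppRoleNames       = @{},
        [string[]]  $Risky              = $RiskyPermissions
    )
    foreach ($sp in $ServicePrincipals) {
        # Resolve app role GUIDs to permission names for this principal's assignments.
        $appPerms = foreach ($a in $AppRoleAssignments) {
            if ($a.PrincipalId -eq $sp.Id) { $AppRoleNames["$($a.ResourceId):$($a.AppRoleId)"] }
        }
        # Delegated grants carry scopes as one space-separated string.
        $delPerms = foreach ($g in $DelegatedGrants) {
            if ($g.ClientId -eq $sp.Id -and $g.Scope) { $g.Scope.Trim() -split '\s+' }
        }
        $riskyApp  = @($appPerms | Where-Object { $_ -and $Risky -contains $_ } | Sort-Object -Unique)
        $riskyDel  = @($delPerms | Where-Object { $Risky -contains $_ } | Sort-Object -Unique)
        $credCount = @($sp.PasswordCredentials).Count + @($sp.KeyCredentials).Count

        if ($riskyApp.Count -gt 0 -or $riskyDel.Count -gt 0 -or $credCount -gt 0) {
            [pscustomobject]@{
                DisplayName               = $sp.DisplayName
                ServicePrincipalId        = $sp.Id
                RiskyAppPermissions       = $riskyApp -join ', '
                RiskyDelegatedPermissions = $riskyDel -join ', '
                CredentialCount           = $credCount
                # Heuristic: an application permission plus a credential is usable with no signed-in user.
                HighRisk                  = ($riskyApp.Count -gt 0 -and $credCount -gt 0)
            }
        }
    }
}

function Get-LiveRiskyServicePrincipalReport {
    # Live path (requires Microsoft.Graph.Applications); read-only scope is sufficient.
    Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
    $sps = Get-MgServicePrincipal -All -Property Id,DisplayName,AppRoles,PasswordCredentials,KeyCredentials
    # Build the AppRoleId -> permission-name map from every resource service principal's AppRoles.
    $names = @{}
    foreach ($res in $sps) { foreach ($role in $res.AppRoles) { $names["$($res.Id):$($role.Id)"] = $role.Value } }
    $assign = foreach ($sp in $sps) { Get-MgServicePrincipalAppRoleAssignment   -ServicePrincipalId $sp.Id -All }
    $grants = foreach ($sp in $sps) { Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All }
    Get-RiskyServicePrincipalReport -ServicePrincipals $sps -AppRoleAssignments $assign `
        -DelegatedGrants $grants -AppRoleNames $names
}

# Offline demonstration with constructed sample objects (not real tenant data).
$graphId     = 'res-graph'
$sampleNames = @{ "${graphId}:role-mail-read" = 'Mail.Read'; "${graphId}:role-user-readbasic" = 'User.ReadBasic.All' }
$sampleSps   = @(
    [pscustomobject]@{ Id = 'sp-1'; DisplayName = 'Backup Connector'; PasswordCredentials = @(@{ KeyId = 'k1' }); KeyCredentials = @() },
    [pscustomobject]@{ Id = 'sp-2'; DisplayName = 'Dashboard Widget'; PasswordCredentials = @();                   KeyCredentials = @() }
)
$sampleAssign = @(
    [pscustomobject]@{ PrincipalId = 'sp-1'; ResourceId = $graphId; AppRoleId = 'role-mail-read' },
    [pscustomobject]@{ PrincipalId = 'sp-2'; ResourceId = $graphId; AppRoleId = 'role-user-readbasic' }
)
$sampleGrants = @([pscustomobject]@{ ClientId = 'sp-2'; Scope = 'openid profile Directory.Read.All' })

Get-RiskyServicePrincipalReport -ServicePrincipals $sampleSps -AppRoleAssignments $sampleAssign `
    -DelegatedGrants $sampleGrants -AppRoleNames $sampleNames | Format-Table -AutoSize
```

On the constructed data, 'Backup Connector' is reported with the application permission Mail.Read and one credential (HighRisk true), while 'Dashboard Widget' is reported only for the delegated Directory.Read.All grant (its application permission User.ReadBasic.All is not on the list and it has no credential). Keeping the evaluation separate from the Graph calls is what makes the permission list and the risk heuristic easy to adjust as the adversary emulation tests in #1371 refine which permissions actually matter.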