Prototype detection of service principals with risky permissions or credentials

[tkol2022]

💡 Summary

As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.

Literature for reference

Example code: https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1 https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430 Example permissions list: https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/ https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT

Implementation notes

• [x] Develop an initial list of Graph permissions that could be considered high risk if abused. For example the RoleManagement.ReadWrite.Directory permission allows attackers to elevate themselves to the Global Administrator role.
• [ ] Write some code or document a set of cmdlets to report on a list of service principals with these permissions
• [ ] Write code or document a set of cmdlets to report on a list of service principals with credentials (certificate or secret) assigned to them
• [ ] Read the articles below and see if they describe a different security problem that would require a different audit strategy or if what they describe is already covered with the reporting features covered in this issue. https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
• [ ] Determine how this functionality could be incorporated into ScubaGear
• [ ] Create separate issue to update ScubaGear if needed.

[mitchelbaker-cisa]

Initial list of high-risk permissions:

• Application.ReadWrite.All
• AppRoleAssignment.ReadWrite.All
• Directory.AccessAsUser.All
• Directory.Read.All
• Directory.ReadWrite.All
• RoleManagement.ReadWrite.Directory
• Groups.Read.All
• Group.ReadWrite.All
• GroupMember.Read.All
• GroupMember.ReadWrite.All
• Groups.ReadWrite.All
• User.ReadWrite.All
• User.Read.All
• User.Export.All
• Member.Read.Hidden
• Files.Read.All
• Files.ReadWrite.All
• ActivityFeed.Read
• ServicePrincipalEndPoint.ReadWrite.All

API permissions granting read or write access to all user's mailboxes:

• Mail.Read
• Mail.ReadBasic
• Mail.ReadBasic.All
• Mail.ReadWrite.All
• Mail.Send
• MailboxSettings.Read
• MailboxSettings.ReadWrite
• Calendars.Read
• Calendars.ReadWrite
• Contacts.Read
• Contacts.ReadWrite
• Exchange.ManageAsApp
• Sites.ReadWrite.All

Relevant cmdlets:

• Get-AzADServicePrincipal
• Get-AzADApplication
• Get-AzureADServiceAppRoleAssignedTo
• Get-MgServicePrincipal

[tkol2022]

Really nice work!! Here are some suggestions.

• Replace the cmdlets that begin with Get-Az with Get-Mg equivalents since we use Graph PowerShell instead of Azure PowerShell
• Renamed the cmdlet Get-AzureADServiceAppRoleAssignedTo to Get-MgServicePrincipalAppRoleAssignedTo
• For each of the permissions, it would be good to have a sentence that describes the operations that the permission grants and why the permission is risky. I created a separate comment for you below with an initial draft. Please update that comment and we can maintain it perpetually by adding more permissions or tweaking the existing ones.
• I recommend grouping the permissions into categories to make it easier to read them and maintain them. I recommend the following categories at a minimum. Directory permissions, Service principal permissions, Exchange Online permissions, Sharepoint / OneDrive permissions. For example the permission Sites.ReadWrite.All would be placed into the Sharepoint / OneDrive category.

[tkol2022]

High Risk Service Principal Permissions

Directory Permissions

1. Application.ReadWrite.All

   • Description: Allows reading and writing all application properties and configurations.
   • Risks: Misuse can lead to unauthorized app creation or modification, potentially introducing vulnerabilities or backdoors.

2. AppRoleAssignment.ReadWrite.All

   • Description: Allows managing app role assignments for any user or service principal.
   • Risks: Can lead to privilege escalation if roles are improperly assigned.

3. Directory.AccessAsUser.All

   • Description: Allows the app to access the directory as the signed-in user.
   • Risks: High risk if compromised, as it can perform actions on behalf of any user.

4. Directory.Read.All

   • Description: Allows reading directory data.
   • Risks: Exposure of sensitive directory information if accessed by unauthorized entities.

5. Directory.ReadWrite.All

   • Description: Allows reading and writing directory data.
   • Risks: Potential for unauthorized changes to directory data, impacting security and operations.

6. RoleManagement.ReadWrite.Directory

   • Description: Allows managing role assignments in the directory.
   • Risks: Incorrect role assignments can lead to privilege escalation. Attackers may be able to elevate themselves to the Global Administrator role.

User Permissions

1. User.ReadWrite.All

   • Description: Allows reading and writing all user profiles.
   • Risks: Unauthorized changes to user profiles can lead to identity theft or privilege escalation.

2. User.Read.All

   • Description: Allows reading all user profiles.
   • Risks: Exposure of user information, which could be used for phishing or social engineering.

3. User.Export.All

   • Description: Allows exporting user data.
   • Risks: High risk of data leakage if user data is exported without proper controls.

Group Permissions

1. Groups.Read.All

   • Description: Allows reading all group properties and memberships.
   • Risks: Exposure of group membership details, which could aid in social engineering attacks.

2. Groups.ReadWrite.All

   • Description: Allows full control over group properties and memberships.
   • Risks: High risk of unauthorized group modifications affecting access and security.

3. Group.ReadWrite.All

   • Description: Allows reading and writing all group properties and memberships.
   • Risks: Unauthorized group modifications can disrupt access controls.

4. GroupMember.Read.All

   • Description: Allows reading group memberships.
   • Risks: Similar to Groups.Read.All, can expose membership details.

5. GroupMember.ReadWrite.All

   • Description: Allows reading and writing group memberships.
   • Risks: Unauthorized changes to group memberships can alter access controls.

6. Member.Read.Hidden

   • Description: Allows reading hidden group memberships.
   • Risks: Exposure of sensitive membership information.

Service Principal Permissions

1. ServicePrincipalEndPoint.ReadWrite.All
   • Description: Allows managing service principal endpoints.
   • Risks: Misconfiguration or unauthorized changes can disrupt service integrations.

Exchange Online Permissions

1. Mail.Read

   • Description: Allows reading a user's email messages.
   • Risks: Unauthorized access to sensitive information, phishing, or social engineering attacks.

2. Mail.ReadBasic

   • Description: Allows reading basic email metadata (e.g., subject, sender).
   • Risks: Exposure of metadata can aid in targeted attacks or profiling.

3. Mail.ReadBasic.All

   • Description: Allows reading basic email metadata for all users.
   • Risks: Increases risk of organization-wide profiling and targeted attacks.

4. Mail.ReadWrite.All

   • Description: Allows reading and writing emails for all users.
   • Risks: High risk of unauthorized access and modification, leading to data breaches or communication manipulation.

5. Mail.Send

   • Description: Allows sending emails as any user.
   • Risks: Unauthorized sending can result in phishing, spam, or impersonation.

6. MailboxSettings.Read

   • Description: Allows reading a user's mailbox settings.
   • Risks: Reveals configuration details that might be exploited.

7. MailboxSettings.ReadWrite

   • Description: Allows reading and writing a user's mailbox settings.
   • Risks: Unauthorized changes can disrupt email delivery or alter security settings.

8. Exchange.ManageAsApp

   • Description: Allows managing Exchange data and settings at an organizational level.
   • Risks: Broad access poses a high risk of data exposure and unauthorized changes.

Calendars and Contacts Permissions

1. Calendars.Read

   • Description: Allows reading a user's calendar events.
   • Risks: Exposure of events can reveal sensitive information about meetings and plans.

2. Calendars.ReadWrite

   • Description: Allows reading and writing a user's calendar events.
   • Risks: Unauthorized modifications can disrupt schedules or manipulate event details.

3. Contacts.Read

   • Description: Allows reading a user's contacts.
   • Risks: Access to contact information can aid in social engineering or unauthorized data collection.

4. Contacts.ReadWrite

   • Description: Allows reading and writing a user's contacts.
   • Risks: Unauthorized changes can lead to data integrity issues or manipulation.

Files (SharePoint/OneDrive) Permissions

1. Files.Read.All

   • Description: Allows reading all files user can access.
   • Risks: Unauthorized access to sensitive files.

2. Files.ReadWrite.All

   • Description: Allows reading and writing all files user can access.
   • Risks: Potential for data tampering or unauthorized data access.

3. Sites.ReadWrite.All

   • Description: Allows full control over all SharePoint sites.
   • Risks: Unauthorized data modification, deletion, or exposure of sensitive information.

Activity and Feed Permissions

1. ActivityFeed.Read
   • Description: Allows reading activity feed data.
   • Risks: Exposure of activity data, which could reveal patterns or sensitive operations.

[tkol2022]

For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).

[mitchelbaker-cisa]

For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).

Definitely, some hands-on testing of each permission would help to determine their respective level of risk. I'll create a separate issue to develop/execute adversary emulation tests with this initial list of risky permissions, as to break out the scope of this task accordingly. We can continue to use this issue as the place for prototyping code to report on risky API permissions.

Created #1371 for handling adversary tests.