Prototype detection of service principals with risky permissions or credentials #1327
Comments
Initial list of high-risk permissions:
API permissions granting read or write access to all users' mailboxes:
Relevant cmdlets:
All API permissions and their respective UUIDs can be found here: https://learn.microsoft.com/en-us/graph/permissions-reference
Really nice work!! Here are some suggestions.
High Risk Service Principal Permissions
Directory Permissions
User Permissions
Group Permissions
Service Principal Permissions
Exchange Online Permissions
Calendars and Contacts Permissions
Files (SharePoint/OneDrive) Permissions
Activity and Feed Permissions
Access Control Permissions
High Risk Application Permissions
For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).
Definitely, some hands-on testing of each permission would help to determine their respective level of risk. I'll create a separate issue to develop/execute adversary emulation tests with this initial list of risky permissions, so as to break out the scope of this task accordingly. We can continue to use this issue as the place for prototyping code to report on risky API permissions. Created #1371 for handling adversary tests.
Thanks, added to the list.
💡 Summary
As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.
Literature for reference
Example code:
https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430
Example permissions list:
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/
https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT
Implementation notes
https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
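As an added example of the kind of check this issue is prototyping (it is not code from ScubaGear or from any of the references linked above), the following PowerShell flags service principals that hold risky Microsoft Graph permissions and/or unexpired credentials. It works on objects shaped like the output of Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment and Get-MgOauth2PermissionGrant, so it runs offline on the constructed sample tenant at the bottom; the service principal ids and names there are placeholders. The app role ids in the lookup table are the Graph application-permission ids from the permissions reference linked in this issue and should be verified against it before the table is extended with the rest of the list.

```powershell
# Added example for this issue (not ScubaGear code): flag service principals that hold
# risky Microsoft Graph permissions and/or usable credentials. Input objects are shaped
# like the output of Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment and
# Get-MgOauth2PermissionGrant; the sample data at the bottom is constructed.

# Graph application permissions (app roles) treated as high risk, keyed by the app role
# id from the Graph permissions reference (verify there before extending this table).
$RiskyAppRoles = @{
    'e2a3a72e-5f79-4c64-b1b1-878b674786c9' = 'Mail.ReadWrite'
    '810c84a8-4a9e-49e6-bf7d-12d183f40d01' = 'Mail.Read'
    '19dbc75e-c2e2-444c-a770-ec69d8559fc7' = 'Directory.ReadWrite.All'
    '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8' = 'RoleManagement.ReadWrite.Directory'
    '1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9' = 'Application.ReadWrite.All'
    '06b708a9-e830-4db3-a914-8c69da51d0b4' = 'AppRoleAssignment.ReadWrite.All'
}

function Get-RiskyServicePrincipalReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $ServicePrincipals,  # Id, DisplayName, KeyCredentials, PasswordCredentials
        [Parameter(Mandatory)] [string]   $GraphResourceId,    # object id of the tenant's Microsoft Graph service principal
        [object[]] $AppRoleAssignments = @(),                  # PrincipalId, ResourceId, AppRoleId
        [object[]] $Oauth2Grants = @()                         # ClientId, ResourceId, ConsentType, Scope
    )
    $now = [DateTime]::UtcNow
    foreach ($sp in $ServicePrincipals) {
        # App roles are matched only when granted on the Graph resource; the same
        # AppRoleId means something else on any other resource application.
        $appPerms = @($AppRoleAssignments |
            Where-Object { $_.PrincipalId -eq $sp.Id -and $_.ResourceId -eq $GraphResourceId -and $RiskyAppRoles.ContainsKey($_.AppRoleId) } |
            ForEach-Object { $RiskyAppRoles[$_.AppRoleId] })

        # Delegated scopes are counted only with tenant-wide (admin) consent; Scope is space-separated.
        $delegated = @($Oauth2Grants |
            Where-Object { $_.ClientId -eq $sp.Id -and $_.ResourceId -eq $GraphResourceId -and $_.ConsentType -eq 'AllPrincipals' } |
            ForEach-Object { $_.Scope -split '\s+' } |
            Where-Object { $RiskyAppRoles.Values -contains $_ } |
            Sort-Object -Unique)

        # Only an unexpired certificate or secret lets someone actually authenticate as the SP.
        $creds = @(@($sp.KeyCredentials) + @($sp.PasswordCredentials) |
            Where-Object { $_ -and $_.EndDateTime -gt $now })

        $hasPerms = ($appPerms.Count -gt 0) -or ($delegated.Count -gt 0)
        if (-not $hasPerms -and $creds.Count -eq 0) { continue }
        # Risky permission plus a usable credential is the combination an attacker can drive directly.
        $severity = if ($hasPerms -and $creds.Count -gt 0) { 'High' } elseif ($hasPerms) { 'Medium' } else { 'Info' }

        [pscustomobject]@{
            DisplayName          = $sp.DisplayName
            Id                   = $sp.Id
            RiskyAppPermissions  = $appPerms -join ', '
            RiskyDelegatedScopes = $delegated -join ', '
            ActiveCredentials    = $creds.Count
            Severity             = $severity
        }
    }
}

# ---- Constructed sample tenant (ids and names are placeholders, not real tenant values) ----
$GraphSpId = '11111111-1111-1111-1111-111111111111'
$SPs = @(
    [pscustomobject]@{ Id = 'sp-archiver'; DisplayName = 'Mail Archiver'
        KeyCredentials      = @([pscustomobject]@{ KeyId = 'k1'; EndDateTime = [DateTime]::UtcNow.AddDays(200) })
        PasswordCredentials = @() }
    [pscustomobject]@{ Id = 'sp-dashboard'; DisplayName = 'Dashboard'
        KeyCredentials      = @()
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'p1'; EndDateTime = [DateTime]::UtcNow.AddDays(-30) }) }  # expired
    [pscustomobject]@{ Id = 'sp-provisioning'; DisplayName = 'Provisioning Bot'
        KeyCredentials      = @()
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'p2'; EndDateTime = [DateTime]::UtcNow.AddDays(90) }) }
    [pscustomobject]@{ Id = 'sp-idle'; DisplayName = 'Idle App'
        KeyCredentials      = @()
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'p3'; EndDateTime = [DateTime]::UtcNow.AddDays(365) }) }
)
$Assignments = @(
    [pscustomobject]@{ PrincipalId = 'sp-archiver';     ResourceId = $GraphSpId;  AppRoleId = 'e2a3a72e-5f79-4c64-b1b1-878b674786c9' }  # Mail.ReadWrite on Graph
    [pscustomobject]@{ PrincipalId = 'sp-dashboard';    ResourceId = 'other-api'; AppRoleId = 'e2a3a72e-5f79-4c64-b1b1-878b674786c9' }  # same id, other resource: ignored
    [pscustomobject]@{ PrincipalId = 'sp-provisioning'; ResourceId = $GraphSpId;  AppRoleId = '06b708a9-e830-4db3-a914-8c69da51d0b4' }  # AppRoleAssignment.ReadWrite.All
)
$Grants = @(
    [pscustomobject]@{ ClientId = 'sp-dashboard'; ResourceId = $GraphSpId; ConsentType = 'AllPrincipals'; Scope = 'User.Read Mail.ReadWrite' }
)

Get-RiskyServicePrincipalReport -ServicePrincipals $SPs -GraphResourceId $GraphSpId -AppRoleAssignments $Assignments -Oauth2Grants $Grants |
    Format-Table -AutoSize
```

On the sample data this reports Mail Archiver and Provisioning Bot as High (risky Graph app role plus an unexpired credential), Dashboard as Medium (admin-consented delegated Mail.ReadWrite, but its only secret has expired; its Mail.ReadWrite-looking app role on a non-Graph resource is deliberately not matched) and Idle App as Info (a live secret but no risky permission). Against a real tenant the same inputs would come from Get-MgServicePrincipal -All (requesting the KeyCredentials and PasswordCredentials properties), Get-MgServicePrincipalAppRoleAssignment per service principal and Get-MgOauth2PermissionGrant -All, with $GraphResourceId set to the object id of the service principal whose AppId is 00000003-0000-0000-c000-000000000000; the risk table is the part that should grow from the permission list being assembled in this issue.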