Prototype detection of service principals with risky permissions or credentials #1327

Open
2 of 6 tasks
tkol2022 opened this issue Sep 23, 2024 · 7 comments

@tkol2022

tkol2022 commented Sep 23, 2024

💡 Summary

As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.

Literature for reference

Example code:
https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430
Example permissions list:
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/
https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT

Implementation notes

  • Develop an initial list of Graph permissions that could be considered high risk if abused. For example the RoleManagement.ReadWrite.Directory permission allows attackers to elevate themselves to the Global Administrator role.
  • Write some code or document a set of cmdlets to report on a list of service principals with these permissions
  • Write code or document a set of cmdlets to report on a list of service principals with credentials (certificate or secret) assigned to them
  • Read the articles below and see if they describe a different security problem that would require a different audit strategy or if what they describe is already covered with the reporting features covered in this issue.
    https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
    https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
  • Determine how this functionality could be incorporated into ScubaGear
  • Create separate issue to update ScubaGear if needed.
@tkol2022 tkol2022 added the hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping label Sep 23, 2024
@schrolla schrolla added this to the Kraken milestone Oct 7, 2024
@mitchelbaker-cisa mitchelbaker-cisa self-assigned this Oct 9, 2024
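The third implementation note above asks for a report of service principals that have a certificate or secret assigned. The following is an added example written for this thread, not ScubaGear's own code or anything from the linked repositories. It assumes the Microsoft Graph PowerShell SDK and an existing `Connect-MgGraph` session with `Application.Read.All`; the function name, the `ExpiryWarningDays` threshold and the `Status` labels are this example's own choices. It reports credentials on the service principal object and, where the app is registered in the same tenant, on the backing application object, because a `client_credentials` grant in the home tenant authenticates with the application's credentials rather than the SP's.

```powershell
# Added example for this thread (not ScubaGear code): list service principals that
# have a secret or certificate, on the SP object itself or on the app registration
# behind it. Assumes the Microsoft Graph PowerShell SDK and an existing session:
#
#   Connect-MgGraph -Scopes 'Application.Read.All'

function Get-SpCredentialReport {
    [CmdletBinding()]
    param(
        # Credentials expiring within this many days are flagged (assumed threshold)
        [int]$ExpiryWarningDays = 30
    )

    $now = (Get-Date).ToUniversalTime()

    # A client_credentials grant in the home tenant uses the credentials on the
    # application object, so index those by AppId and join them to each SP below.
    $appsByAppId = @{}
    Get-MgApplication -All -Property Id,AppId,DisplayName,KeyCredentials,PasswordCredentials |
        ForEach-Object { $appsByAppId[$_.AppId] = $_ }

    $servicePrincipals = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,KeyCredentials,PasswordCredentials

    foreach ($sp in $servicePrincipals) {
        # Collect (source, type, credential) entries from the SP and, when the app is
        # registered in this tenant, from its application object as well.
        $found = @()
        foreach ($c in $sp.PasswordCredentials) { $found += @{ Source = 'ServicePrincipal'; Type = 'Secret';      Cred = $c } }
        foreach ($c in $sp.KeyCredentials)      { $found += @{ Source = 'ServicePrincipal'; Type = 'Certificate'; Cred = $c } }
        $app = $appsByAppId[$sp.AppId]
        if ($app) {
            foreach ($c in $app.PasswordCredentials) { $found += @{ Source = 'Application'; Type = 'Secret';      Cred = $c } }
            foreach ($c in $app.KeyCredentials)      { $found += @{ Source = 'Application'; Type = 'Certificate'; Cred = $c } }
        }

        foreach ($f in $found) {
            $end = $f.Cred.EndDateTime
            $status = if (-not $end) { 'NoExpiry' }
                      elseif ($end.ToUniversalTime() -lt $now) { 'Expired' }
                      elseif (($end.ToUniversalTime() - $now).TotalDays -le $ExpiryWarningDays) { 'ExpiringSoon' }
                      else { 'Valid' }

            [pscustomobject]@{
                ServicePrincipal     = $sp.DisplayName
                ServicePrincipalId   = $sp.Id
                AppId                = $sp.AppId
                ServicePrincipalType = $sp.ServicePrincipalType
                CredentialSource     = $f.Source
                CredentialType       = $f.Type
                KeyId                = $f.Cred.KeyId
                Expires              = $end
                Status               = $status
            }
        }
    }
}

# Usage: one row per credential; expired and soon-to-expire entries sort first
Get-SpCredentialReport | Sort-Object Status, Expires | Format-Table -AutoSize
```

Rows with `CredentialSource = Application` only appear for apps registered in this tenant; multi-tenant apps homed elsewhere show only credentials attached directly to the local service principal. Expired credentials are kept in the output deliberately, since a leftover expired secret still tells you the SP was once used for non-interactive sign-in.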
@mitchelbaker-cisa

mitchelbaker-cisa commented Oct 21, 2024

Initial list of high-risk permissions:

  • Application.ReadWrite.All
  • AppRoleAssignment.ReadWrite.All
  • Directory.AccessAsUser.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • RoleManagement.ReadWrite.Directory
  • Groups.Read.All
  • Group.ReadWrite.All
  • GroupMember.Read.All
  • GroupMember.ReadWrite.All
  • Groups.ReadWrite.All
  • User.ReadWrite.All
  • User.Read.All
  • User.Export.All
  • Member.Read.Hidden
  • Files.Read.All
  • Files.ReadWrite.All
  • ActivityFeed.Read
  • ServicePrincipalEndPoint.ReadWrite.All

API permissions granting read or write access to all users' mailboxes:

  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadBasic.All
  • Mail.ReadWrite.All
  • Mail.Send
  • MailboxSettings.Read
  • MailboxSettings.ReadWrite
  • Calendars.Read
  • Calendars.ReadWrite
  • Contacts.Read
  • Contacts.ReadWrite
  • Exchange.ManageAsApp
  • Sites.ReadWrite.All

Relevant cmdlets:

All API permissions and their respective uuid can be found here: https://learn.microsoft.com/en-us/graph/permissions-reference

@tkol2022

tkol2022 commented Oct 22, 2024

Really nice work!! Here are some suggestions.

  • Replace the cmdlets that begin with Get-Az with Get-Mg equivalents since we use Graph PowerShell instead of Azure PowerShell
  • Rename the cmdlet Get-AzureADServiceAppRoleAssignedTo to Get-MgServicePrincipalAppRoleAssignedTo
  • For each of the permissions, it would be good to have a sentence that describes the operations that the permission grants and why the permission is risky. I created a separate comment for you below with an initial draft. Please update that comment and we can maintain it perpetually by adding more permissions or tweaking the existing ones.
  • I recommend grouping the permissions into categories to make it easier to read them and maintain them. I recommend the following categories at a minimum. Directory permissions, Service principal permissions, Exchange Online permissions, Sharepoint / OneDrive permissions. For example the permission Sites.ReadWrite.All would be placed into the Sharepoint / OneDrive category.

@tkol2022

tkol2022 commented Oct 22, 2024

High Risk Service Principal Permissions

Directory Permissions

  1. Application.ReadWrite.All

    • Description: Allows reading and writing all application properties and configurations.
    • Risks: Misuse can lead to unauthorized app creation or modification, potentially introducing vulnerabilities or backdoors.
  2. AppRoleAssignment.ReadWrite.All

    • Description: Allows managing app role assignments for any user or service principal.
    • Risks: Can lead to privilege escalation if roles are improperly assigned.
  3. Directory.AccessAsUser.All

    • Description: Allows the app to access the directory as the signed-in user.
    • Risks: High risk if compromised, as it can perform actions on behalf of any user.
  4. Directory.Read.All

    • Description: Allows reading directory data.
    • Risks: Exposure of sensitive directory information if accessed by unauthorized entities.
  5. Directory.ReadWrite.All

    • Description: Allows reading and writing directory data.
    • Risks: Potential for unauthorized changes to directory data, impacting security and operations.
  6. RoleManagement.ReadWrite.Directory

    • Description: Allows managing role assignments in the directory.
    • Risks: Incorrect role assignments can lead to privilege escalation. Attackers may be able to elevate themselves to the Global Administrator role.
  7. RoleManagement.ReadWrite.Exchange

    • Description: Allows reading and writing Exchange Online RBAC configurations.
    • Risks: Incorrect role assignments can lead to privilege escalation in Exchange.
  8. Application.ReadWrite.OwnedBy

    • Description: This permission allows the app to read and write the properties of applications that it owns in the directory.
    • Risks: It enables modification of app configurations, which can lead to security vulnerabilities if the app is compromised. An attacker could manipulate these apps to bypass authentication or escalate privileges, potentially leading to unauthorized access to data or resources.

User Permissions

  1. User.ReadWrite.All

    • Description: Allows reading and writing all user profiles.
    • Risks: Unauthorized changes to user profiles can lead to identity theft or privilege escalation.
  2. User.Read.All

    • Description: Allows reading all user profiles.
    • Risks: Exposure of user information, which could be used for phishing or social engineering.
  3. User.Export.All

    • Description: Allows exporting user data.
    • Risks: High risk of data leakage if user data is exported without proper controls.

Group Permissions

  1. Group.Read.All

    • Description: Allows reading all group properties and memberships.
    • Risks: Exposure of group membership details, which could aid in social engineering attacks.
  2. Group.ReadWrite.All

    • Description: Allows reading and writing all group properties and memberships.
    • Risks: High risk of unauthorized group modifications affecting access and security.
  3. GroupMember.Read.All

    • Description: Allows reading group memberships.
    • Risks: Similar to Groups.Read.All, can expose membership details.
  4. GroupMember.ReadWrite.All

    • Description: Allows reading and writing group memberships.
    • Risks: Unauthorized changes to group memberships can alter access controls.
  5. Member.Read.Hidden

    • Description: Allows reading hidden group memberships.
    • Risks: Exposure of sensitive membership information.

Service Principal Permissions

  1. ServicePrincipalEndPoint.ReadWrite.All

    • Description: Allows managing service principal endpoints.
    • Risks: Misconfiguration or unauthorized changes can disrupt service integrations.

Exchange Online Permissions

  1. Mail.Read

    • Description: Allows reading a user's email messages.
    • Risks: Unauthorized access to sensitive information, phishing, or social engineering attacks.
  2. Mail.ReadBasic

    • Description: Allows reading basic email metadata (e.g., subject, sender).
    • Risks: Exposure of metadata can aid in targeted attacks or profiling.
  3. Mail.ReadBasic.All

    • Description: Allows reading basic email metadata for all users.
    • Risks: Increases risk of organization-wide profiling and targeted attacks.
  4. Mail.ReadWrite

    • Description: Allows reading and writing emails for all users.
    • Risks: High risk of unauthorized access and modification, leading to data breaches or communication manipulation.
  5. Mail.Send

    • Description: Allows sending emails as any user.
    • Risks: Unauthorized sending can result in phishing, spam, or impersonation.
  6. MailboxSettings.Read

    • Description: Allows reading a user's mailbox settings.
    • Risks: Reveals configuration details that might be exploited.
  7. MailboxSettings.ReadWrite

    • Description: Allows reading and writing a user's mailbox settings.
    • Risks: Unauthorized changes can disrupt email delivery or alter security settings.
  8. Exchange.ManageAsApp (covered in Office 365 Exchange Online)

    • Description: Allows managing Exchange data and settings at an organizational level.
    • Risks: Broad access poses a high risk of data exposure and unauthorized changes.

Calendars and Contacts Permissions

  1. Calendars.Read

    • Description: Allows reading a user's calendar events.
    • Risks: Exposure of events can reveal sensitive information about meetings and plans.
  2. Calendars.ReadWrite

    • Description: Allows reading and writing a user's calendar events.
    • Risks: Unauthorized modifications can disrupt schedules or manipulate event details.
  3. Contacts.Read

    • Description: Allows reading a user's contacts.
    • Risks: Access to contact information can aid in social engineering or unauthorized data collection.
  4. Contacts.ReadWrite

    • Description: Allows reading and writing a user's contacts.
    • Risks: Unauthorized changes can lead to data integrity issues or manipulation.
  5. CallRecords.Read.All

    • Description: This permission allows access to read details of all PSTN (Public Switched Telephone Network) call records.
    • Risks: PSTN call records often contain sensitive information, including who called whom, when, and for how long. Exposing this data could lead to privacy concerns or data breaches, especially in regulated industries.
  6. CallRecord-PstnCalls.Read.All

    • Description: This permission allows read access to all call records within the organization.
    • Risks: Similar to the PSTN call record permission, this provides broad access to sensitive communication data. A breach of this data could reveal internal communications, relationships between users, or other confidential information.

Files (SharePoint/OneDrive) Permissions

  1. Files.Read.All

    • Description: Allows reading all files user can access.
    • Risks: Unauthorized access to sensitive files.
  2. Files.ReadWrite.All

    • Description: Allows reading and writing all files user can access.
    • Risks: Potential for data tampering or unauthorized data access.
  3. Sites.ReadWrite.All

    • Description: Allows full control over all SharePoint sites.
    • Risks: Unauthorized data modification, deletion, or exposure of sensitive information.
  4. Sites.FullControl.All

    • Description: Allows the application to manage all SharePoint Online content and settings.
    • Risks: An attacker could exfiltrate sensitive information on a large scale, change site or folder-level permissions, grant access to other accounts, add external sharing links, or create backdoors for ongoing access.

Activity and Feed Permissions

  1. ActivityFeed.Read (part of Office 365 Management APIs)

    • Description: Allows reading activity feed data.
    • Risks: Exposure of activity data, which could reveal patterns or sensitive operations.
  2. ActivityFeed.ReadDlp (part of Office 365 Management APIs)

    • Description: Allows reading of DLP policy events.
    • Risks: Exposure of DLP incidents could provide insights into an organization's sensitive assets and data governance practices.

Access Control Permissions

  1. Policy.ReadWrite.ConditionalAccess

    • Description: This permission allows the app to read and write your organization's conditional access policies.
    • Risks: This permission allows modification of conditional access policies, potentially enabling attackers to bypass security controls or weaken access restrictions, leading to unauthorized access and increased risk of data breaches.
  2. Policy.Read.All

    • Description: Allows the app to read all your organization's policies without a signed in user.
    • Risks: An attacker could gain detailed knowledge on security configurations, or around missing MFA enforcement for critical privileged roles.

High Risk Application Permissions

  1. Exchange.ManageAsApp

    • Description: Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects.
    • Risks: Allows the application to act at an organizational level without specific user context or consent, allowing an attacker to potentially read or modify emails across an organization.
  2. full_access_as_app

    • Description: Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.
    • Risks: Full visibility to all mailboxes without user consent.
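The report the issue's implementation notes ask for, built from the categorized list above and using the Get-Mg cmdlets suggested earlier in the thread (including Get-MgServicePrincipalAppRoleAssignedTo), as an added example written for this thread rather than ScubaGear's own code. It assumes the Microsoft Graph PowerShell SDK and a session with `Application.Read.All` and `DelegatedPermissionGrant.Read.All`. The hashtable keys are the well-known first-party application IDs for Microsoft Graph, Office 365 Exchange Online and Office 365 Management APIs; these are assumptions to verify in your own tenant, as are the function names and the category labels, which follow the grouping used above. Application permissions are resolved per resource in one call, because an app-role assignment stores only the role GUID and the resource service principal is what maps that GUID back to a value such as RoleManagement.ReadWrite.Directory. Delegated grants are handled separately, since a permission like Directory.AccessAsUser.All exists only as a delegated scope and never shows up as an app role.

```powershell
# Added example for this thread (not ScubaGear code): report every service
# principal granted one of the high-risk permissions listed above, grouped by the
# categories used in the thread. Assumes the Microsoft Graph PowerShell SDK and:
#
#   Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All'

# Risky permission values keyed by the resource that publishes them. The keys are
# the well-known first-party application IDs (assumed; verify in your tenant).
$RiskyPermissions = @{
    '00000003-0000-0000-c000-000000000000' = @{   # Microsoft Graph
        'Directory'           = @('Application.ReadWrite.All', 'Application.ReadWrite.OwnedBy',
                                  'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All', 'Directory.ReadWrite.All',
                                  'RoleManagement.ReadWrite.Directory', 'RoleManagement.ReadWrite.Exchange')
        'User'                = @('User.Read.All', 'User.ReadWrite.All', 'User.Export.All')
        'Group'               = @('Group.Read.All', 'Group.ReadWrite.All', 'GroupMember.Read.All',
                                  'GroupMember.ReadWrite.All', 'Member.Read.Hidden')
        'Service Principal'   = @('ServicePrincipalEndPoint.ReadWrite.All')
        'Exchange Online'     = @('Mail.Read', 'Mail.ReadBasic', 'Mail.ReadBasic.All', 'Mail.ReadWrite', 'Mail.Send',
                                  'MailboxSettings.Read', 'MailboxSettings.ReadWrite', 'Calendars.Read',
                                  'Calendars.ReadWrite', 'Contacts.Read', 'Contacts.ReadWrite',
                                  'CallRecords.Read.All', 'CallRecord-PstnCalls.Read.All')
        'SharePoint/OneDrive' = @('Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All')
        'Access Control'      = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess')
    }
    '00000002-0000-0ff1-ce00-000000000000' = @{   # Office 365 Exchange Online
        'Exchange Online'     = @('Exchange.ManageAsApp', 'full_access_as_app')
    }
    'c5393580-f805-4401-95e8-94b7a6ef2fc2' = @{   # Office 365 Management APIs
        'Activity Feed'       = @('ActivityFeed.Read', 'ActivityFeed.ReadDlp')
    }
}

function Get-RiskyAppRoleAssignments {
    [CmdletBinding()]
    param()
    foreach ($resourceAppId in $RiskyPermissions.Keys) {
        # The resource SP publishes its app roles; an assignment records only the
        # role GUID, so map the GUIDs of the risky subset back to value and category.
        $resource = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'" | Select-Object -First 1
        if (-not $resource) { Write-Verbose "No service principal for $resourceAppId in this tenant"; continue }
        $watch = @{}
        $byCategory = $RiskyPermissions[$resourceAppId]
        foreach ($category in $byCategory.Keys) {
            foreach ($value in $byCategory[$category]) {
                $role = $resource.AppRoles | Where-Object { $_.Value -eq $value }
                if ($role) { $watch[[string]$role.Id] = @{ Value = $value; Category = $category } }
                else { Write-Verbose "$($resource.DisplayName) publishes no app role '$value' (delegated-only?)" }
            }
        }
        # One call per resource returns every principal holding any of its app roles.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $resource.Id -All) {
            if ($a.PrincipalType -ne 'ServicePrincipal') { continue }
            $hit = $watch[[string]$a.AppRoleId]
            if ($hit) {
                [pscustomobject]@{
                    ServicePrincipal   = $a.PrincipalDisplayName
                    ServicePrincipalId = $a.PrincipalId
                    Resource           = $resource.DisplayName
                    Category           = $hit.Category
                    Permission         = $hit.Value
                    GrantType          = 'Application'
                    GrantedOn          = $a.CreatedDateTime
                }
            }
        }
    }
}

function Get-RiskyDelegatedGrants {
    # Delegated permissions live in oauth2PermissionGrants as a space-separated Scope
    # string on the client SP; ConsentType 'AllPrincipals' means tenant-wide admin consent.
    [CmdletBinding()]
    param()
    $risky = @('Directory.AccessAsUser.All')   # delegated-only, so not in the app-role table
    foreach ($byResource in $RiskyPermissions.Values) { foreach ($values in $byResource.Values) { $risky += $values } }
    foreach ($g in Get-MgOauth2PermissionGrant -All) {
        foreach ($scope in ($g.Scope -split ' ')) {
            if ($scope -and $risky -contains $scope) {
                [pscustomobject]@{
                    ServicePrincipalId = $g.ClientId
                    ResourceId         = $g.ResourceId
                    Permission         = $scope
                    GrantType          = "Delegated/$($g.ConsentType)"
                }
            }
        }
    }
}

Get-RiskyAppRoleAssignments | Sort-Object ServicePrincipal, Category | Format-Table -AutoSize
Get-RiskyDelegatedGrants    | Format-Table -AutoSize
```

Run with `-Verbose` to see which listed values a resource does not publish as an app role; that is the quickest way to spot entries that are delegated-only or misspelled. Delegated rows with `ConsentType = Principal` are per-user consents and only matter in the context of that user, while `AllPrincipals` rows carry the same tenant-wide weight as an application permission.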

@tkol2022

For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).

@mitchelbaker-cisa

mitchelbaker-cisa commented Oct 22, 2024

> For any of the permissions that we are unsure about, we may need to develop and execute adversary emulation tests to determine what the actual risks are with a specific permission (i.e. what the attacker can actually do in M365 if they had that permission).

Definitely, some hands-on testing of each permission would help to determine their respective level of risk. I'll create a separate issue to develop/execute adversary emulation tests with this initial list of risky permissions, as to break out the scope of this task accordingly. We can continue to use this issue as the place for prototyping code to report on risky API permissions.

Created #1371 for handling adversary tests.

@tkol2022

tkol2022 commented Nov 4, 2024

I think we should add the Office 365 Exchange Online permission named full_access_as_app. This provides what could be considered risky permissions. See screenshot below for details.

Image

@mitchelbaker-cisa

mitchelbaker-cisa commented Nov 4, 2024

> I think we should add the Office 365 Exchange Online permission named full_access_as_app. This provides what could be considered risky permissions. See screenshot below for details.

Thanks, added to the list.
