public async Task <HashSet <Microsoft.Graph.DirectoryObject> > DeviceOwners()
{
try
{
var directoryRoles = await _microsoftGraphApiHelper.GetDirectoryRoles();
var devices = await _microsoftGraphApiHelper.GetDevices();
HashSet <Microsoft.Graph.DirectoryObject> ownersList = new HashSet <Microsoft.Graph.DirectoryObject>();
await devices.
Where(_ => _.DisplayName != null).
ForEachAsync(async _ =>
{
_deviceObjectIdToDeviceId.Add(_.DeviceId, _.Id);
var ownerList = (await _microsoftGraphApiHelper.GetRegisteredOwners(_.Id))
.Where(__ => __ != null).ToList();
BloodHoundHelper.DeviceOwners(_, ownerList);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.DeviceOwners(_, ownerList, directoryRoles);
}
ownersList.UnionWith(ownerList);
});
return(ownersList);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(DeviceOwners)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > Groups()
{
try
{
var groupsCollectionPage = await _microsoftGraphApiHelper.GetGroups();
var groups = new HashSet <string>();
await groupsCollectionPage.ForEachAsync(async _ =>
{
var groupMembersList = await _microsoftGraphApiHelper.GetGroupMembers(_.Id);
var groupMembers = BloodHoundHelper.BuildGroupMembersList(groupMembersList);
BloodHoundHelper.GroupMembership(_, groupMembers);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.GroupMembership(_, groupMembers);
}
groups.Add(_.DisplayName);
});
return(groups);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(Groups)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > Users()
{
try
{
var users = await _microsoftGraphApiHelper.GetUsers();
var usersDisplayNames = new HashSet <string>();
users
.Where(_ => _.DisplayName != null)
.ForEach(_ =>
{
BloodHoundHelper.Users(_);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.Users(_);
}
usersDisplayNames.Add(_.DisplayName);
});
return(usersDisplayNames);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(Users)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > DirectoryRoles()
{
try
{
var directoryRoles = await GraphServiceHelper.GetDirectoryRolesAsync(_graphClient, _httpContext);
var userIds = await GraphServiceHelper.GetUsersAsync(_graphClient, _httpContext);
var administrators = new HashSet <string>();
var directoryRolesNames = new HashSet <string>();
await directoryRoles.ForEachAsync(async _ =>
{
var roleMembers = await GraphServiceHelper.GetDirectoryRoleMembers(_graphClient, _httpContext, _.Id);
var members = Extensions.DirectoryRoleMembersResultsToList(roleMembers);
BloodHoundHelper.DirectoryRoleMembership(_, members);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.DirectoryRoleMembership(_, members);
GetDeviceAdministratorsIds(_.DisplayName, members, administrators);
CosmosDbGraphHelper.DirectoryRolePermissions(_, userIds, administrators);
}
directoryRolesNames.Add(_.DisplayName);
});
return(directoryRolesNames);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(DirectoryRoles)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <int> Applications()
{
try
{
var applications = await GraphServiceHelper.GetApplications(_graphClient);
applications.ForEach(async _ =>
{
try
{
var owners = await GraphServiceHelper.GetApplicationsOwner(_graphClient, _.Id);
CosmosDbGraphHelper.AppOwnership(_, owners);
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
);
return(applications.Count);
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
return(0);
}
public async Task AppSignIns()
{
try
{
var appsPermissions = await _microsoftGraphApiHelper.GetAppsPermission();
var servicePrincipals = await _microsoftGraphApiHelper.GetServicePrincipals();
var appIdToNameDictionary = new Dictionary <string, string>();
servicePrincipals.ForEach(_ =>
appIdToNameDictionary.Add(
_["id"].Value <string>(),
_["appDisplayName"].Value <string>())
);
var appIdToPermissionsSetDictionary = new Dictionary <string, HashSet <string> >();
appsPermissions.ForEach(_ =>
{
var permissionsSet = _["scope"].Value <string>().Split(' ').ToHashSet();
var appId = _["clientId"].Value <string>();
var principalId = _["principalId"].Value <string>();
appIdToNameDictionary.TryGetValue(appId, out var appDisplayName);
appIdToPermissionsSetDictionary.CreateOrUpdate(
appDisplayName ?? appId,
() => permissionsSet,
__ => __.Union(permissionsSet).ToHashSet()
);
//BloodHoundHelper.Applications(appDisplayName ?? appId, permissionsSet, principalId);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.Applications(appDisplayName, appId, permissionsSet, principalId);
}
});
/*
* Creating connections based on permissions
* foreach (var (appId, appDisplayName) in appIdToNameDictionary)
* {
* var vertex = new GremlinVertex(appId, nameof(Application));
* vertex.AddProperty(CosmosDbHelper.CollectionPartitionKey, appId.GetHashCode());
* vertex.AddProperty(nameof(appDisplayName), appDisplayName?.ToUpper() ?? string.Empty);
* gremlinVertices.Add(vertex);
* }
*
* var mailBoxes = new GremlinVertex("MailBoxes", "MailBoxes");
* mailBoxes.AddProperty(CosmosDbHelper.CollectionPartitionKey, "MailBoxes".GetHashCode());
* gremlinVertices.Add(mailBoxes);*/
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(AppSignIns)} {ex.Message} {ex.InnerException}");
}
}
public async Task <List <InteractiveLogon> > InteractiveLogOns()
{
try
{
var signIns = await _microsoftGraphApiHelper.GetSignIns();
var interactiveLogOns = new List <InteractiveLogon>();
signIns
.Where(_ => _.ClientAppUsed?.Equals("Mobile Apps and Desktop clients",
StringComparison.OrdinalIgnoreCase) == true)
.Where(_ => _.ResourceDisplayName?.Equals("Windows Azure Active Directory",
StringComparison.OrdinalIgnoreCase) == true)
.Where(_ => _.CreatedDateTime.HasValue &&
_.CreatedDateTime.Value.UtcDateTime.IsNotOlderThan(2.Days()))
.ForEach(_ =>
{
interactiveLogOns.Add(
new InteractiveLogon(
_.DeviceDetail,
_.Location,
_.UserId,
_.CreatedDateTime.GetValueOrDefault().UtcDateTime,
_.UserDisplayName));
});
interactiveLogOns.DistinctBy(_ => new { _.UserId, _.DeviceId });
interactiveLogOns.
Where(_ => _.UserId != null &&
_.UserDisplayName != null &&
_.DeviceDisplayName != null).
ForEach(_ =>
{
BloodHoundHelper.InteractiveLogOns(_);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.InteractiveLogOns(_, _deviceObjectIdToDeviceId);
}
});
return(interactiveLogOns);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(InteractiveLogOns)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public static async Task <List <string> > GetUsersAsync(GraphServiceClient graphClient, HttpContext httpContext)
{
IUserDeltaCollectionPage userPage = new UserDeltaCollectionPage();
userPage.InitializeNextPageRequest(
graphClient,
graphClient.
Users.
Delta().
Request().
Select("Id,displayName,userPrincipalName,mail").
RequestUrl);
var pageRequestCount = 0;
var userIds = new List <string>();
do
{
userPage = await userPage.NextPageRequest.GetAsync(CancellationToken.None);
userPage
.Where(_ => _.DisplayName != null)
.ForEach(_ =>
{
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.Users(_);
userIds.Add(_.Id);
}
});
pageRequestCount++;
}while (userPage.NextPageRequest != null && pageRequestCount < _maxPageRequestsPerTenant);
return(userIds);
}
public async Task <int> ServicePrincipals()
{
try
{
var appsPermissions = await GraphServiceHelper.GetAppsPermission(_graphClient, _httpContext);
var principalsPermissions = await GraphServiceHelper.GetDirectoryAudits(_graphClient, _httpContext);
var servicePrincipals = await GraphServiceHelper.GetServicePrincipals(_graphClient, _httpContext);
var principalIdToPermissions = new Dictionary <string, HashSet <string> >();
principalsPermissions.ForEach(_ =>
{
principalIdToPermissions.TryAdd(
_.TargetResources.First().Id,
ToHashSetExtension.ToHashSet(_.TargetResources.First().ModifiedProperties.First(__ => __.DisplayName == "ConsentAction.Permissions").NewValue.Split("Scope:").Last().
Split("]").First().Split(" ").Where(__ => __ != ""))
);
});
var appIdToPermissionsSetDictionary = new Dictionary <string, HashSet <string> >();
appsPermissions.ForEach(_ =>
{
var permissionsSet =
ToHashSetExtension.ToHashSet(Newtonsoft.Json.Linq.Extensions.Value <string>(_["scope"])
.Split(' '));
var appId = Newtonsoft.Json.Linq.Extensions.Value <string>(_["clientId"]);
appIdToPermissionsSetDictionary.TryAdd(appId, permissionsSet);
});
var appIdToNameDictionary = new Dictionary <string, Tuple <string, string, string, string> >();
servicePrincipals.ForEach(_ =>
appIdToNameDictionary.Add(
Newtonsoft.Json.Linq.Extensions.Value <string>(_["id"]),
new Tuple <string, string, string, string>(
Newtonsoft.Json.Linq.Extensions.Value <string>(_["appId"]),
Newtonsoft.Json.Linq.Extensions.Value <string>(_["displayName"]),
Newtonsoft.Json.Linq.Extensions.Value <string>(_["homepage"]),
Newtonsoft.Json.Linq.Extensions.Value <string>(_["appOwnerOrganizationId"])
)));
appIdToNameDictionary.ForEach(_ =>
{
appIdToPermissionsSetDictionary.TryGetValue(_.Key, out var appPermissions);
principalIdToPermissions.TryGetValue(_.Key, out var principalPermissions);
if (Startup.IsCosmosDbGraphEnabled && (principalPermissions != null || appPermissions != null))
{
if (principalPermissions != null)
{
CosmosDbGraphHelper.Applications(_.Value.Item2, _.Value.Item1, principalPermissions, UserIds, _.Key, _.Value.Item3, _.Value.Item4);
}
else
{
CosmosDbGraphHelper.Applications(_.Value.Item2, _.Key, appPermissions, UserIds, _.Value.Item1, _.Value.Item3, _.Value.Item4);
}
}
});
return(appIdToNameDictionary.Count);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(ServicePrincipals)} {ex.Message} {ex.InnerException}");
}
return(0);
}
