public async Task <HashSet <string> > Groups()
{
try
{
var groupsCollectionPage = await _microsoftGraphApiHelper.GetGroups();
var groups = new HashSet <string>();
await groupsCollectionPage.ForEachAsync(async _ =>
{
var groupMembersList = await _microsoftGraphApiHelper.GetGroupMembers(_.Id);
var groupMembers = BloodHoundHelper.BuildGroupMembersList(groupMembersList);
BloodHoundHelper.GroupMembership(_, groupMembers);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.GroupMembership(_, groupMembers);
}
groups.Add(_.DisplayName);
});
return(groups);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(Groups)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > Users()
{
try
{
var users = await _microsoftGraphApiHelper.GetUsers();
var usersDisplayNames = new HashSet <string>();
users
.Where(_ => _.DisplayName != null)
.ForEach(_ =>
{
BloodHoundHelper.Users(_);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.Users(_);
}
usersDisplayNames.Add(_.DisplayName);
});
return(usersDisplayNames);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(Users)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <List <string> > RunAzureActiveDirectoryApplication()
{
var deviceOwners = await DeviceOwners();
var directoryRoles = await DirectoryRoles();
var domains = await Domains();
var groups = await Groups();
var users = await Users();
var interactiveLogons = await InteractiveLogOns();
await AppSignIns();
await BloodHoundHelper.Waiter();
return(new List <string>
{
$"{nameof(DeviceOwners)} | {deviceOwners.Count} ",
$"{nameof(DirectoryRoles)} | {directoryRoles.ToDelimitedString(", ")}",
$"{nameof(Domains)} | {domains.ToDelimitedString(", ")}",
$"{nameof(Groups)} | {groups.ToDelimitedString(", ")}",
$"{nameof(Users)} | {users.ToDelimitedString(", ")}",
$"{nameof(InteractiveLogOns)} | {interactiveLogons.Count()}"
});
}
public async Task <HashSet <Microsoft.Graph.DirectoryObject> > DeviceOwners()
{
try
{
var directoryRoles = await _microsoftGraphApiHelper.GetDirectoryRoles();
var devices = await _microsoftGraphApiHelper.GetDevices();
HashSet <Microsoft.Graph.DirectoryObject> ownersList = new HashSet <Microsoft.Graph.DirectoryObject>();
await devices.
Where(_ => _.DisplayName != null).
ForEachAsync(async _ =>
{
_deviceObjectIdToDeviceId.Add(_.DeviceId, _.Id);
var ownerList = (await _microsoftGraphApiHelper.GetRegisteredOwners(_.Id))
.Where(__ => __ != null).ToList();
BloodHoundHelper.DeviceOwners(_, ownerList);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.DeviceOwners(_, ownerList, directoryRoles);
}
ownersList.UnionWith(ownerList);
});
return(ownersList);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(DeviceOwners)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > DirectoryRoles()
{
try
{
var directoryRoles = await GraphServiceHelper.GetDirectoryRolesAsync(_graphClient, _httpContext);
var userIds = await GraphServiceHelper.GetUsersAsync(_graphClient, _httpContext);
var administrators = new HashSet <string>();
var directoryRolesNames = new HashSet <string>();
await directoryRoles.ForEachAsync(async _ =>
{
var roleMembers = await GraphServiceHelper.GetDirectoryRoleMembers(_graphClient, _httpContext, _.Id);
var members = Extensions.DirectoryRoleMembersResultsToList(roleMembers);
BloodHoundHelper.DirectoryRoleMembership(_, members);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.DirectoryRoleMembership(_, members);
GetDeviceAdministratorsIds(_.DisplayName, members, administrators);
CosmosDbGraphHelper.DirectoryRolePermissions(_, userIds, administrators);
}
directoryRolesNames.Add(_.DisplayName);
});
return(directoryRolesNames);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(DirectoryRoles)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <List <string> > RunAzureActiveDirectoryApplication()
{
var applications = await Applications(); //Directory.Read.All
var deviceOwners = await DeviceOwners(); //Directory.Read.All
var directoryRoles = await DirectoryRoles(); //Directory.Read.All
var domains = await Domains(); //Directory.Read.All
var groups = await Groups(); //Group.Read.All or Directory.Read.All
var users = await Users(); //User.Read.All, Directory.Read.All,
var interactiveLogins = await InteractiveLogins(); // AuditLog.Read.All and Directory.Read.All
var servicePrincipals = await ServicePrincipals(); // Application.ReadWrite.All, Directory.Read.All
await BloodHoundHelper.Waiter();
return(new List <string>
{
$"{nameof(DeviceOwners)} | {deviceOwners?.Count} ",
$"{nameof(DirectoryRoles)} | {directoryRoles?.Count}",
$"{nameof(Domains)} | {domains?.Count}",
$"{nameof(Groups)} | {groups?.Count}",
$"{nameof(Users)} | {users}",
$"{nameof(InteractiveLogins)} | {interactiveLogins?.Count}",
$"{nameof(ServicePrincipals)} | {servicePrincipals}",
$"{nameof(Applications)} | {applications}"
});
}
public async Task <List <InteractiveLogon> > InteractiveLogOns()
{
try
{
var signIns = await _microsoftGraphApiHelper.GetSignIns();
var interactiveLogOns = new List <InteractiveLogon>();
signIns
.Where(_ => _.ClientAppUsed?.Equals("Mobile Apps and Desktop clients",
StringComparison.OrdinalIgnoreCase) == true)
.Where(_ => _.ResourceDisplayName?.Equals("Windows Azure Active Directory",
StringComparison.OrdinalIgnoreCase) == true)
.Where(_ => _.CreatedDateTime.HasValue &&
_.CreatedDateTime.Value.UtcDateTime.IsNotOlderThan(2.Days()))
.ForEach(_ =>
{
interactiveLogOns.Add(
new InteractiveLogon(
_.DeviceDetail,
_.Location,
_.UserId,
_.CreatedDateTime.GetValueOrDefault().UtcDateTime,
_.UserDisplayName));
});
interactiveLogOns.DistinctBy(_ => new { _.UserId, _.DeviceId });
interactiveLogOns.
Where(_ => _.UserId != null &&
_.UserDisplayName != null &&
_.DeviceDisplayName != null).
ForEach(_ =>
{
BloodHoundHelper.InteractiveLogOns(_);
if (Startup.IsCosmosDbGraphEnabled)
{
CosmosDbGraphHelper.InteractiveLogOns(_, _deviceObjectIdToDeviceId);
}
});
return(interactiveLogOns);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(InteractiveLogOns)} {ex.Message} {ex.InnerException}");
return(null);
}
}
public async Task <HashSet <string> > Domains()
{
try
{
var domainResults = await _microsoftGraphApiHelper.GetDomains();
var domains = new HashSet <string>();
domainResults.ForEach(_ => {
domains.Add(_.Id);
BloodHoundHelper.Domains(_);
});
return(domains);
}
catch (Exception ex)
{
_logger.Error(ex, $"{nameof(Domains)} {ex.Message} {ex.InnerException}");
return(null);
}
}
