Merge branch 'Development' into feature/154-dc-1-extend-log-retrieval…

…-period
T0pCyber · Jan 12, 2025 · cdaf7be · cdaf7be
2 parents 61722ed + 71bdea2
commit cdaf7be
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 6 deletions.
diff --git a/Hawk/changelog.md b/Hawk/changelog.md
@@ -89,9 +89,10 @@
 - Updated Change Log URI.
 - Removed improperly formatted JSON from Get-HawkTenantAdminInboxRuleHistory, Get-HawkTenantAdminInboxRuleRemoval, Get-HawkTenantRBACChange, Get-HawkUserAdminAudit, Search-HawkTenantEXOAuditLog
 
-  3.X.X (2025-X-XX)
+## 3.X.X (2025-X-XX)
 
 - Implemented UTC timestamps to avoid using local timestamps
 - Implemented PROMPT tag to display to screen when prompting user
 - Added functionality to expand detect M365 license type to determine max log retention time
 - Added ability to expand search up to 365 days
+
diff --git a/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 b/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1
@@ -36,15 +36,64 @@
 
     # Gather the grants using the internal Graph-based implementation
     [array]$Grants = Get-AzureADPSPermission -ShowProgress
+
+    # Create new Property for Consent_Grants output table
+    $Grants | Add-Member -NotePropertyName Flag -NotePropertyValue ""
+
     [bool]$flag = $false
 
+    # Define list of Extremely Dangerous grants
+    [array]$ExtremelyDangerousGrants = "^AppRoleAssignment\.ReadWrite\.All$", "^RoleManagement\.ReadWrite\.Directory$"
+
+    # Define list of High Risk grants
+    [array]$HighRiskGrants = "^BitlockerKey\.Read\.All$", "^Chat\.", "^Directory\.ReadWrite\.All$", "^eDiscovery\.", 
+        "^Files\.", "^MailboxSettings\.ReadWrite$", "^Mail\.ReadWrite$", "^Mail\.Send$", "^Sites\.", "^User\."
+
     # Search the Grants for the listed bad grants that we can detect
-    if ($Grants.ConsentType -contains 'AllPrincipals') {
-        Out-LogFile "Found at least one 'AllPrincipals' Grant" -notice
+
+    #Flag broad-scope grants
+    [int]$BroadGrantCount = 0
+    $Grants | ForEach-Object -Process {
+        if($_.ConsentType -contains 'AllPrincipals' -or $_.Permission -match 'all') {
+            $_.Flag = "Broad-Scope Grant"
+            $BroadGrantCount += 1
+        }
+    }
+
+    if($BroadGrantCount -gt 0) {
+        Out-LogFile "Found $BroadGrantCount Broad-Scope ('AllPrincipals' or '*.All') Grant(s)" -notice
         $flag = $true
     }
-    if ([bool]($Grants.Permission -match 'all')) {
-        Out-LogFile "Found at least one 'All' Grant" -notice
+
+    #Flag Extremely Dangerous grants; if a grant is both broad-scope and E.D., flag as E.D.
+    [int]$EDGrantCount = 0
+    foreach($grant in $ExtremelyDangerousGrants) {
+        $Grants | ForEach-Object -Process {
+            if($_.Permission -match $grant){
+                $_.Flag = "Extremely Dangerous"
+                $EDGrantCount += 1
+            }
+        }
+    }
+
+    if ($EDGrantCount -gt 0) {
+        Out-LogFile "Found $EDGrantCount Extremely Dangerous Grant(s)" -notice
+        $flag = $true
+    }
+
+    #Flag High Risk grants; if a grant is both broad-scope and H.R., flag as H.R.
+    [int]$HRGrantCount = 0
+    foreach($grant in $HighRiskGrants) {
+        $Grants | ForEach-Object -Process {
+            if($_.Permission -match $grant){
+                $_.Flag = "High Risk"
+                $HRGrantCount += 1
+            }
+        }
+    }
+
+    if ($HRGrantCount -gt 0) {
+        Out-LogFile "Found $HRGrantCount High Risk Grant(s)" -notice
         $flag = $true
     }
 

diff --git a/Hawk/internal/functions/Initialize-HawkGlobalObject.ps1 b/Hawk/internal/functions/Initialize-HawkGlobalObject.ps1
@@ -90,7 +90,7 @@
     Function New-LoggingFolder {
         [CmdletBinding(SupportsShouldProcess)]
         param([string]$RootPath)
-    
+
         # Get the current timestamp in the format yyyy-MM-dd HH:mm:ssZ
         $timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss'Z'")
 
@@ -122,6 +122,7 @@
             }
 
             Return $FullOutputPath
+
         }
         catch {
             # If it fails at any point, display an error message
@@ -296,6 +297,7 @@
                 [DateTime]$StartDate = ((Get-Date).ToUniversalTime().AddDays(-$StartRead)).Date
                 Write-Output ""
                 Out-LogFile -string "Start date set to: $StartDate [UTC]" -Information
+
             }
             # Handle DateTime input
             elseif (!($null -eq ($StartRead -as [DateTime]))) {
@@ -318,6 +320,7 @@
                 if ($StartDate -lt ((Get-Date).ToUniversalTime().AddDays(-365))) {
                     Out-LogFile -string "The date cannot exceed 365 days. Setting to the maximum limit of 365 days." -isWarning
                     [DateTime]$StartDate = ((Get-Date).ToUniversalTime().AddDays(-365)).Date
+
                 }
 
                 Out-LogFile -string "Start Date (UTC): $StartDate" -Information
@@ -370,6 +373,7 @@
                 Out-LogFile -string "End date set to: $EndDate [UTC]`n" -Information
             }
             elseif (!($null -eq ($EndRead -as [DateTime]))) {
+
                 [DateTime]$tempEndDate = (Get-Date $EndRead).ToUniversalTime().Date
 
                 if ($StartDate -gt $tempEndDate) {
@@ -445,6 +449,7 @@
 
         Write-HawkConfigurationComplete -Hawk $Hawk 
 
+
     }
     else {
         Out-LogFile -string "Valid Hawk Object already exists no actions will be taken." -Information

diff --git a/Hawk/internal/functions/Out-LogFile.ps1 b/Hawk/internal/functions/Out-LogFile.ps1
@@ -137,7 +137,9 @@
     $LogOutput = $true
 
     # Get the current date in UTC
+
     [string]$timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ssZ")
+
     [string]$logstring = ""
 
     # Build the log string based on the type of message