Azurehound enhancement - Local group user rights from Intune

.gitignore

@@ -232,3 +232,7 @@ tags
 
 # Built Visual Studio Code Extensions
 *.vsix
+.github/workflows/cla.yml
+.github/workflows/vuln-scan.yml
+/.github
+get_token.ps1

client/client.go

@@ -25,15 +25,41 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"time"
 
 	"github.com/bloodhoundad/azurehound/v2/client/config"
 	"github.com/bloodhoundad/azurehound/v2/client/query"
 	"github.com/bloodhoundad/azurehound/v2/client/rest"
 	"github.com/bloodhoundad/azurehound/v2/models/azure"
+	"github.com/bloodhoundad/azurehound/v2/models/intune"
 	"github.com/bloodhoundad/azurehound/v2/panicrecovery"
 	"github.com/bloodhoundad/azurehound/v2/pipeline"
 )
 
+// SignInEvent represents a sign-in event from Microsoft Graph
+type SignInEvent struct {
+	ID                string    `json:"id"`
+	CreatedDateTime   time.Time `json:"createdDateTime"`
+	UserDisplayName   string    `json:"userDisplayName"`
+	UserPrincipalName string    `json:"userPrincipalName"`
+	UserId            string    `json:"userId"`
+	AppDisplayName    string    `json:"appDisplayName"`
+	ClientAppUsed     string    `json:"clientAppUsed"`
+	IPAddress         string    `json:"ipAddress"`
+	IsInteractive     bool      `json:"isInteractive"`
+	Status            struct {
+		ErrorCode int `json:"errorCode"`
+	} `json:"status"`
+	DeviceDetail struct {
+		DeviceId        string `json:"deviceId"`
+		DisplayName     string `json:"displayName"`
+		OperatingSystem string `json:"operatingSystem"`
+		IsCompliant     bool   `json:"isCompliant"`
+	} `json:"deviceDetail"`
+	RiskState           string `json:"riskState"`
+	RiskLevelAggregated string `json:"riskLevelAggregated"`
+}
+
 func NewClient(config config.Config) (AzureClient, error) {
 	if msgraph, err := rest.NewRestClient(config.GraphUrl(), config); err != nil {
 		return nil, err
@@ -175,8 +201,36 @@ type azureClient struct {
 }
 
 type AzureGraphClient interface {
+
+	// Add these method signatures to the AzureGraphClient interface in client/client.go
+
+	// User Role Assignment Methods
+	ListUserAppRoleAssignments(ctx context.Context, userID string, params query.GraphParams) <-chan AzureResult[azure.AppRoleAssignment]
+
+	// Sign-in Activity Methods
+	ListSignIns(ctx context.Context, params query.GraphParams) <-chan AzureResult[azure.SignIn]
+
+	// Device Registration Methods
+	GetDeviceRegisteredUsers(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[json.RawMessage]
+	GetDeviceRegisteredOwners(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[json.RawMessage]
+
+	// High-level Collection Methods
+	CollectGroupMembershipData(ctx context.Context) <-chan AzureResult[azure.GroupMembershipData]
+	CollectUserRoleAssignments(ctx context.Context) <-chan AzureResult[azure.UserRoleData]
+	CollectDeviceAccessData(ctx context.Context) <-chan AzureResult[azure.DeviceAccessData]
+
+	ValidateScriptDeployment(ctx context.Context) error
 	GetAzureADOrganization(ctx context.Context, selectCols []string) (*azure.Organization, error)
 
+	ListIntuneDevices(ctx context.Context, params query.GraphParams) <-chan AzureResult[azure.IntuneDevice]
+	ExecuteRegistryCollectionScript(ctx context.Context, deviceID string) (*azure.ScriptExecution, error)
+	GetScriptExecutionResults(ctx context.Context, scriptID string) <-chan AzureResult[azure.ScriptExecutionResult]
+	WaitForScriptCompletion(ctx context.Context, scriptID string, maxWaitTime time.Duration) (*azure.RegistryData, error)
+	CollectRegistryDataFromDevice(ctx context.Context, deviceID string) (*azure.RegistryData, error)
+	CollectRegistryDataFromAllDevices(ctx context.Context) <-chan AzureResult[azure.DeviceRegistryData]
+	GetDeployedScriptID(ctx context.Context, scriptName string) (string, error)
+	TriggerScriptExecution(ctx context.Context, scriptID, deviceID string) error
+
 	ListAzureADGroups(ctx context.Context, params query.GraphParams) <-chan AzureResult[azure.Group]
 	ListAzureADGroupMembers(ctx context.Context, objectId string, params query.GraphParams) <-chan AzureResult[json.RawMessage]
 	ListAzureADGroupOwners(ctx context.Context, objectId string, params query.GraphParams) <-chan AzureResult[json.RawMessage]
@@ -221,6 +275,15 @@ type AzureClient interface {
 
 	TenantInfo() azure.Tenant
 	CloseIdleConnections()
+
+	CollectSessionDataDirectly(ctx context.Context) <-chan AzureResult[azure.DeviceSessionData]
+	GetUserSignInActivity(ctx context.Context, userPrincipalName string, days int) ([]SignInEvent, error)
+	GetDeviceSignInActivity(ctx context.Context, deviceId string, days int) ([]SignInEvent, error)
+
+	// Add Intune methods
+	ListIntuneManagedDevices(ctx context.Context, params query.GraphParams) <-chan AzureResult[intune.ManagedDevice]
+	GetIntuneDeviceCompliance(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[intune.ComplianceState]
+	GetIntuneDeviceConfiguration(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[intune.ConfigurationState]
 }
 
 func (s azureClient) TenantInfo() azure.Tenant {

client/intune_devices.go

@@ -0,0 +1,62 @@
+// File: client/intune_devices.go
+// Copyright (C) 2022 SpecterOps
+// Implementation of Intune device management API calls
+
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/bloodhoundad/azurehound/v2/client/query"
+	"github.com/bloodhoundad/azurehound/v2/constants"
+	"github.com/bloodhoundad/azurehound/v2/models/intune"
+)
+
+func setDefaultParams(params *query.GraphParams) {
+    if params.Top == 0 {
+        params.Top = 999
+    }
+}
+
+// ListIntuneManagedDevices retrieves all managed devices from Intune
+// GET /deviceManagement/managedDevices
+func (s *azureClient) ListIntuneManagedDevices(ctx context.Context, params query.GraphParams) <-chan AzureResult[intune.ManagedDevice] {
+    var (
+        out  = make(chan AzureResult[intune.ManagedDevice])
+        path = fmt.Sprintf("/%s/deviceManagement/managedDevices", constants.GraphApiVersion)
+    )
+
+    setDefaultParams(&params)
+
+    go getAzureObjectList[intune.ManagedDevice](s.msgraph, ctx, path, params, out)
+    return out
+}
+
+// GetIntuneDeviceCompliance retrieves compliance information for a specific device
+// GET /deviceManagement/managedDevices/{id}/deviceCompliancePolicyStates
+func (s *azureClient) GetIntuneDeviceCompliance(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[intune.ComplianceState] {
+    var (
+        out  = make(chan AzureResult[intune.ComplianceState])
+        path = fmt.Sprintf("/%s/deviceManagement/managedDevices/%s/deviceCompliancePolicyStates", constants.GraphApiVersion, deviceId)
+    )
+
+    setDefaultParams(&params)
+
+    go getAzureObjectList[intune.ComplianceState](s.msgraph, ctx, path, params, out)
+    return out
+}
+
+// GetIntuneDeviceConfiguration retrieves configuration information for a specific device
+// GET /deviceManagement/managedDevices/{id}/deviceConfigurationStates
+func (s *azureClient) GetIntuneDeviceConfiguration(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[intune.ConfigurationState] {
+    var (
+        out  = make(chan AzureResult[intune.ConfigurationState])
+        path = fmt.Sprintf("/%s/deviceManagement/managedDevices/%s/deviceConfigurationStates", constants.GraphApiVersion, deviceId)
+    )
+
+    setDefaultParams(&params)
+
+    go getAzureObjectList[intune.ConfigurationState](s.msgraph, ctx, path, params, out)
+    return out
+}

client/intune_groups_direct.go

@@ -0,0 +1,225 @@
+// client/intune_groups_direct.go
+package client
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/bloodhoundad/azurehound/v2/client/query"
+	"github.com/bloodhoundad/azurehound/v2/constants"
+	"github.com/bloodhoundad/azurehound/v2/models/azure"
+)
+
+// ListUserAppRoleAssignments - Get app role assignments for a user (User Rights)
+func (s *azureClient) ListUserAppRoleAssignments(ctx context.Context, userID string, params query.GraphParams) <-chan AzureResult[azure.AppRoleAssignment] {
+	var (
+		out  = make(chan AzureResult[azure.AppRoleAssignment])
+		path = fmt.Sprintf("/%s/users/%s/appRoleAssignments", constants.GraphApiVersion, userID)
+	)
+
+	if params.Top == 0 {
+		params.Top = 999
+	}
+
+	go getAzureObjectList[azure.AppRoleAssignment](s.msgraph, ctx, path, params, out)
+	return out
+}
+
+// ListSignIns - Get sign-in activity (for active sessions context)
+func (s *azureClient) ListSignIns(ctx context.Context, params query.GraphParams) <-chan AzureResult[azure.SignIn] {
+	var (
+		out  = make(chan AzureResult[azure.SignIn])
+		path = fmt.Sprintf("/%s/auditLogs/signIns", constants.GraphApiVersion)
+	)
+
+	if params.Top == 0 {
+		params.Top = 100 // Sign-ins can be large datasets
+	}
+
+	go getAzureObjectList[azure.SignIn](s.msgraph, ctx, path, params, out)
+	return out
+}
+
+// GetDeviceRegisteredUsers - Get users registered to a device
+func (s *azureClient) GetDeviceRegisteredUsers(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[json.RawMessage] {
+	var (
+		out  = make(chan AzureResult[json.RawMessage])
+		path = fmt.Sprintf("/%s/devices/%s/registeredUsers", constants.GraphApiVersion, deviceId)
+	)
+
+	go getAzureObjectList[json.RawMessage](s.msgraph, ctx, path, params, out)
+	return out
+}
+
+// GetDeviceRegisteredOwners - Get owners of a device
+func (s *azureClient) GetDeviceRegisteredOwners(ctx context.Context, deviceId string, params query.GraphParams) <-chan AzureResult[json.RawMessage] {
+	var (
+		out  = make(chan AzureResult[json.RawMessage])
+		path = fmt.Sprintf("/%s/devices/%s/registeredOwners", constants.GraphApiVersion, deviceId)
+	)
+
+	go getAzureObjectList[json.RawMessage](s.msgraph, ctx, path, params, out)
+	return out
+}
+
+// CollectGroupMembershipData - Collect all group membership data using existing methods
+func (s *azureClient) CollectGroupMembershipData(ctx context.Context) <-chan AzureResult[azure.GroupMembershipData] {
+	out := make(chan AzureResult[azure.GroupMembershipData])
+
+	go func() {
+		defer close(out)
+
+		// Use existing ListAzureADGroups method
+		groups := s.ListAzureADGroups(ctx, query.GraphParams{})
+
+		for groupResult := range groups {
+			if groupResult.Error != nil {
+				out <- AzureResult[azure.GroupMembershipData]{Error: groupResult.Error}
+				continue
+			}
+
+			group := groupResult.Ok
+
+			// Use existing ListAzureADGroupMembers method - fix field name
+			members := s.ListAzureADGroupMembers(ctx, group.Id, query.GraphParams{})
+
+			var membersList []json.RawMessage
+			for memberResult := range members {
+				if memberResult.Error != nil {
+					continue // Skip individual member errors
+				}
+				membersList = append(membersList, memberResult.Ok)
+			}
+
+			// Use existing ListAzureADGroupOwners method - fix field name
+			owners := s.ListAzureADGroupOwners(ctx, group.Id, query.GraphParams{})
+
+			var ownersList []json.RawMessage
+			for ownerResult := range owners {
+				if ownerResult.Error != nil {
+					continue // Skip individual owner errors
+				}
+				ownersList = append(ownersList, ownerResult.Ok)
+			}
+
+			groupData := azure.GroupMembershipData{
+				Group:   group,
+				Members: membersList,
+				Owners:  ownersList,
+			}
+
+			out <- AzureResult[azure.GroupMembershipData]{Ok: groupData}
+		}
+	}()
+
+	return out
+}
+
+// CollectUserRoleAssignments - Collect user rights assignments from Graph API
+func (s *azureClient) CollectUserRoleAssignments(ctx context.Context) <-chan AzureResult[azure.UserRoleData] {
+	out := make(chan AzureResult[azure.UserRoleData])
+
+	go func() {
+		defer close(out)
+
+		// Use existing ListAzureADUsers method
+		users := s.ListAzureADUsers(ctx, query.GraphParams{})
+
+		for userResult := range users {
+			if userResult.Error != nil {
+				out <- AzureResult[azure.UserRoleData]{Error: userResult.Error}
+				continue
+			}
+
+			user := userResult.Ok
+
+			// Get app role assignments for this user - fix field name
+			roleAssignments := s.ListUserAppRoleAssignments(ctx, user.Id, query.GraphParams{})
+
+			var assignments []azure.AppRoleAssignment
+			for assignmentResult := range roleAssignments {
+				if assignmentResult.Error != nil {
+					continue // Skip individual assignment errors
+				}
+				assignments = append(assignments, assignmentResult.Ok)
+			}
+
+			userData := azure.UserRoleData{
+				User:            user,
+				RoleAssignments: assignments,
+			}
+
+			out <- AzureResult[azure.UserRoleData]{Ok: userData}
+		}
+	}()
+
+	return out
+}
+
+// CollectDeviceAccessData - Collect device access and ownership data
+func (s *azureClient) CollectDeviceAccessData(ctx context.Context) <-chan AzureResult[azure.DeviceAccessData] {
+	out := make(chan AzureResult[azure.DeviceAccessData])
+
+	go func() {
+		defer close(out)
+
+		// Get all Intune devices
+		devices := s.ListIntuneDevices(ctx, query.GraphParams{})
+
+		for deviceResult := range devices {
+			if deviceResult.Error != nil {
+				out <- AzureResult[azure.DeviceAccessData]{Error: deviceResult.Error}
+				continue
+			}
+
+			device := deviceResult.Ok
+
+			// Try to find corresponding Azure AD device using existing method
+			azureDevices := s.ListAzureDevices(ctx, query.GraphParams{
+				Filter: fmt.Sprintf("deviceId eq '%s'", device.AzureADDeviceID),
+			})
+
+			var azureDevice *azure.Device
+			for azureDeviceResult := range azureDevices {
+				if azureDeviceResult.Error == nil {
+					deviceData := azureDeviceResult.Ok
+					azureDevice = &deviceData
+					break
+				}
+			}
+
+			var registeredUsers []json.RawMessage
+			var registeredOwners []json.RawMessage
+
+			if azureDevice != nil {
+				// Get registered users - fix field name
+				users := s.GetDeviceRegisteredUsers(ctx, azureDevice.Id, query.GraphParams{})
+				for userResult := range users {
+					if userResult.Error == nil {
+						registeredUsers = append(registeredUsers, userResult.Ok)
+					}
+				}
+
+				// Get registered owners - fix field name
+				owners := s.GetDeviceRegisteredOwners(ctx, azureDevice.Id, query.GraphParams{})
+				for ownerResult := range owners {
+					if ownerResult.Error == nil {
+						registeredOwners = append(registeredOwners, ownerResult.Ok)
+					}
+				}
+			}
+
+			deviceAccessData := azure.DeviceAccessData{
+				IntuneDevice:     device,
+				AzureDevice:      azureDevice,
+				RegisteredUsers:  registeredUsers,
+				RegisteredOwners: registeredOwners,
+			}
+
+			out <- AzureResult[azure.DeviceAccessData]{Ok: deviceAccessData}
+		}
+	}()
+
+	return out
+}