-
Notifications
You must be signed in to change notification settings - Fork 36
Expand file tree
/
Copy pathGet-PersistenceConfiguration.ps1
More file actions
545 lines (520 loc) · 24.5 KB
/
Get-PersistenceConfiguration.ps1
File metadata and controls
545 lines (520 loc) · 24.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
##############################################################################################
#This sample script is not supported under any Microsoft standard support program or service.
#Microsoft further disclaims all implied warranties including, without limitation, any implied
#warranties of merchantability or of fitness for a particular purpose. The entire risk arising
#out of the use or performance of the sample script and documentation remains with you. In no
#event shall Microsoft, its authors, or anyone else involved in the creation, production, or
#delivery of the scripts be liable for any damages whatsoever (including, without limitation,
#damages for loss of business profits, business interruption, loss of business information,
#or other pecuniary loss) arising out of the use of or inability to use the sample script or
#documentation, even if Microsoft has been advised of the possibility of such damages.
##############################################################################################
<#
.Parameter UserPrincipalName
UPN of the user whose configuration to report
.Parameter StartDate
Beginning of search window in audit logs. Defaults to seven days (and current time) ago.
.Parameter EndDate
End of search window in audit logs. Defaults to current date/time.
.Example
.\Get-PersistenceConfiguration.ps1 johndoe@contoso.com
.Example
.\Get-PersistenceConfiguration.ps1 johndoe@contoso.com -StartDate (Get-Date).AddDays(-14)
.Notes
Version: 2.0
Date: November 4, 2025
#>
[CmdletBinding()]
param (
[parameter(Mandatory=$true,ValueFromPipeline=$true,Position=0)]
[ValidateScript({ForEach-Object{if ((Get-Command -Name Get-Mailbox) -and (Get-Mailbox -Identity $_)) {$true}
else {throw "Either you are not connected to Exchange Online or $_ is not a valid mailbox identity."}}
})]
[Alias("Identity")][string]$UserPrincipalName,
[parameter(Mandatory=$false)][datetime]$StartDate = (Get-Date).AddDays(-7),
[parameter(Mandatory=$false)][datetime]$EndDate = (Get-Date).AddDays(1)
)
#requires -Modules ExchangeOnlineManagement
function Write-ProgressHelper ($activity) {
Write-Progress -Activity "Checking for persistence configured by account $UserPrincipalName" -Status 'Overall Progress' `
-CurrentOperation $activity -PercentComplete ((($script:step++)/$totalSteps)*100) -Id 1
}
function Get-UALData {
Write-ProgressHelper -Activity 'Searching Unified Audit Log for relevant activities'
# The certificates and secrets operation uses Unicode character 2013 (not 002d) for the dash and has a trailing space
$operations = @('Update application – Certificates and secrets management ','New-InboxRule','Set-InboxRule',
'UpdateInboxRules','Set-Mailbox','AddFolderPermissions','ModifyFolderPermissions','RemoveFolderPermissions',
'Set-MailboxCalendarFolder','CompanyLinkCreated', 'SecureLinkCreated', 'AnonymousLinkCreated',
'AnonymousLinkUpdated','AddedToSecureLink','AddedToSharingLink','MemberAdded','AddMemberToGroup.',
'Add owner to group.','EditFlow','CreateFlow','Set-MailboxJunkEmailConfiguration','Consent to application.',
'PowerAppPermissionEdited','PublishPowerApp','New-JournalRule','Set-JournalRule','New-TransportRule',
'Set-TransportRule','Add-MailboxPermission')
$results = @()
$sId = "Persistence" + (-join ((65..90) | Get-Random -Count 5 | ForEach-Object {[char]$_}))
do {
# Query the UAL using back-end paging until all results are returned
$rCount = $results.Count
$results += Search-UnifiedAuditLog -UserIds $UserPrincipalName -Operations $operations -StartDate $StartDate -EndDate $EndDate -Formatted -SessionCommand ReturnLargeSet -SessionId $sId -ResultSize 500
} until ($rCount -eq $results.Count)
return $results
}
#region Persistence Check Functions
function Get-MailboxRules {
Write-ProgressHelper -Activity 'Checking Inbox rules'
# Get inbox rules that forward/redirect or delete
$rules = Get-InboxRule -Mailbox $UserPrincipalName | Where-Object {($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.SoftDeleteMessage)}
if ($rules) {
# Determine if rules were created/modified during search window
$auditLogOwaRules = $ualResults | Where-Object {$_.Operations -in @('New-InboxRule','Set-InboxRule')} | Sort-Object -Property Identity -Unique
$auditLogMapiRules = $ualResults | Where-Object {$_.Operations -in @('UpdateInboxRules')} | Sort-Object -Property Identity -Unique
foreach ($ruleEntry in $rules) {
$ruleAction = @()
if ($ruleEntry.ForwardTo) {
$ruleAction += 'ForwardTo:' + $ruleEntry.ForwardTo[0].Substring(0,$ruleEntry.ForwardTo[0].IndexOf(' ')).Replace('"','')
}
if ($ruleEntry.RedirectTo) {
$ruleAction += 'RedirectTo:' + $ruleEntry.RedirectTo[0].Substring(0,$ruleEntry.RedirectTo[0].IndexOf(' ')).Replace('"','')
}
if ($ruleEntry.ForwardAsAttachmentTo) {
$ruleAction += 'ForwardAsAttachmentTo:' + $ruleEntry.ForwardAsAttachmentTo[0].Substring(0,$ruleEntry.ForwardAsAttachmentTo[0].IndexOf(' ')).Replace('"','')
}
if ($ruleEntry.DeleteMessage) {
$ruleAction += 'DeleteMessage'
}
if ($ruleEntry.SoftDeleteMessage) {
$ruleAction += 'SoftDeleteMessage'
}
if ($auditLogOwaRules) { # Rules edited in OWA
foreach ($logEntry in $auditLogOwaRules) {
$runDate = $null
# Check if matching rule name exists in audit log
$auditData = $logEntry.AuditData | ConvertFrom-Json
$ruleName = $auditData.ObjectId.Substring($auditData.ObjectId.LastIndexOf('\') + 1)
if ($ruleEntry.Name -eq $ruleName) {
$runDate = ([datetime]$logEntry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
break
}
}
}
elseif ($auditLogMapiRules) { # Rules edited in Outlook MAPI
foreach ($logEntry in $auditLogMapiRules) {
$runDate = $null
$auditData = $logEntry.AuditData | ConvertFrom-Json
$ruleName = $auditData.OperationProperties | Where-Object {$_.Name -eq 'RuleName'} | Select-Object -ExpandProperty Value
if ($ruleEntry.Name -eq $ruleName) {
$runDate = ([datetime]$auditData.CreationTime).ToLocalTime() # CreationTime is stored in UTC
break
}
}
}
[PSCustomObject]@{
Check = 'Inbox Rule'
User = $UserPrincipalName
RuleName = $ruleEntry.Name
RuleAction = $ruleAction
Enabled = $ruleEntry.Enabled
Date = if ($runDate) {$runDate} else {'OutsideOfSearchWindow'}
}
}
}
}
function Get-OWAForwarding {
Write-ProgressHelper -Activity 'Checking OWA (SMTP) forwarding'
# Check for mail forwarding via ForwardingSMTPAddress
$mb = Get-Mailbox -Identity $UserPrincipalName
if ($mb.ForwardingSmtpAddress) {
$checkForwardOutput = [PSCustomObject] @{
Check = 'SMTP Forwarding'
User = $UserPrincipalName
ForwardingAddress = $mb.ForwardingSmtpAddress
Date = $null
}
# Search audit log to see if forwarding was set during search window
$auditLogForward = $ualResults | Where-Object {$_.Operations -eq 'Set-Mailbox'} | Sort-Object -Property Identity -Unique | Sort-Object -Property CreationDate -Descending
if ($auditLogForward) {
foreach ($logEntry in $auditLogForward) {
$auditData = $logEntry.AuditData | ConvertFrom-Json
$propValue = $auditData.Parameters | Where-Object {$_.Name -eq 'ForwardingSmtpAddress'} | Select-Object -ExpandProperty Value
if ($propValue -eq $mb.ForwardingSmtpAddress) {
$runDate = ([datetime]$logEntry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
break
}
}
}
$checkForwardOutput.Date = if ($runDate) {$runDate} else {'OutsideOfSearchWindow'}
$checkForwardOutput
}
}
function Get-UserConsents {
Write-ProgressHelper -Activity 'Checking user-based application consents'
$operations = @('Consent to application.')
$auditConsent = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditConsent) {
foreach ($consent in $auditConsent) {
$auditData = $consent.AuditData | ConvertFrom-Json
if (($auditData.ModifiedProperties | Where-Object {$_.Name -eq 'ConsentContext.IsAdminConsent'} | Select-Object -ExpandProperty newValue) -eq $false) {
[PSCustomObject] @{
Check = 'User Consent'
User = $UserPrincipalName
ApplicationName = $auditData.Target | Where-Object {$_.Type -eq 1} | Select-Object -ExpandProperty ID # Type 1 is the app display name
ApplicationId = $auditData.ObjectId
Date = ([datetime]$consent.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
function Get-ClientSecretsAdded {
Write-ProgressHelper -Activity 'Checking for certificates and client secrets added to applications'
$operations = @('Update application – Certificates and secrets management ')
foreach ($update in ($ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique)) {
$auditData = $update.AuditData | ConvertFrom-Json
# To know if a key has been added or removed, compare the old and new key values
$keys = $auditData.ModifiedProperties | Where-Object {$_.Name -eq 'KeyDescription'}
# Convert string of keys into array and filter out non-key items
$oldKeys = ($keys | Select-Object -ExpandProperty oldValue).Trim('[', ']').Trim('"').Split('][') | Where-Object {$_ -like 'Key*'}
$newKeys = ($keys | Select-Object -ExpandProperty newValue).Trim('[', ']').Trim('"').Split('][') | Where-Object {$_ -like 'Key*'}
$changedKeys = Compare-Object -ReferenceObject $oldKeys -DifferenceObject $newKeys | Where-Object {$_.SideIndicator -eq '=>'}
foreach ($key in $changedKeys.InputObject) {
# Determine type of key that was added
switch (($key.Split(',') | Where-Object {$_ -like "KeyType*"}).Split('=')[1]) {
Password {$keyType = 'ClientSecret'}
AsymmetricX509Cert {$keyType = 'Certificate'}
}
[PSCustomObject] @{
Check = 'App Cert/Secret Added'
User = $UserPrincipalName
ApplicationName = $auditData.Target | Where-Object {$_.Type -eq 1} | Select-Object -ExpandProperty ID
AppObjectId = ($auditData.Target | Where-Object {$_.ID -like 'Application_*'} | Select-Object -ExpandProperty ID).Substring(12)
KeyType = $keyType
KeyName = ($key.Split(',') | Where-Object {$_ -like "DisplayName*"}).Split('=')[1]
Date = ([datetime]$update.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
function Get-FolderPermissionChanges {
Write-ProgressHelper -Activity 'Checking mailbox folder permissions'
$mailbox = Get-Mailbox -Identity $UserPrincipalName
# Verify mailbox auditing requirements have been met
$orgAuditState = (Get-OrganizationConfig).AuditDisabled
$mailboxOwnerAudit = $mailbox.AuditOwner -contains 'UpdateFolderPermissions'
$userAuditBypass = (Get-MailboxAuditBypassAssociation -Identity $UserPrincipalName).AuditBypassEnabled
Write-Verbose -Message "Org-level mailbox auditing disabled: $orgAuditState; Owner auditing includes UpdateFolderPermissions: $mailboxOwnerAudit; User audit bypass enabled: $mailboxAuditBypass"
if ($orgAuditState -eq $false -and $mailboxOwnerAudit -and $userAuditBypass -eq $false) {
# Checking folder permission additions includes calendar delegate additions,
# so there is no need to check for UpdateCalendarDelegation operation
$operations = @('AddFolderPermissions','ModifyFolderPermissions','RemoveFolderPermissions')
$folderAuditLogs = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($folderAuditLogs) {
foreach ($logEntry in $folderAuditLogs) {
$auditData = $logEntry.AuditData | ConvertFrom-Json
[PSCustomObject] @{
Check = 'Mailbox Folder Permission Change'
User = $UserPrincipalName
FolderName = "$($auditData.Item.ParentFolder.Name) ($($auditData.Item.ParentFolder.Path.Replace('\\','\')))"
Action = $logEntry.Operations
Assignee = $auditData.Item.ParentFolder.MemberUpn
Permission = $auditData.Item.ParentFolder.MemberRights
Date = ([datetime]$logEntry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
else {
if ($orgAuditState -eq $true) {
Write-Warning -Message 'Changes to mailbox folder permissions was skipped because organization-level mailbox auditing is disabled.'
}
if ($mailboxOwnerAudit -eq $false) {
Write-Warning -Message 'Changes to mailbox folder permissions was skipped because mailbox owner auditing of folder permission changes is not enabled.'
}
if ($userAuditBypass -eq $true) {
Write-Warning -Message "Changes to mailbox folder permissions was skipped because mailbox audit bypass is enabled for $UserPrincipalName."
}
}
}
function Get-CalendarPublishing {
Write-ProgressHelper -Activity 'Checking anonymous calendar publishing'
# Get localized folder name
$primaryCalendarPath = Get-MailboxFolderStatistics -Identity $UserPrincipalName -FolderScope Calendar |
Where-Object {$_.FolderType -eq 'Calendar'} | Select-Object -ExpandProperty FolderPath
$calendarPublishing = Get-MailboxCalendarFolder -Identity "$($UserPrincipalName):\$($primaryCalendarPath.Substring(1))"
if ($calendarPublishing.PublishEnabled) {
$checkCalPubOutput = [PSCustomObject] @{
Check = 'Calendar Publishing'
User = $UserPrincipalName
PublishEnabled = $calendarPublishing.PublishEnabled
Date = $null
}
# Determine if publishing enabled by owner during search window
$operations = @('Set-MailboxCalendarFolder')
$auditLogPublish = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditLogPublish) {
foreach ($logEntry in $auditLogPublish) {
$auditData = $logEntry.AuditData | ConvertFrom-Json
if (($auditData.Parameters | Where-Object {$_.Name -eq 'PublishEnabled'} | Select-Object -ExpandProperty Value) -eq $true) {
$checkCalPubOutput.Date = ([datetime]$logEntry.CreationDate).ToLocalTime() # CreationDate is returned in UTC
break
}
else {
$checkCalPubOutput.Date = 'OutsideOfSearchWindow'
}
}
}
else {
$checkCalPubOutput.Date = 'OutsideOfSearchWindow'
}
$checkCalPubOutput
}
}
function Get-MobileDevices {
Write-ProgressHelper -Activity 'Checking for new/active mobile device partnerships'
$mobileDevices = Get-MobileDeviceStatistics -Mailbox $UserPrincipalName
if ($mobileDevices) {
foreach ($device in $mobileDevices) {
if ($device.FirstSyncTime -gt $StartDate -or $device.LastSyncTime -gt $StartDate) {
[PSCustomObject] @{
Check = 'Mobile Device'
User = $UserPrincipalName
DeviceName = $device.DeviceFriendlyName
DeviceAgent = $device.DeviceUserAgent
FirstSync = $device.FirstSyncTime
LastSync = $device.LastSyncTime
}
}
}
}
}
function Get-FileSharing {
Write-ProgressHelper -Activity 'Checking file sharing'
$operations = @('CompanyLinkCreated', 'SecureLinkCreated', 'AnonymousLinkCreated', 'AnonymousLinkUpdated', 'AddedToSecureLink','AddedToSharingLink')
$auditLinks = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique | Sort-Object -Property CreationDate
if ($auditLinks) {
foreach ($link in $auditLinks) {
$auditData = $link.AuditData | ConvertFrom-Json
if ($auditData.Operation -eq 'AddedToSecureLink' -or $auditData.Operation -eq 'AddedToSharingLink') {
if ($auditData.TargetUserOrGroupName -like '*#EXT#*') {
$recipient = $auditData.TargetUserOrGroupName.Substring(0,$auditData.TargetUserOrGroupName.IndexOf('#EXT#',[System.StringComparison]::InvariantCultureIgnoreCase)) -replace ('_','@')
}
else {
$recipient = $auditData.TargetUserOrGroupName
}
} else {
$recipient = $null
}
[PSCustomObject] @{
Check = 'File Sharing'
User = $UserPrincipalName
Operation = $auditData.Operation
FilePath = $auditData.ObjectId
Recipient = $recipient
Date = ([datetime]$link.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
function Get-TeamMemberAdded {
Write-ProgressHelper -Activity 'Checking Team member additions'
$operations = @('MemberAdded')
$auditMembers = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditMembers) {
foreach ($entry in $auditMembers) {
$auditData = $entry.AuditData | ConvertFrom-Json
foreach ($user in $auditData.Members) {
[PSCustomObject] @{
Check = 'Team Member Add'
User = $UserPrincipalName
Operation = $entry.Operations
Member = if ($user.UPN -like '*#EXT#*') {$user.UPN.Substring(0,$user.UPN.IndexOf('#EXT#',[System.StringComparison]::InvariantCultureIgnoreCase)) -replace ('_','@')} else {$user.UPN}
Team = $auditData.TeamName
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
function Get-GroupMemberAdded {
Write-ProgressHelper -Activity 'Checking Microsoft 365 Group member additions'
$operations = @('AddMemberToGroup.','Add owner to group.')
$addedMemberLogs = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique | Sort-Object -Property CreationDate
if ($addedMemberLogs) {
foreach ($entry in $addedMemberLogs) {
$auditData = $entry.AuditData | ConvertFrom-Json
[PSCustomObject] @{
Check = 'Group Member Add'
User = $UserPrincipalName
Operation = $entry.Operations
Member = if ($auditData.ObjectId -like '*#EXT#*') {$auditData.ObjectId.Substring(0,$auditData.ObjectId.IndexOf('#EXT#',[System.StringComparison]::InvariantCultureIgnoreCase)) -replace ('_','@')} else {$auditData.ObjectId}
Group = $auditData.ModifiedProperties | Where-Object {$_.Name -eq 'Group.DisplayName'} | Select-Object -ExpandProperty newValue
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
function Get-UpdatedFlows {
# Details of workflows via PowerShell or Graph is non-existent, but an entry from the audit log
# includes the admin URL of the workflow (for manual further review) as well as the connectors being used
Write-ProgressHelper -Activity 'Checking Power Automate workflows'
$operations = @('EditFlow','CreateFlow')
$auditFlows = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique | Sort-Object -Property CreationDate
if ($auditFlows) {
foreach ($entry in $auditFlows) {
[PSCustomObject] @{
Check = 'Power Automate'
User = $UserPrincipalName
Operation = $auditData.Operation
FlowUrl = $auditData.FlowDetailsUrl
Connectors = $auditData.FlowConnectorNames
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
function Get-OutlookAddIns {
Write-ProgressHelper -Activity 'Checking for custom Mail add-ins'
# Add-ins that have same properties as side-loaded but are default add-ins
# Poll/Polls,Share to Teams,OneNote/Send to OneNote
$ignoreAddIn = @('afde34e6-58a4-4122-8a52-ef402180a878','545d8236-721a-468f-85d8-254eca7cb0da','6b47614e-0125-454b-9f76-bd5aef85ac7b')
# Side-loaded add-ins have a Type of Private and Scope of User
$addins = Get-App -Mailbox $UserPrincipalName | Where-Object {$_.Type -eq 'Private' -and $_.Scope -eq 'User' -and $_.AppId -notin $ignoreAddIn}
if ($addins) {
foreach ($addin in $addins) {
[PSCustomObject] @{
Check = 'Custom Mail Add-In'
User = $UserPrincipalName
AddInName = $addin.DisplayName
Permission = $addin.Requirements
}
}
}
}
function Get-SafeSenderList {
Write-ProgressHelper -Activity 'Checking for modified Safe Senders List'
$operations = @('Set-MailboxJunkEmailConfiguration')
$auditSafeSenders = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditSafeSenders) {
foreach ($entry in $auditSafeSenders) {
$auditData = $entry.AuditData | ConvertFrom-Json
if ($auditData.Parameters.Name -contains 'TrustedSendersAndDomains') {
[PSCustomObject] @{
Check = 'Safe Senders List'
User = $UserPrincipalName
Operation = $entry.Operations
SafeSenders = $auditData.Parameters.Value[[array]::IndexOf($auditData.Parameters.Name,'TrustedSendersAndDomains')] # List is returned as semi-colon-separated string
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
function Get-PowerApps {
Write-ProgressHelper -Activity 'Checking PowerApps'
$operations = @('PublishPowerApp','PowerAppPermissionEdited')
$auditPowerApps = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique | Sort-Object -Property CreationDate
if ($auditPowerApps) {
foreach ($entry in $auditPowerApps) {
$auditData = ($entry.AuditData | ConvertFrom-Json).JsonPropertiesCollection | ConvertFrom-Json
if ($entry.Operations -eq 'PowerAppPermissionEdited') {
[PSCustomObject] @{
Check = 'Power Apps'
User = $UserPrincipalName
Operation = $entry.Operations
AppId = $auditData.'powerplatform.analytics.resource.power_app.id'.SubString($auditData.'powerplatform.analytics.resource.power_app.id'.LastIndexOf('/')+1)
Assignee = $auditData.'targetuser.id'
PermissionType = $auditData.'powerplatform.analytics.resource.permission_type'
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
} elseif ($entry.Operations -eq 'PublishPowerApp') {
[PSCustomObject] @{
Check = 'Power Apps'
User = $UserPrincipalName
Operation = $entry.Operations
AppId = $auditData.'powerplatform.analytics.resource.power_app.id'
AppName = $auditData.'powerplatform.analytics.resource.power_app.display_name'
EnvironmentName = $auditData.'powerplatform.analytics.resource.environment.name'
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
function Get-ExAdminPersistence {
Write-ProgressHelper -Activity 'Checking for persistence configuration by Exchange administrator'
$operations = @('New-JournalRule','Set-JournalRule','New-TransportRule','Set-TransportRule','Add-MailboxPermission')
$auditExAdmin = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditExAdmin) {
foreach ($entry in $auditExAdmin) {
$auditData = $entry.AuditData | ConvertFrom-Json
if ($entry.Operations -in @('New-JournalRule','Set-JournalRule')) {
[PSCustomObject] @{
Check = 'Exchange Admin Persistence'
User = $UserPrincipalName
Operation = $entry.Operations
RuleName = $auditData.ObjectId
JournalRecipient = $auditData.Parameters | Where-Object {$_.Name -eq 'JournalEmailAddress'} | Select-Object -ExpandProperty Value
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
if ($entry.Operations -in @('New-TransportRule','Set-TransportRule')) {
[PSCustomObject] @{
Check = 'Exchange Admin Persistence'
User = $UserPrincipalName
Operation = $entry.Operations
RuleName = $auditData.ObjectId
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
if ($entry.Operations -eq 'Add-MailboxPermission') {
[PSCustomObject] @{
Check = 'Exchange Admin Persistence'
User = $UserPrincipalName
Operation = $entry.Operations
Mailbox = $auditData.ObjectId
AssigneeId = $auditData.Parameters | Where-Object {$_.Name -eq 'User'} | Select-Object -ExpandProperty Value # This is the Entra object ID
Date = ([datetime]$entry.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
function Get-AdminConsentGranted {
Write-ProgressHelper -Activity 'Checking for admin consent grants'
$operations = @('Consent to application.')
$auditConsent = $ualResults | Where-Object {$_.Operations -in $operations} | Sort-Object -Property Identity -Unique
if ($auditConsent) {
foreach ($consent in $auditConsent) {
$auditData = $consent.AuditData | ConvertFrom-Json
if (($auditData.ModifiedProperties | Where-Object {$_.Name -eq 'ConsentContext.IsAdminConsent'} | Select-Object -ExpandProperty newValue) -eq $true) {
[PSCustomObject] @{
Check = 'Admin Consent'
User = $UserPrincipalName
ApplicationName = $auditData.Target | Where-Object {$_.Type -eq 1} | Select-Object -ExpandProperty ID # Type 1 is the app display name
ApplicationId = $auditData.ObjectId
Date = ([datetime]$consent.CreationDate).ToLocalTime() # CreationDate is stored in UTC
}
}
}
}
}
#endregion Persistence Check Functions
#region Start
$step = 0
$totalSteps = 16 # Includes getting logs (but excluding mobile devices)
$ualResults = Get-UALData
Get-MailboxRules
Get-OWAForwarding
Get-FolderPermissionChanges
Get-CalendarPublishing
Get-OutlookAddIns
Get-SafeSenderList
#Get-MobileDevices
Get-UserConsents
Get-FileSharing
Get-TeamMemberAdded
Get-GroupMemberAdded
Get-UpdatedFlows
Get-PowerApps
Get-ExAdminPersistence
Get-ClientSecretsAdded
Get-AdminConsentGranted
#endregion Start