From fc5a75efd1891d2ad0a24a5ea201a63876d0e5ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Tue, 21 Feb 2023 14:33:47 +0100 Subject: [PATCH] Use -Filter instead of Where-Object to improve perf and avoid missed items -Filter is the recommended way to filter objects because it filters them at the source (AAD) instead of fetching everything and filtering on the client. So the perf are better. Moreover, by default the cmdlets returns a limited number of items so it can miss stuff (except if using -All like it was done in some cases)
---
 atomics/T1098/T1098.yaml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index cfcac453..f49c423a 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -172,9 +172,9 @@ atomic_tests:
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
- $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+ $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
- $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+ $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
 Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
 Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
 
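Review bot: The new `-Filter` string on the `$user` line embeds the `#{user_principal_name}` input placeholder directly inside an OData single-quoted literal, so an argument containing an apostrophe (not unusual in display names) yields a malformed filter and the query fails, whereas the old client-side `-eq` accepted any value. OData escapes an apostrophe by doubling it, so the value should be escaped before interpolation, e.g. `$name = "#{user_principal_name}" -replace "'", "''"` followed by `$user = Get-AzureADUser -Filter "DisplayName eq '$name'"`. The same applies to the `$role` line in this hunk and to the corresponding `$user`, `$sp`, `$role` and `$aadApplication` lines in the hunks at 184, 238, 250 and 510. The executor block these lines belong to starts before the hunk.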
@@ -184,9 +184,9 @@ atomic_tests:
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore
- $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+ $user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}'"
 if ($user -eq $null) { Write-Warning "User not found"; exit }
- $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+ $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
 Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
@@ -238,9 +238,9 @@ atomic_tests:
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
- $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+ $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
 if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
- $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+ $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
 Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
 Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
 
@@ -250,9 +250,9 @@ atomic_tests:
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential -ErrorAction Ignore
- $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+ $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
 if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
- $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+ $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
 if ($role -eq $null) { Write-Warning "Role not found"; exit }
 Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
@@ -466,10 +466,10 @@ atomic_tests:
 $aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
 $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
- #$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+ #$aadApplication = Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'"
 #Get Service Principal of Microsoft Graph Resource API
- $graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}
+ $graphSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
 #Initialize RequiredResourceAccess for Microsoft Graph Resource API
 $requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
 
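Review bot: The `$graphSP` line in the hunk at 466 still selects the Microsoft Graph service principal by display name, and a display name is not guaranteed to be unique in a tenant; the well-known application id is a more stable selector: `$graphSP = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"`. If the display-name filter were to match more than one principal, `$graphSP` would presumably become an array and the later `-ResourceId $graphSP.ObjectId` (in the hunk at 500) would receive a list rather than a single id, so a null/single-result check like the `if ($sp -eq $null)` guards in the earlier hunks would also be worth adding here. The script block continues past both ends of this hunk.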
@@ -500,7 +500,7 @@ atomic_tests:
 #Set permissions in existing Azure AD App
 Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
- $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}
+ $servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$aadApplication.AppId'"
 New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id
@@ -510,7 +510,7 @@ atomic_tests:
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
 Connect-AzureAD -Credential $Credential
- $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+ $aadApplication = Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'"
 Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
 name: powershell
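Review bot: The new `$servicePrincipal` line in the hunk at 500 interpolates `$aadApplication.AppId` inside a double-quoted string, but PowerShell expands only the variable `$aadApplication` there and leaves `.AppId` as literal text, so the filter becomes `AppId eq '<object-as-string>.AppId'`, matches nothing, and `$servicePrincipal.ObjectId` on the following `New-AzureADServiceAppRoleAssignment` line is null; the removed `Where-Object` form did evaluate the property. Use the subexpression operator: `$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($aadApplication.AppId)'"`. The executor block continues outside the hunk.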