AAD report error due to invalid JSON result

[Strawberryww]

🐛 Summary

When using ScubaGear 1.5.0 to scan AAD, it reports the following error:

unable to parse input: yaml: line 12: found unknown escape character
Fatal Error involving the Report Creation.                                                                                           Ending ScubaGear execution. Error: Invalid JSON primitive: .

at New-Report, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1: line 66
at Invoke-ReportCreation<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 1277
at Invoke-SCuBA<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 440
at <ScriptBlock>, <No file>: line 1
At C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1:1371 char:13
+             throw $InvokeReportErrorMessage
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Fatal Error inv...o file>: line 1:String) [], RuntimeException
    + FullyQualifiedErrorId : Fatal Error involving the Report Creation.
            Ending ScubaGear execution. Error: Invalid JSON primitive: .

at New-Report, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1: line 66
at Invoke-ReportCreation<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 1277
at Invoke-SCuBA<Process>, C:\ScubaGear-1.5.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 440
at <ScriptBlock>, <No file>: line 1

To reproduce

My Azure tenant can always reproduces the error, but another tenant is OK.

The invoke command is as below:

Invoke-SCuBA -ProductNames aad -CertificateThumbprint "<Thumbprint>" -AppID "<AppId>" -Organization <Org> -Outpath <outputPath>

Env:
ScubaGear: 1.5.0
Powershell: 5.1.19041.5369
Windows 10 Pro: 10.0.19045 N/A Build 19045

Expected behavior

There should be no such error.

Any helpful log output or screenshots

The generated JSON result is as below:

    ...
    "risky_third_party_service_principals": ,
    "aad_successful_commands": [
    "Get-MgBetaIdentityConditionalAccessPolicy",
    "Get-MgBetaSubscribedSku",
    "Get-PrivilegedUser",
    "Get-PrivilegedRole",
    "Get-MgBetaUserCount",
    ...

The risky_third_party_service_principals field is missing its value.

Possibly the error is related to the following code in PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1:

Error in PowerShell:

[mitchelbaker-cisa]

Hey @Strawberryww, thanks for reporting this issue. We have replicated the bug and are looking into a fix. Are you seeing any results for the risky_applications object above risky_third_party_service_principals?

[Strawberryww]

@mitchelbaker-cisa Thanks. Yes, there is result for the risky_applications object above risky_third_party_service_principals:

[mitchelbaker-cisa]

I created a new branch that adds additional error handling to the Format-RiskyThirdPartyServicePrincipals function. The issue seems to stem from the function returning @($null), which PowerShell internally converts to $null. The null value is handled as an invalid JSON primitive when we generate the ScubaResults.json file, resulting in the error message you have attached above.

Do you mind downloading a zip of the new branch to test out the fix? It can be found here:
https://github.com/cisagov/ScubaGear/archive/refs/heads/1607-risky-sps-invalid-json.zip

After importing it in a new PowerShell terminal, run Import-Module .\PowerShell\ScubaGear, then run ScubaGear in either interactive/noninteractive mode, the Entra ID report should generate correctly.

[Strawberryww]

@mitchelbaker-cisa Thanks for your analysis. I've tried the fix with https://github.com/cisagov/ScubaGear/archive/refs/heads/1607-risky-sps-invalid-json.zip, but still get the invalid JSON error:

unable to parse input: yaml: line 12: found unknown escape character
Fatal Error involving the Report Creation.
            Ending ScubaGear execution. Error: Invalid JSON primitive: .

at New-Report, C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1:
line 66
at Invoke-ReportCreation<Process>,
C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line 1277
at Invoke-SCuBA<Process>, C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\Orchestrator.psm1: line
440
at <ScriptBlock>, <No file>: line 1
At C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\Orchestrator.psm1:1371 char:13
+             throw $InvokeReportErrorMessage
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Fatal Error inv...o file>: line 1:String) [], RuntimeException
    + FullyQualifiedErrorId : Fatal Error involving the Report Creation.
            Ending ScubaGear execution. Error: Invalid JSON primitive: .

    at New-Report, C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\CreateReport\CreateReport.psm1
   : line 66
    at Invoke-ReportCreation<Process>, C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\Orchestrat
   or.psm1: line 1277
    at Invoke-SCuBA<Process>, C:\ScubaGear-1607-risky-sps-invalid-json\PowerShell\ScubaGear\Modules\Orchestrator.psm1:
   line 440
at <ScriptBlock>, <No file>: line 1

There is value for risky_applications object, but not for risky_third_party_service_principals:

I've double checked that the code PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 is new:

Is there any way to save the output to a file before converting to JSON? Then, it's better for analysis. That is:

...
### save the output before the following converting
$RiskyThirdPartySPs = ConvertTo-Json -Depth 3 $Tracker.TryCommand("Format-RiskyThirdPartyServicePrincipals", @{"RiskySPs"=$RiskySPs})
...

Thanks.