Moved 'Azure - Enumerate Azure Blobs with MicroBurst' from T1530 to T1619 (#3120)
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
This commit is contained in:
Manuel Kuß
@@ -1,48 +1,6 @@
|
||||
attack_technique: T1530
|
||||
display_name: Data from Cloud Storage Object
|
||||
atomic_tests:
|
||||
- name: Azure - Enumerate Azure Blobs with MicroBurst
|
||||
auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
|
||||
description: |
|
||||
Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
|
||||
See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
|
||||
supported_platforms:
|
||||
- iaas:azure
|
||||
input_arguments:
|
||||
base:
|
||||
description: Azure blob keyword to enumerate (Example, storage account name)
|
||||
type: string
|
||||
default: secure
|
||||
output_file:
|
||||
description: File to output results to
|
||||
type: string
|
||||
default: $env:temp\T1530Test1.txt
|
||||
wordlist:
|
||||
description: File path to keywords for search permutations
|
||||
type: string
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
|
||||
prereq_command: |
|
||||
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
|
||||
- description: |
|
||||
The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
|
||||
prereq_command: |
|
||||
if (test-path "#{wordlist}"){exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
|
||||
executor:
|
||||
command: |
|
||||
import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
|
||||
Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
|
||||
cleanup_command: |
|
||||
remove-item #{output_file} -erroraction silentlycontinue
|
||||
name: powershell
|
||||
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
|
||||
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
|
||||
description: |
|
||||
|
||||
@@ -158,3 +158,45 @@ atomic_tests:
|
||||
Write-Output "Removed #{output_file}"
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: Azure - Enumerate Azure Blobs with MicroBurst
|
||||
auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
|
||||
description: |
|
||||
Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
|
||||
See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
|
||||
supported_platforms:
|
||||
- iaas:azure
|
||||
input_arguments:
|
||||
base:
|
||||
description: Azure blob keyword to enumerate (Example, storage account name)
|
||||
type: string
|
||||
default: secure
|
||||
output_file:
|
||||
description: File to output results to
|
||||
type: string
|
||||
default: $env:temp\T1530Test1.txt
|
||||
wordlist:
|
||||
description: File path to keywords for search permutations
|
||||
type: string
|
||||
default: PathToAtomicsFolder\..\ExternalPayloads\permutations.txt
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\..\ExternalPayloads.
|
||||
prereq_command: |
|
||||
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"){exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||||
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
|
||||
- description: |
|
||||
The wordlist file for search permutations must exist in PathToAtomicsFolder\..\ExternalPayloads.
|
||||
prereq_command: |
|
||||
if (test-path "#{wordlist}"){exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
|
||||
executor:
|
||||
command: |
|
||||
import-module "PathToAtomicsFolder\..\ExternalPayloads\Invoke-EnumerateAzureBlobs.ps1"
|
||||
Invoke-EnumerateAzureBlobs -base #{base} -permutations "#{wordlist}" -outputfile "#{output_file}"
|
||||
cleanup_command: |
|
||||
remove-item #{output_file} -erroraction silentlycontinue
|
||||
name: powershell
|
||||
Reference in New Issue
Block a user