diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 4931adaa..1a6d47fd 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -484,3 +484,45 @@ atomic_tests:
 Remove-MpPreference -ExclusionProcess $excludedProcess
 name: powershell
 elevation_required: true
+- name: office-365-Disable-AntiPhishRule
+ description: |
+ Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
+ supported_platforms:
+ - office-365
+ input_arguments:
+ username:
+ description: office-365 username
+ type: String
+ default:
+ password:
+ description: office-365 password
+ type: String
+ default:
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ ExchangeOnlineManagement PowerShell module must be installed
+ prereq_command: |
+ $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name ExchangeOnlineManagement
+ Import-Module ExchangeOnlineManagement
+ executor:
+ command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ $test = Get-AntiPhishRule
+ Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+ Get-AntiPhishRule
+ cleanup_command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ $test = Get-AntiPhishRule
+ Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+ Get-AntiPhishRule
+ name: powershell
+ elevation_required: false
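Review bot: The executor and cleanup_command both take their target from `$test = Get-AntiPhishRule` and pass `$test.Name` to `-Identity`, so the test acts on whatever rules the tenant happens to hold rather than on a rule the operator chose. With more than one rule `$test.Name` is a list and the call will likely fail to bind, with none it is empty, and the cleanup enables the rule regardless of its state before the test, so a rule that was already disabled is not restored to what it was. I would add a `rule_name` input argument and use `Disable-AntiPhishRule -Identity "#{rule_name}" -Confirm:$false`, with the matching `Enable-AntiPhishRule -Identity "#{rule_name}" -Confirm:$false` in cleanup. Both blocks also leave the Exchange Online session open; ending each with `Disconnect-ExchangeOnline -Confirm:$false` would keep the credentialed session from outliving the test.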