From d3548bd62ea99d9f0855d36ab4c17fafc58a3609 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 30 Jan 2022 23:13:58 +0100 Subject: [PATCH 1/5] T1098 - adding some Azure atomics --- atomics/T1098/T1098.md | 299 +++++++++++++++++++++++++++++++++++++++ atomics/T1098/T1098.yaml | 286 +++++++++++++++++++++++++++++++++++++ 2 files changed, 585 insertions(+) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index d6643fc3..8bd36022 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -196,4 +196,303 @@ echo Please run atomic test T1136.003, before running this atomic test +
+ +## Atomic Test #4 - Azure - adding user to Azure AD role +The adversarie want to add user to some Azure AD role. Threat actor +may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, +Privileged authentication administrator (this role can reset Global Administrator password!). +By default, the role Global Reader is assigned to service principal in this test. + +The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + +Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. + +**Supported Platforms:** Azure-ad + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| +| role_name | Name of the targeted role | String | Global Reader| + + + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId + Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId + Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + +
+
+ +## Atomic Test #5 - Azure - adding service principal to Azure AD role +The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!). +By default, the role Global Reader is assigned to service principal in this test. + +The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + +Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. +**Supported Platforms:** Azure-ad + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| service_principal_name | Name of the targeted service principal | String | SuperSP| +| role_name | Name of the targeted role | String | Global Reader| + + + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + +
+
+ +## Atomic Test #6 - Azure - adding user to Azure role in subscription +The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be +interested primarily in highly privileged roles, e.g. Owner, Contributor. +By default, the role Reader is assigned to user in this test. + +New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + +The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write +(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All +and Microsoft Graph Directory.Read.All permissions. + +Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + +**Supported Platforms:** iaas:azure + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| +| role_name | Name of the targeted role | String | Reader| +| subscription | Name of the targed subscription | String | Azure subscription 1| + + + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +Import-Module -Name Az.Resources + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential -ErrorAction Ignore + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)" 
+``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Az.Resources module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name Az.Resources -Force +``` + +
+
+ +## Atomic Test #7 - Azure - adding service principal to Azure role in subscription +The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be +interested primarily in highly privileged roles, e.g. Owner, Contributor. +By default, the role Reader is assigned to service principal in this test. + +New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + +The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write +(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All +and Microsoft Graph Directory.Read.All permissions. + +Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + +**Supported Platforms:** iaas:azure + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| service_principal_name | Name of the targeted service principal | String | SuperSP| +| role_name | Name of the targeted role | String | Reader| +| subscription | Name of the targed subscription | String | Azure subscription 1| + + + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +Import-Module -Name Az.Resources + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential + + $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential -ErrorAction Ignore + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in 
subscriptions $($subscriptionsName)" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Az.Resources module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name Az.Resources -Force +``` + +

diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 8d72ceb3..474cef51 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml 
@@ -128,4 +128,290 @@ atomic_tests: aws iam delete-group --group-name #{username} name: sh +- name: Azure - adding user to Azure AD role + auto_generated_guid: + description: | + The adversarie want to add user to some Azure AD role. Threat actor + may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, + Privileged authentication administrator (this role can reset Global Administrator password!). + By default, the role Global Reader is assigned to service principal in this test. + + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + user_principal_name: + description: Name of the targeted user (user principal) + type: String + default: SuperUser + role_name: + description: Name of the targed Azure AD role + type: String + default: Global Reader + dependencies: + - description: | + AzureAD module must be installed. 
+ prereq_command: | + try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId + Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId + Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" + name: powershell + elevation_required: false + +- name: Azure - adding service principal to Azure AD role + auto_generated_guid: + description: | + The adversarie want to add service principal to some Azure AD role. 
Threat actor + may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, + Privileged authentication administrator (this role can reset Global Administrator password!). + By default, the role Global Reader is assigned to service principal in this test. + + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + + Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the service principal + type: String + default: SuperSP + role_name: + description: Name of the targed Azure AD role + type: String + default: Global Reader + dependencies: + - description: | + AzureAD module must be installed. 
+ prereq_command: | + try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" + name: powershell + elevation_required: false + +- name: Azure - adding user to Azure role in subscription + auto_generated_guid: + description: | + The adversarie want to add user to 
some Azure role, also called Azure resource role. Threat actor + may be interested primarily in highly privileged roles, e.g. Owner, Contributor. + By default, the role Reader is assigned to user in this test. + + New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write + (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All + and Microsoft Graph Directory.Read.All permissions. + + Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + user_principal_name: + description: Name of the targeted user (user principal) + type: String + default: SuperUser + role_name: + description: Name of the targed Azure role + type: String + default: Reader + subscription: + description: Name of the targed subscription + type: String + default: Azure subscription 1 + dependencies: + - description: | + Az.Resources module must be installed. 
+ prereq_command: | + try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name Az.Resources -Force + executor: + command: | + Import-Module -Name Az.Resources + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential -ErrorAction Ignore + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzRoleAssignment -ObjectId 
$user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" + name: powershell + elevation_required: false + +- name: Azure - adding service principal to Azure role in subscription + auto_generated_guid: + description: | + The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor + may be interested primarily in highly privileged roles, e.g. Owner, Contributor. + By default, the role Reader is assigned to service principal in this test. + + New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write + (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All + and Microsoft Graph Directory.Read.All permissions. + + Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the service principal + type: String + default: SuperSP + role_name: + description: Name of the targed Azure role + type: String + default: Reader + subscription: + description: Name of the targed subscription + type: String + default: Azure subscription 1 + dependencies: + - description: | + Az.Resources module must be installed. 
+ prereq_command: | + try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name Az.Resources -Force + executor: + command: | + Import-Module -Name Az.Resources + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential + + $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential -ErrorAction Ignore + + $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not 
found"; exit } + + Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" + name: powershell + elevation_required: false From 45a06e42db98d312930aa148b1bd9b5627b409ad Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 30 Jan 2022 23:17:00 +0100 Subject: [PATCH 2/5] Adding new atomics to the list --- atomics/T1098/T1098.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 8bd36022..c3038855 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -10,6 +10,14 @@ - [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group) +- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role) + +- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role) + +- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role) + +- [Atomic Test #7 - AWS - Create a group and add a user to that group](#atomic-test-7---azure---adding-service-principal-to-azure-role) +
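Review bot: The two subscription tests in this hunk reference variables that are never assigned: both success messages read `$($subscriptions.Name)` while the variable is `$subscription`, and the cleanup of "Azure - adding user to Azure role in subscription" prints `$($sp.DisplayName)` although that test only defines `$user`, so the messages show empty names (or fail under Set-StrictMode). In the same tests `-Scope /subscriptions/$subscription` interpolates the whole Get-AzSubscription object rather than its id — `/subscriptions/$($subscription.Id)` is unambiguous — and both cleanup blocks import `AzureAD` instead of the `Az.Resources` module the attack command loads. In the Azure AD tests, `Get-AzureADUser | where-object {...}` (and the service-principal equivalent) filters only the first page the cmdlet returns unless `-All $true` or a server-side `-Filter` is passed, `Get-AzureADDirectoryRole` lists only roles already activated in the tenant so a default "Global Reader" may legitimately report "Role not found", and `if ($user -eq $null)` does not catch several principals sharing a DisplayName (an array result compares element-wise), so `if ($null -eq $user -or @($user).Count -gt 1) { Write-Warning "User not found or ambiguous"; exit 1 }` is more robust and the non-zero exit lets the runner distinguish a skipped test from a successful one. The committed T1098.md does not match this yaml (its Test #7 cleanup looks up `$user` via `#{user_principal_name}`, an input that test does not declare, and its Test #6 message reads `$($subscriptionsName)`), which suggests it was hand-edited rather than regenerated from the yaml; the descriptions also carry "adversarie"/"targer"/"targed" typos and the first test says the role is assigned to a service principal where it is a user.
```yaml
- name: Azure - adding user to Azure role in subscription
  # … unchanged: description, supported_platforms, input_arguments, dependencies …
  executor:
    command: |
      # … unchanged: Import-Module Az.Resources, Connect-AzAccount, $user/$subscription/$role lookups …
      New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionId $role.Id -Scope /subscriptions/$($subscription.Id)
      Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscription $($subscription.Name)"
    cleanup_command: |
      Import-Module -Name Az.Resources -ErrorAction Ignore
      # … unchanged: Connect-AzAccount, $user/$subscription/$role lookups …
      Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionId $role.Id -Scope /subscriptions/$($subscription.Id)
      Write-Host "User $($user.DisplayName) was removed from $($role.Name) role in subscription $($subscription.Name)"
```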
From 65560d25729ef0608fd679af80bd7eb714bd2754 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 30 Jan 2022 23:18:31 +0100 Subject: [PATCH 3/5] correcting the name of the test #7 --- atomics/T1098/T1098.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index c3038855..8828f46a 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -16,7 +16,7 @@ - [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role) -- [Atomic Test #7 - AWS - Create a group and add a user to that group](#atomic-test-7---azure---adding-service-principal-to-azure-role) +- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role)
From bb9e9f37964e821b050993fc4e76e741de8dc9c2 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 30 Jan 2022 23:21:19 +0100 Subject: [PATCH 4/5] again...correcting list --- atomics/T1098/T1098.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 8828f46a..08ccbe36 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -14,9 +14,9 @@ - [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role) -- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role) +- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription) -- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role) +- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription)
From 901633f87361fdd7cefa437fe531e3a4d04bf7a3 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Mon, 31 Jan 2022 00:54:57 +0100 Subject: [PATCH 5/5] Removing auto_generated_guid --- atomics/T1098/T1098.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 474cef51..b615e766 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -129,7 +129,6 @@ atomic_tests: name: sh - name: Azure - adding user to Azure AD role - auto_generated_guid: description: | The adversarie want to add user to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, @@ -195,7 +194,6 @@ atomic_tests: elevation_required: false - name: Azure - adding service principal to Azure AD role - auto_generated_guid: description: | The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, @@ -261,7 +259,6 @@ atomic_tests: elevation_required: false - name: Azure - adding user to Azure role in subscription - auto_generated_guid: description: | The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be interested primarily in highly privileged roles, e.g. Owner, Contributor. @@ -339,7 +336,6 @@ atomic_tests: elevation_required: false - name: Azure - adding service principal to Azure role in subscription - auto_generated_guid: description: | The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be interested primarily in highly privileged roles, e.g. Owner, Contributor.