Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
+{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
+{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -593,6 +593,10 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -202,6 +202,10 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -948,6 +948,10 @@
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
   - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1137.006 Add-ins](../../T1137.006/T1137.006.md)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -458,6 +458,10 @@
 # persistence
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
+  - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
+  - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
+  - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
+  - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)

atomics/Indexes/index.yaml

@@ -40229,6 +40229,300 @@ persistence:
           aws iam remove-user-from-group --user-name #{username} --group-name #{username}
           aws iam delete-group --group-name #{username}
         name: sh
+    - name: Azure - adding user to Azure AD role
+      auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
+      description: "The adversarie want to add user to some Azure AD role. Threat
+        actor \nmay be interested primarily in highly privileged roles, e.g. Global
+        Administrator, Application Administrator, \nPrivileged authentication administrator
+        (this role can reset Global Administrator password!).\nBy default, the role
+        Global Reader is assigned to service principal in this test.\n\nThe account
+        you use to run the PowerShell command should have Privileged Role Administrator
+        or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity
+        \"Add member to role\" in Azure AD Audit Logs. In targer you will also see
+        User as a type.\n"
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        user_principal_name:
+          description: Name of the targeted user (user principal)
+          type: String
+          default: SuperUser
+        role_name:
+          description: Name of the targed Azure AD role
+          type: String
+          default: Global Reader
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+          Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+          Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+          $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+          Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding service principal to Azure AD role
+      auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
+      description: "The adversarie want to add service principal to some Azure AD
+        role. Threat actor \nmay be interested primarily in highly privileged roles,
+        e.g. Global Administrator, Application Administrator, \nPrivileged authentication
+        administrator (this role can reset Global Administrator password!).\nBy default,
+        the role Global Reader is assigned to service principal in this test.\n\nThe
+        account you use to run the PowerShell command should have Privileged Role
+        Administrator or Global Administrator role in your Azure AD.\n\nDetection
+        hint - check Activity \"Add member to role\" in Azure AD Audit Logs. In targer
+        you will also see Service Principal as a type.\n"
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the service principal
+          type: String
+          default: SuperSP
+        role_name:
+          description: Name of the targed Azure AD role
+          type: String
+          default: Global Reader
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+          Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+          Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+          $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+          Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding user to Azure role in subscription
+      auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
+      description: "The adversarie want to add user to some Azure role, also called
+        Azure resource role. Threat actor \nmay be interested primarily in highly
+        privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is
+        assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also
+        use to assign user/service principal to resource, resource group and management
+        group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
+        \n(e.g. such as User Access Administrator or Owner) and the Azure Active Directory
+        Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection
+        hint - check Operation Name \"Create role assignment\" in subscriptions Activity
+        Logs.\n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        user_principal_name:
+          description: Name of the targeted user (user principal)
+          type: String
+          default: SuperUser
+        role_name:
+          description: Name of the targed Azure role
+          type: String
+          default: Reader
+        subscription:
+          description: Name of the targed subscription
+          type: String
+          default: Azure subscription 1
+      dependencies:
+      - description: 'Az.Resources module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name Az.Resources -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name Az.Resources
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzAccount -Credential $Credential
+
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+          $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+          Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+        cleanup_command: |
+          Import-Module -Name AzureAD -ErrorAction Ignore
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+          $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+          if ($user -eq $null) { Write-Warning "User not found"; exit }
+          $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+          if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+          $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+          if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+          Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+          Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
+        name: powershell
+        elevation_required: false
+    - name: Azure - adding service principal to Azure role in subscription
+      auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
+      description: "The adversarie want to add service principal to some Azure role,
+        also called Azure resource role. Threat actor \nmay be interested primarily
+        in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role
+        Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment
+        cmdlet could be also use to assign user/service principal to resource, resource
+        group and management group.\n\nThe account you use to run the PowerShell command
+        must have Microsoft.Authorization/roleAssignments/write \n(e.g. such as User
+        Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
+        \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint -
+        check Operation Name \"Create role assignment\" in subscriptions Activity
+        Logs.\n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the service principal
+          type: String
+          default: SuperSP
+        role_name:
+          description: Name of the targed Azure role
+          type: String
+          default: Reader
+        subscription:
+          description: Name of the targed subscription
+          type: String
+          default: Azure subscription 1
+      dependencies:
+      - description: 'Az.Resources module must be installed.
+
+'
+        prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name Az.Resources -Force
+
+'
+      executor:
+        command: "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal
+          | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp
+          -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription
+          = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif
+          ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit
+          }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif
+          ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment
+          -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host
+          \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in
+          subscriptions $($subscriptions.Name)\"\n"
+        cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
+          = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential
+          = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
+          \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction
+          Ignore\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName
+          -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service
+          Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object
+          {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning
+          \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object
+          {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role
+          not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId
+          $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal
+          $($sp.DisplayName) was removed from $($role.Name) role in subscriptions
+          $($subscriptions.Name)\"\n"
+        name: powershell
+        elevation_required: false
   T1547.014:
     technique:
       external_references:

atomics/T1098/T1098.md

@@ -204,6 +204,7 @@ echo Please run atomic test T1136.003, before running this atomic test
 
 
 
+<br/>
 <br/>
 
 ## Atomic Test #4 - Azure - adding user to Azure AD role
@@ -211,7 +212,7 @@ The adversarie want to add user to some Azure AD role. Threat actor
 may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
 Privileged authentication administrator (this role can reset Global Administrator password!).
 By default, the role Global Reader is assigned to service principal in this test.
-  
+
 The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
 
 Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
@@ -219,46 +220,52 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In
 **Supported Platforms:** Azure-ad
 
 
+**auto_generated_guid:** 0e65ae27-5385-46b4-98ac-607a8ee82261
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
 | user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
-| role_name | Name of the targeted role | String | Global Reader|
-
+| role_name | Name of the targed Azure AD role | String | Global Reader|
 
 
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name AzureAD
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
 
-      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
-      Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      
-      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
-      Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
 ```
 
 
@@ -274,59 +281,71 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit
 Install-Module -Name AzureAD -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #5 - Azure - adding service principal to Azure AD role
-The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!).
+The adversarie want to add service principal to some Azure AD role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
+Privileged authentication administrator (this role can reset Global Administrator password!).
 By default, the role Global Reader is assigned to service principal in this test.
-  
+
 The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
 
 Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
+
 **Supported Platforms:** Azure-ad
 
 
+**auto_generated_guid:** 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
+
+
+
+
+
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
-| service_principal_name | Name of the targeted service principal | String | SuperSP|
-| role_name | Name of the targeted role | String | Global Reader|
-
+| service_principal_name | Name of the service principal | String | SuperSP|
+| role_name | Name of the targed Azure AD role | String | Global Reader|
 
 
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name AzureAD
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
 
-      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
-      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
-      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential -ErrorAction Ignore
 
-      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
 ```
 
 
@@ -342,23 +361,32 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit
 Install-Module -Name AzureAD -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #6 - Azure - adding user to Azure role in subscription
-The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be 
-interested primarily in highly privileged roles, e.g. Owner, Contributor.
+The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
 By default, the role Reader is assigned to user in this test.
 
 New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
-  
+
 The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
 (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
 and Microsoft Graph Directory.Read.All permissions.
 
 Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
 
-**Supported Platforms:** iaas:azure
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
+
+
+
 
 
 #### Inputs:
@@ -367,46 +395,46 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
 | user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
-| role_name | Name of the targeted role | String | Reader|
+| role_name | Name of the targed Azure role | String | Reader|
 | subscription | Name of the targed subscription | String | Azure subscription 1|
 
 
-
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name Az.Resources
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+if ($user -eq $null) { Write-Warning "User not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 
@@ -422,23 +450,32 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {
 Install-Module -Name Az.Resources -Force
 ```
 
+
+
+
 <br/>
 <br/>
 
 ## Atomic Test #7 - Azure - adding service principal to Azure role in subscription
-The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be 
-interested primarily in highly privileged roles, e.g. Owner, Contributor.
+The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
 By default, the role Reader is assigned to service principal in this test.
 
 New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
-  
+
 The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
 (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
 and Microsoft Graph Directory.Read.All permissions.
 
 Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
 
-**Supported Platforms:** iaas:azure
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** c8f4bc29-a151-48da-b3be-4680af56f404
+
+
+
 
 
 #### Inputs:
@@ -446,47 +483,47 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions
 |------|-------------|------|---------------|
 | username | Azure AD username | String | jonh@contoso.com|
 | password | Azure AD password | String | p4sswd|
-| service_principal_name | Name of the targeted service principal | String | SuperSP|
-| role_name | Name of the targeted role | String | Reader|
+| service_principal_name | Name of the service principal | String | SuperSP|
+| role_name | Name of the targed Azure role | String | Reader|
 | subscription | Name of the targed subscription | String | Azure subscription 1|
 
 
-
 #### Attack Commands: Run with `powershell`! 
 
+
 ```powershell
 Import-Module -Name Az.Resources
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential
 
-      $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
-      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 #### Cleanup Commands:
 ```powershell
 Import-Module -Name AzureAD -ErrorAction Ignore
-      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
-      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzAccount -Credential $Credential -ErrorAction Ignore
 
-      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
-      if ($user -eq $null) { Write-Warning "User not found"; exit }
-      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
-      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
-      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
-      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+if ($role -eq $null) { Write-Warning "Role not found"; exit }
 
-      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
-      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
 ```
 
 
@@ -502,5 +539,7 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {
 Install-Module -Name Az.Resources -Force
 ```
 
-<br/>
+
+
+
 <br/>