Update T1078.004.yaml
updated "Azure Persistence Automation Runbook Created or Modified" scenario
@@ -1,4 +1,3 @@
|
||||
---
|
||||
attack_technique: T1078.004
|
||||
display_name: 'Valid Accounts: Cloud Accounts'
|
||||
|
||||
@@ -7,36 +6,33 @@ atomic_tests:
|
||||
auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
|
||||
description: |
|
||||
GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
|
||||
|
||||
supported_platforms:
|
||||
- google-workspace
|
||||
- windows
|
||||
- linux
|
||||
- macos
|
||||
- google-workspace
|
||||
- iaas:gcp
|
||||
|
||||
input_arguments:
|
||||
project-id:
|
||||
description: ID of the project, you want to create service account as well as service account key for
|
||||
type: String
|
||||
type: string
|
||||
default: art-project-1
|
||||
|
||||
service-account-name:
|
||||
description: Name of the service account
|
||||
type: String
|
||||
type: string
|
||||
default: gcp-art-service-account-1
|
||||
|
||||
service-account-email:
|
||||
description: Email of the service account
|
||||
type: String
|
||||
type: string
|
||||
default: gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com
|
||||
|
||||
output-key-file:
|
||||
description: Email of the service account
|
||||
type: String
|
||||
type: string
|
||||
default: gcp-art-service-account-1.json
|
||||
|
||||
executor:
|
||||
name: gcloud
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
gcloud auth login --no-launch-browser
|
||||
@@ -45,17 +41,16 @@ atomic_tests:
|
||||
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
|
||||
cleanup_command: |
|
||||
gcloud iam service-accounts delete #{service-account-email} --quiet
|
||||
|
||||
dependency_executor_name: gcloud
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: |
|
||||
Requires gcloud
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
|
||||
- description: |
|
||||
Requires gcloud
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
|
||||
- name: Azure Persistence Automation Runbook Created or Modified
|
||||
auto_generated_guid: e4c7f493-ac28-40c4-9ef8-bfbc31f35850
|
||||
auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
|
||||
description: |
|
||||
Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
|
||||
Automation runbook to execute malicious code and maintain persistence in their target's environment.
|
||||
|
||||
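Review bot: The `cleanup_command` in the last hunk only deletes the service account, so the key JSON written by `gcloud iam service-accounts keys create #{output-key-file}` is left on the test host. Deleting the account should invalidate that key, but if the delete fails or cleanup is skipped the file remains a usable long-lived credential, so I would add `rm -f #{output-key-file}` as a second cleanup line. The `command` block starts above this hunk, so this is based only on the visible lines. Separately, in the input_arguments hunk `output-key-file` still carries the description `Email of the service account`, copied from the previous argument; something like `description: Path of the service account key file to write` would match how the argument is used.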