Generated docs from job=generate-docs branch=master [ci skip]

README.md

@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1696-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1698-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}

atomics/Indexes/Indexes-CSV/iaas-index.csv

@@ -21,6 +21,8 @@ discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumer
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
+discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
+discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh

atomics/Indexes/Indexes-CSV/index.csv

@@ -1960,6 +1960,8 @@ discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security S
 discovery,T1518.001,Software Discovery: Security Software Discovery,10,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
 discovery,T1518.001,Software Discovery: Security Software Discovery,11,Get Windows Defender exclusion settings using WMIC,e31564c8-4c60-40cd-a8f4-9261307e8336,command_prompt
 discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
+discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
+discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
 discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -2660,6 +2660,8 @@
   - Atomic Test #11: Get Windows Defender exclusion settings using WMIC [windows]
 - [T1526 Cloud Service Discovery](../../T1526/T1526.md)
   - Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
+  - Atomic Test #2: AWS - Enumerate common cloud services [iaas:aws]
+  - Atomic Test #3: Azure - Enumerate common cloud services [iaas:azure]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
   - Atomic Test #1: Remote System Discovery - net [windows]
   - Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]

atomics/Indexes/iaas_aws-index.yaml

@@ -52318,7 +52318,64 @@ discovery:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       identifier: T1526
-    atomic_tests: []
+    atomic_tests:
+    - name: AWS - Enumerate common cloud services
+      auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
+      description: 'Upon successful execution, this test will enumerate common resources
+        that are contained within a valid AWS account.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        access_key:
+          description: AWS Access Key
+          type: string
+          default: ''
+        secret_key:
+          description: AWS Secret Key
+          type: string
+          default: ''
+        session_token:
+          description: AWS Session Token
+          type: string
+          default: ''
+        profile:
+          description: AWS profile
+          type: string
+          default: ''
+        regions:
+          description: AWS regions
+          type: string
+          default: us-east-1,us-east-2,us-west-1,us-west-2
+        output_directory:
+          description: Directory to output results to
+          type: string
+          default: "$env:TMPDIR/aws_discovery"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The AWS PowerShell module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
+          $access_key = "#{access_key}"
+          $secret_key = "#{secret_key}"
+          $session_token = "#{session_token}"
+          $aws_profile = "#{profile}"
+          $regions = "#{regions}"
+          Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
+          Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
+          Remove-BlankFiles -OutputDirectory "#{output_directory}"
+        name: powershell
   T1018:
     technique:
       modified: '2023-08-14T19:08:59.741Z'

atomics/Indexes/iaas_azure-index.yaml

@@ -52383,6 +52383,58 @@ discovery:
 
           '
         name: powershell
+    - name: Azure - Enumerate common cloud services
+      auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
+      description: 'Upon successful execution, this test will enumerate common resources
+        that are contained within a valid Azure subscription.
+
+        '
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        client_id:
+          description: Azure AD client ID
+          type: string
+          default: 
+        client_secret:
+          description: Azure AD client secret
+          type: string
+          default: 
+        tenant_id:
+          description: Azure AD tenant ID
+          type: string
+          default: 
+        cloud:
+          description: Azure cloud environment
+          type: string
+          default: AzureCloud
+        output_directory:
+          description: Directory to output results to
+          type: string
+          default: "$env:TMPDIR/azure_discovery"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Az module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Force
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
+          $client_id = "#{client_id}"
+          $client_secret = "#{client_secret}"
+          $tenant_id = "#{tenant_id}"
+          $environment = "#{cloud}"
+          Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
+          Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
+          Remove-BlankFiles -OutputDirectory "#{output_directory}"
+        name: powershell
   T1018:
     technique:
       modified: '2023-08-14T19:08:59.741Z'

atomics/Indexes/index.yaml

@@ -107918,6 +107918,115 @@ discovery:
 
           '
         name: powershell
+    - name: AWS - Enumerate common cloud services
+      auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
+      description: 'Upon successful execution, this test will enumerate common resources
+        that are contained within a valid AWS account.
+
+        '
+      supported_platforms:
+      - iaas:aws
+      input_arguments:
+        access_key:
+          description: AWS Access Key
+          type: string
+          default: ''
+        secret_key:
+          description: AWS Secret Key
+          type: string
+          default: ''
+        session_token:
+          description: AWS Session Token
+          type: string
+          default: ''
+        profile:
+          description: AWS profile
+          type: string
+          default: ''
+        regions:
+          description: AWS regions
+          type: string
+          default: us-east-1,us-east-2,us-west-1,us-west-2
+        output_directory:
+          description: Directory to output results to
+          type: string
+          default: "$env:TMPDIR/aws_discovery"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The AWS PowerShell module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction
+          SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AWSPowerShell -Force
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
+          $access_key = "#{access_key}"
+          $secret_key = "#{secret_key}"
+          $session_token = "#{session_token}"
+          $aws_profile = "#{profile}"
+          $regions = "#{regions}"
+          Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
+          Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
+          Remove-BlankFiles -OutputDirectory "#{output_directory}"
+        name: powershell
+    - name: Azure - Enumerate common cloud services
+      auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
+      description: 'Upon successful execution, this test will enumerate common resources
+        that are contained within a valid Azure subscription.
+
+        '
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        client_id:
+          description: Azure AD client ID
+          type: string
+          default: 
+        client_secret:
+          description: Azure AD client secret
+          type: string
+          default: 
+        tenant_id:
+          description: Azure AD tenant ID
+          type: string
+          default: 
+        cloud:
+          description: Azure cloud environment
+          type: string
+          default: AzureCloud
+        output_directory:
+          description: Directory to output results to
+          type: string
+          default: "$env:TMPDIR/azure_discovery"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Az module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Force
+
+          '
+      executor:
+        command: |
+          Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
+          $client_id = "#{client_id}"
+          $client_secret = "#{client_secret}"
+          $tenant_id = "#{tenant_id}"
+          $environment = "#{cloud}"
+          Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
+          Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
+          Remove-BlankFiles -OutputDirectory "#{output_directory}"
+        name: powershell
   T1018:
     technique:
       modified: '2023-08-14T19:08:59.741Z'

atomics/T1526/T1526.md

@@ -12,6 +12,10 @@ Adversaries may use the information gained to shape follow-on behaviors, such as
 
 - [Atomic Test #1 - Azure - Dump Subscription Data with MicroBurst](#atomic-test-1---azure---dump-subscription-data-with-microburst)
 
+- [Atomic Test #2 - AWS - Enumerate common cloud services](#atomic-test-2---aws---enumerate-common-cloud-services)
+
+- [Atomic Test #3 - Azure - Enumerate common cloud services](#atomic-test-3---azure---enumerate-common-cloud-services)
+
 
 <br/>
 
@@ -80,4 +84,118 @@ Install-Module -Name Az -Force
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - AWS - Enumerate common cloud services
+Upon successful execution, this test will enumerate common resources that are contained within a valid AWS account.
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** aa8b9bcc-46fa-4a59-9237-73c7b93a980c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| access_key | AWS Access Key | string | |
+| secret_key | AWS Secret Key | string | |
+| session_token | AWS Session Token | string | |
+| profile | AWS profile | string | |
+| regions | AWS regions | string | us-east-1,us-east-2,us-west-1,us-west-2|
+| output_directory | Directory to output results to | string | $env:TMPDIR/aws_discovery|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
+$access_key = "#{access_key}"
+$secret_key = "#{secret_key}"
+$session_token = "#{session_token}"
+$aws_profile = "#{profile}"
+$regions = "#{regions}"
+Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
+Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
+Remove-BlankFiles -OutputDirectory "#{output_directory}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AWS PowerShell module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AWSPowerShell -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Azure - Enumerate common cloud services
+Upon successful execution, this test will enumerate common resources that are contained within a valid Azure subscription.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 58f57c8f-db14-4e62-a4d3-5aaf556755d7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| client_id | Azure AD client ID | string | |
+| client_secret | Azure AD client secret | string | |
+| tenant_id | Azure AD tenant ID | string | |
+| cloud | Azure cloud environment | string | AzureCloud|
+| output_directory | Directory to output results to | string | $env:TMPDIR/azure_discovery|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
+$client_id = "#{client_id}"
+$client_secret = "#{client_secret}"
+$tenant_id = "#{tenant_id}"
+$environment = "#{cloud}"
+Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
+Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
+Remove-BlankFiles -OutputDirectory "#{output_directory}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The Az module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
+```
+
+
+
+
 <br/>

atomics/T1526/T1526.yaml

@@ -52,6 +52,7 @@ atomic_tests:
       remove-item #{output_directory} -recurse -force -erroraction silentlycontinue
     name: powershell
 - name: AWS - Enumerate common cloud services
+  auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
   description: |
     Upon successful execution, this test will enumerate common resources that are contained within a valid AWS account.
   supported_platforms:
@@ -102,6 +103,7 @@ atomic_tests:
       Remove-BlankFiles -OutputDirectory "#{output_directory}"
     name: powershell
 - name: Azure - Enumerate common cloud services
+  auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
   description: |
     Upon successful execution, this test will enumerate common resources that are contained within a valid Azure subscription.
   supported_platforms:

atomics/used_guids.txt

@@ -1720,3 +1720,5 @@ aa12eb29-2dbb-414e-8b20-33d34af93543
 be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
 acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47
+aa8b9bcc-46fa-4a59-9237-73c7b93a980c
+58f57c8f-db14-4e62-a4d3-5aaf556755d7