Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2025-06-26 18:40:27 +00:00
parent 8bf3f4d377
commit 70921eb1bb
10 changed files with 160 additions and 160 deletions
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - 
Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- 
Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+4 -4
@@ -25,7 +25,8 @@ discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Clou
discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
@@ -47,9 +48,8 @@ privilege-escalation,T1098,Account Manipulation,17,GCP - Delete Service Account
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
collection,T1530,Data from Cloud Storage Object,1,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,2,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,3,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
25 discovery T1580 Cloud Infrastructure Discovery 2 AWS - EC2 Security Group Enumeration 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac command_prompt
26 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
27 discovery T1619 Cloud Storage Object Discovery 2 Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI 070322a4-2c60-4c50-8ffb-c450a34fe7bf powershell
28 discovery T1619 Cloud Storage Object Discovery 3 Azure - Enumerate Azure Blobs with MicroBurst Azure - Scan for Anonymous Access to Azure Storage (Powershell) 3dab4bcc-667f-4459-aea7-4162dd2d6590 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
29 discovery T1619 Cloud Storage Object Discovery 4 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
30 discovery T1201 Password Policy Discovery 12 Examine AWS Password Policy 15330820-d405-450b-bd08-16b5be5be9f4 sh
31 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
32 discovery T1526 Cloud Service Discovery 2 AWS - Enumerate common cloud services aa8b9bcc-46fa-4a59-9237-73c7b93a980c powershell
48 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
49 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
50 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
51 collection T1530 Data from Cloud Storage Object 1 Azure - Scan for Anonymous Access to Azure Storage (Powershell) AWS - Scan for Anonymous Access to S3 146af1f1-b74e-4aa7-9895-505eb559b4b0 979356b9-b588-4e49-bba4-c35517c484f5 powershell sh
52 collection T1530 Data from Cloud Storage Object 2 AWS - Scan for Anonymous Access to S3 Azure - Dump Azure Storage Account Objects via Azure CLI 979356b9-b588-4e49-bba4-c35517c484f5 67374845-b4c8-4204-adcc-9b217b65d4f1 sh powershell
collection T1530 Data from Cloud Storage Object 3 Azure - Dump Azure Storage Account Objects via Azure CLI 67374845-b4c8-4204-adcc-9b217b65d4f1 powershell
53 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
54 initial-access T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
55 initial-access T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
+4 -4
@@ -1568,9 +1568,8 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1530,Data from Cloud Storage Object,1,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,2,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,3,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
@@ -2026,7 +2025,8 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1568 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
1569 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
1570 collection T1115 Clipboard Data 5 Add or copy content to clipboard with xClip ee363e53-b083-4230-aff3-f8d955f2d5bb sh
1571 collection T1530 Data from Cloud Storage Object 1 Azure - Scan for Anonymous Access to Azure Storage (Powershell) AWS - Scan for Anonymous Access to S3 146af1f1-b74e-4aa7-9895-505eb559b4b0 979356b9-b588-4e49-bba4-c35517c484f5 powershell sh
1572 collection T1530 Data from Cloud Storage Object 2 AWS - Scan for Anonymous Access to S3 Azure - Dump Azure Storage Account Objects via Azure CLI 979356b9-b588-4e49-bba4-c35517c484f5 67374845-b4c8-4204-adcc-9b217b65d4f1 sh powershell
collection T1530 Data from Cloud Storage Object 3 Azure - Dump Azure Storage Account Objects via Azure CLI 67374845-b4c8-4204-adcc-9b217b65d4f1 powershell
1573 collection T1005 Data from Local System 1 Search files of interest and save them to a single zip file (Windows) d3d9af44-b8ad-4375-8b0a-4bff4b7e419c powershell
1574 collection T1005 Data from Local System 2 Find and dump sqlite databases (Linux) 00cbb875-7ae4-4cf1-b638-e543fd825300 bash
1575 collection T1005 Data from Local System 3 Copy Apple Notes database files using AppleScript cfb6d400-a269-4c06-a347-6d88d584d5f7 sh
2025 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
2026 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
2027 discovery T1619 Cloud Storage Object Discovery 2 Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI 070322a4-2c60-4c50-8ffb-c450a34fe7bf powershell
2028 discovery T1619 Cloud Storage Object Discovery 3 Azure - Enumerate Azure Blobs with MicroBurst Azure - Scan for Anonymous Access to Azure Storage (Powershell) 3dab4bcc-667f-4459-aea7-4162dd2d6590 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
2029 discovery T1619 Cloud Storage Object Discovery 4 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
2030 discovery T1654 Log Enumeration 1 Get-EventLog To Enumerate Windows Security Log a9030b20-dd4b-4405-875e-3462c6078fdc powershell
2031 discovery T1654 Log Enumeration 2 Enumerate Windows Security Log via WevtUtil fef0ace1-3550-4bf1-a075-9fea55a778dd command_prompt
2032 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
+4 -4
@@ -2126,9 +2126,8 @@
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #2: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- Atomic Test #3: Azure - Dump Azure Storage Account Objects via Azure CLI [iaas:azure]
- Atomic Test #1: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- Atomic Test #2: Azure - Dump Azure Storage Account Objects via Azure CLI [iaas:azure]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1005 Data from Local System](../../T1005/T1005.md)
- Atomic Test #1: Search files of interest and save them to a single zip file (Windows) [windows]
@@ -2735,7 +2734,8 @@
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
- Atomic Test #2: Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI [iaas:azure]
- Atomic Test #3: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- Atomic Test #3: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #4: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- [T1654 Log Enumeration](../../T1654/T1654.md)
- Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
- Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
+43 -43
@@ -41839,48 +41839,6 @@ collection:
- 'Cloud Storage: Cloud Storage Access'
identifier: T1530
atomic_tests:
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
description: "Upon successful execution, this test will test for anonymous access
to Azure storage containers by invoking a web request and outputting the results
to a file. \nThe corresponding response could then be interpreted to determine
whether or not the resource/container exists, as well as other information.
\nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
\ \n"
supported_platforms:
- iaas:azure
input_arguments:
base_name:
description: Azure storage account name to test
type: string
default: T1530Test2
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1530Test2.txt"
container_name:
description: Container name to search for (optional)
type: string
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
'
name: powershell
- name: Azure - Dump Azure Storage Account Objects via Azure CLI
auto_generated_guid: 67374845-b4c8-4204-adcc-9b217b65d4f1
description: |-
@@ -53015,6 +52973,48 @@ discovery:
Write-Output "Removed #{output_file}"
name: powershell
elevation_required: false
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
description: "Upon successful execution, this test will test for anonymous access
to Azure storage containers by invoking a web request and outputting the results
to a file. \nThe corresponding response could then be interpreted to determine
whether or not the resource/container exists, as well as other information.
\nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
\ \n"
supported_platforms:
- iaas:azure
input_arguments:
base_name:
description: Azure storage account name to test
type: string
default: T1619Test2
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1619Test2.txt"
container_name:
description: Container name to search for (optional)
type: string
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
'
name: powershell
- name: Azure - Enumerate Azure Blobs with MicroBurst
auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
description: "Upon successful execution, this test will utilize a wordlist to
@@ -53031,7 +53031,7 @@ discovery:
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1530Test1.txt"
default: "$env:temp\\T1619Test1.txt"
wordlist:
description: File path to keywords for search permutations
type: string
+43 -43
@@ -86674,48 +86674,6 @@ collection:
- 'Cloud Storage: Cloud Storage Access'
identifier: T1530
atomic_tests:
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
description: "Upon successful execution, this test will test for anonymous access
to Azure storage containers by invoking a web request and outputting the results
to a file. \nThe corresponding response could then be interpreted to determine
whether or not the resource/container exists, as well as other information.
\nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
\ \n"
supported_platforms:
- iaas:azure
input_arguments:
base_name:
description: Azure storage account name to test
type: string
default: T1530Test2
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1530Test2.txt"
container_name:
description: Container name to search for (optional)
type: string
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
'
name: powershell
- name: AWS - Scan for Anonymous Access to S3
auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5
description: "Upon successful execution, this test will test for anonymous access
@@ -110061,6 +110019,48 @@ discovery:
Write-Output "Removed #{output_file}"
name: powershell
elevation_required: false
- name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
description: "Upon successful execution, this test will test for anonymous access
to Azure storage containers by invoking a web request and outputting the results
to a file. \nThe corresponding response could then be interpreted to determine
whether or not the resource/container exists, as well as other information.
\nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
\ \n"
supported_platforms:
- iaas:azure
input_arguments:
base_name:
description: Azure storage account name to test
type: string
default: T1619Test2
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1619Test2.txt"
container_name:
description: Container name to search for (optional)
type: string
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
'
name: powershell
- name: Azure - Enumerate Azure Blobs with MicroBurst
auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
description: "Upon successful execution, this test will utilize a wordlist to
@@ -110077,7 +110077,7 @@ discovery:
output_file:
description: File to output results to
type: string
default: "$env:temp\\T1530Test1.txt"
default: "$env:temp\\T1619Test1.txt"
wordlist:
description: File path to keywords for search permutations
type: string
+4 -56
@@ -18,66 +18,14 @@ Adversaries may also obtain then abuse leaked credentials from source repositori
## Atomic Tests
- [Atomic Test #1 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-1---azure---scan-for-anonymous-access-to-azure-storage-powershell)
- [Atomic Test #1 - AWS - Scan for Anonymous Access to S3](#atomic-test-1---aws---scan-for-anonymous-access-to-s3)
- [Atomic Test #2 - AWS - Scan for Anonymous Access to S3](#atomic-test-2---aws---scan-for-anonymous-access-to-s3)
- [Atomic Test #3 - Azure - Dump Azure Storage Account Objects via Azure CLI](#atomic-test-3---azure---dump-azure-storage-account-objects-via-azure-cli)
- [Atomic Test #2 - Azure - Dump Azure Storage Account Objects via Azure CLI](#atomic-test-2---azure---dump-azure-storage-account-objects-via-azure-cli)
<br/>
## Atomic Test #1 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file.
The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information.
See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
**Supported Platforms:** Iaas:azure
**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| base_name | Azure storage account name to test | string | T1530Test2|
| output_file | File to output results to | string | $env:temp&#92;T1530Test2.txt|
| container_name | Container name to search for (optional) | string | |
| blob_name | Blob name to search for (optional) | string | |
#### Attack Commands: Run with `powershell`!
```powershell
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
```
#### Cleanup Commands:
```powershell
remove-item #{output_file} -erroraction silentlycontinue
```
<br/>
<br/>
## Atomic Test #2 - AWS - Scan for Anonymous Access to S3
## Atomic Test #1 - AWS - Scan for Anonymous Access to S3
Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.
**Supported Platforms:** Iaas:aws
@@ -131,7 +79,7 @@ echo Please install the aws-cli and configure your AWS default profile using: aw
<br/>
<br/>
## Atomic Test #3 - Azure - Dump Azure Storage Account Objects via Azure CLI
## Atomic Test #2 - Azure - Dump Azure Storage Account Objects via Azure CLI
This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName".
Requirements:
+55 -3
@@ -14,7 +14,9 @@ Cloud service providers offer APIs allowing users to enumerate objects stored wi
- [Atomic Test #2 - Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI](#atomic-test-2---azure---enumerate-storage-account-objects-via-shared-key-authorization-using-azure-cli)
- [Atomic Test #3 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-3---azure---enumerate-azure-blobs-with-microburst)
- [Atomic Test #3 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-3---azure---scan-for-anonymous-access-to-azure-storage-powershell)
- [Atomic Test #4 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-4---azure---enumerate-azure-blobs-with-microburst)
<br/>
@@ -223,7 +225,57 @@ Install-Module -Name Az -Force
<br/>
<br/>
## Atomic Test #3 - Azure - Enumerate Azure Blobs with MicroBurst
## Atomic Test #3 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file.
The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information.
See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
**Supported Platforms:** Iaas:azure
**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| base_name | Azure storage account name to test | string | T1619Test2|
| output_file | File to output results to | string | $env:temp&#92;T1619Test2.txt|
| container_name | Container name to search for (optional) | string | |
| blob_name | Blob name to search for (optional) | string | |
#### Attack Commands: Run with `powershell`!
```powershell
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
```
#### Cleanup Commands:
```powershell
remove-item #{output_file} -erroraction silentlycontinue
```
<br/>
<br/>
## Atomic Test #4 - Azure - Enumerate Azure Blobs with MicroBurst
Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
@@ -240,7 +292,7 @@ See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| base | Azure blob keyword to enumerate (Example, storage account name) | string | secure|
| output_file | File to output results to | string | $env:temp&#92;T1530Test1.txt|
| output_file | File to output results to | string | $env:temp&#92;T1619Test1.txt|
| wordlist | File path to keywords for search permutations | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;permutations.txt|