Merge branch 'master' into master

Jose Enrique Hernandez
2023-06-08 13:05:21 -04:00
committed by GitHub
16 changed files with 547 additions and 12 deletions
@@ -1 +1 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
+1
@@ -447,6 +447,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
447 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 6 AWS - Remove VPC Flow Logs using Stratus 93c150f5-ad7b-4ee3-8992-df06dec2ac79 sh
448 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
449 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
450 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
451 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
452 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
453 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
@@ -1,3 +1,4 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 collection T1114.003 Email Collection: Email Forwarding Rule 1 Office365 - Email Forwarding 3234117e-151d-4254-9150-3d0bac41e38c powershell
3 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
4 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
@@ -626,6 +626,7 @@
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -51,6 +51,7 @@
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+124 -4
@@ -15363,6 +15363,15 @@ defense-evasion:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -15373,15 +15382,36 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1480.001:
technique:
x_mitre_platforms:
@@ -25867,6 +25897,15 @@ privilege-escalation:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -25877,15 +25916,36 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1053.002:
technique:
x_mitre_platforms:
@@ -42367,6 +42427,15 @@ persistence:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -42377,15 +42446,36 @@ persistence:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1053.002:
technique:
x_mitre_platforms:
@@ -67620,6 +67710,15 @@ initial-access:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -67630,15 +67729,36 @@ initial-access:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1566.003:
technique:
modified: '2023-03-30T21:01:50.401Z'
+169 -4
@@ -24733,6 +24733,51 @@ defense-evasion:
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
description: |
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test
password:
description: office-365 password
type: string
default: o365_password_test
target_email:
description: office-365 target_email
type: string
default: o365_email_test
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \nImport-Module
ExchangeOnlineManagement\n"
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
T1564.003:
technique:
x_mitre_platforms:
@@ -28330,6 +28375,15 @@ defense-evasion:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -28340,15 +28394,36 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1480.001:
technique:
x_mitre_platforms:
@@ -44686,6 +44761,15 @@ privilege-escalation:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -44696,15 +44780,36 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1053.002:
technique:
x_mitre_platforms:
@@ -70740,6 +70845,15 @@ persistence:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -70750,15 +70864,36 @@ persistence:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1053.002:
technique:
x_mitre_platforms:
@@ -111708,6 +111843,15 @@ initial-access:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform.
'
- description: 'Install-Module -Name Az
'
@@ -111718,15 +111862,36 @@ initial-access:
get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
'
- description: 'Check if the user is logged into Azure.
'
prereq_command: 'az account show
'
get_prereq_command: "echo Configure your Azure account using: az login. \n"
- description: 'Create dependency resources using terraform
'
prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate
){ exit 0 } else {exit 1}} catch {exit 1}
'
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
T1566.003:
technique:
modified: '2023-03-30T21:01:50.401Z'
+45
@@ -12775,6 +12775,51 @@ defense-evasion:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
name: powershell
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
description: |
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test
password:
description: office-365 password
type: string
default: o365_password_test
target_email:
description: office-365 target_email
type: string
default: o365_email_test
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
'
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: "Install-Module -Name ExchangeOnlineManagement \nImport-Module
ExchangeOnlineManagement\n"
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
T1564.003:
technique:
x_mitre_platforms:
+35 -1
@@ -101,13 +101,27 @@ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
```
#### Cleanup Commands:
```powershell
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
```
#### Dependencies: Run with `powershell`!
##### Description: Check if terraform is installed.
##### Check Prereq Commands:
```powershell
terraform version
```
##### Get Prereq Commands:
```powershell
echo Please install terraform.
```
##### Description: Install-Module -Name Az
##### Check Prereq Commands:
```powershell
@@ -117,6 +131,26 @@ try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} el
```powershell
Install-Module -Name Az -Scope CurrentUser -Force
```
##### Description: Check if the user is logged into Azure.
##### Check Prereq Commands:
```powershell
az account show
```
##### Get Prereq Commands:
```powershell
echo Configure your Azure account using: az login.
```
##### Description: Create dependency resources using terraform
##### Check Prereq Commands:
```powershell
try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
```
+24 -1
@@ -79,18 +79,41 @@ atomic_tests:
default: null
dependency_executor_name: powershell
dependencies:
- description: |
Check if terraform is installed.
prereq_command: |
terraform version
get_prereq_command: |
echo Please install terraform.
- description: |
Install-Module -Name Az
prereq_command: |
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name Az -Scope CurrentUser -Force
- description: |
Check if the user is logged into Azure.
prereq_command: |
az account show
get_prereq_command: |
echo Configure your Azure account using: az login.
- description: |
Create dependency resources using terraform
prereq_command: |
try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}
get_prereq_command: |
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform init
terraform apply -auto-approve
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-AzAccount -Credential $creds
New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
name: powershell
elevation_required: false
cleanup_command: |
Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/
terraform destroy -auto-approve
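Review bot: The new "Create dependency resources using terraform" prerequisite's `prereq_command` only tests that `terraform.tfstate` exists, but `terraform destroy` in `cleanup_command` leaves that file in place with an empty resource list, so on the next run the check passes, `terraform apply` is skipped, and `New-AzAutomationRunbook` then targets an automation account that no longer exists. Checking the state contents is more reliable, e.g. `try { if ((terraform -chdir="$PathToAtomicsFolder/T1078.004/src/T1078.004-2" state list) -match 'azurerm_automation_account') { exit 0 } else { exit 1 } } catch { exit 1 }` (`-chdir` needs Terraform 0.14+, so the module's `required_version` would have to follow). The unquoted `$PathToAtomicsFolder/...` in `Test-Path` also breaks when the atomics folder path contains a space, and the same unquoted form is used by the `cd` lines in `get_prereq_command` and `cleanup_command`. The `executor.command` block additionally runs `Remove-AzAutomationRunbook` right after `New-AzAutomationRunbook`, duplicating `cleanup_command`, whose own remove will then report the runbook as not found. The test's `input_arguments` start above this hunk.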
@@ -0,0 +1,31 @@
terraform {
required_version = ">= 0.12"
}
provider "azurerm" {
features {
}
skip_provider_registration = true
}
variable "resource_group" {
}
variable "runbook_name" {
}
variable "automation_account_name" {
}
resource "azurerm_resource_group" "rg" {
name = var.resource_group
location = "East US"
}
resource "azurerm_automation_account" "account" {
name = var.automation_account_name
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku_name = "Basic"
}
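Review bot: The `terraform` block pins only `required_version` and not the `azurerm` provider, so every run resolves whatever provider release the registry currently serves; a `required_providers` entry with a version constraint keeps the dependency set reproducible and reviewable. The three `variable` blocks carry no `type`, `description` or `validation`, and the companion `terraform.tfvars` added in this commit ships all three as empty strings, so a first `terraform apply` would presumably fail on the empty resource group name rather than with a message that says what to fill in. Declaring `source` under `required_providers` and using `validation` both require Terraform 0.13+, so `required_version` should move up with them. The hard-coded `location = "East US"` could become a variable with that default, but that is optional.
```hcl
terraform {
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # constructed example; pin to the release the test was verified with
    }
  }
}
# … unchanged: provider "azurerm" block …
variable "resource_group" {
  type        = string
  description = "Name of the resource group created for the test"
  validation {
    condition     = length(var.resource_group) > 0
    error_message = "resource_group must not be empty; set it in terraform.tfvars."
  }
}
# … unchanged: runbook_name and automation_account_name (same pattern), resource blocks …
```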
@@ -0,0 +1,3 @@
automation_account_name = ""
resource_group = ""
runbook_name = ""
+64
@@ -22,6 +22,8 @@ For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations
- [Atomic Test #8 - AWS CloudWatch Log Stream Deletes](#atomic-test-8---aws-cloudwatch-log-stream-deletes)
- [Atomic Test #9 - Office 365 - Set Audit Bypass For a Mailbox](#atomic-test-9---office-365---set-audit-bypass-for-a-mailbox)
<br/>
@@ -576,4 +578,66 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
<br/>
<br/>
## Atomic Test #9 - Office 365 - Set Audit Bypass For a Mailbox
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
**Supported Platforms:** Office-365
**auto_generated_guid:** c9a2f6fe-7197-488c-af6d-10c782121ca6
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | office-365 username | string | o365_user_test|
| password | office-365 password | string | o365_password_test|
| target_email | office-365 target_email | string | o365_email_test|
#### Attack Commands: Run with `powershell`!
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
```
#### Cleanup Commands:
```powershell
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
```
#### Dependencies: Run with `powershell`!
##### Description: ExchangeOnlineManagement PowerShell module must be installed
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
```
<br/>
+45
@@ -394,3 +394,48 @@ atomic_tests:
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
auto_generated_guid: c9a2f6fe-7197-488c-af6d-10c782121ca6
description: |
Use Exchange Management Shell to Mailbox auditing to bypass. It will prevent any mailbox audit logging entries being generated for the target e-mail box.
https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default: o365_user_test
password:
description: office-365 password
type: string
default: o365_password_test
target_email:
description: office-365 target_email
type: string
default: o365_email_test
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $false
Disconnect-ExchangeOnline -Confirm:$false
name: powershell
elevation_required: false
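Review bot: The `description` text "Use Exchange Management Shell to Mailbox auditing to bypass." is garbled; a reading that matches the command is `Use Exchange Online PowerShell to set a mailbox audit bypass association; while it is enabled, no mailbox audit log entries are generated for actions on the target mailbox.` "Exchange Management Shell" also names the on-premises shell, whereas the commands and the prerequisite check use the ExchangeOnlineManagement module. The `executor.command` block opens a session with `Connect-ExchangeOnline` but never closes it, while `cleanup_command` opens a second one and closes only that; ending the attack block with `Disconnect-ExchangeOnline -Confirm:$false` mirrors the cleanup and avoids a lingering session. The same text and commands appear in the index YAML and Markdown files in this commit, which look generated from this file and would pick up the fix on regeneration.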
+1
@@ -1350,3 +1350,4 @@ fad04df1-5229-4185-b016-fb6010cd87ac
c3b65cd5-ee51-4e98-b6a3-6cbdec138efc
7784c64e-ed0b-4b65-bf63-c86db229fd56
899a7fb5-d197-4951-8614-f19ac4a73ad4
c9a2f6fe-7197-488c-af6d-10c782121ca6