Adding T1526 Test 1

2022-07-26 03:54:34 -05:00
parent ea2ebf426b
commit 7efbda6972
1 changed files with 51 additions and 0 deletions
@@ -0,0 +1,51 @@
+attack_technique: T1526
+display_name: Cloud Service Discovery
+atomic_tests:
+- name: Azure - Dump Subscription Data with MicroBurst
+  description: |
+    Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription. 
+    The resources enumerated will display on screen, as well as several csv files and folders will be output to a specified directory, listing what resources were discovered by the script. 
+    See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: null
+    password:
+      description: Azure AD password
+      type: String
+      default: T1082Az
+    output_directory:
+      description: Directory to output results to
+      type: String
+      default: $env:temp\T1526Test1     
+    subscription_name:
+      description: Azure subscription name to scan
+      type: String
+      default: null
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The Get-AzDomainInfo script must exist in $env:temp.
+    prereq_command: |
+      if (test-path $env:temp\Get-AzDomainInfo.ps1){exit 0} else {exit 1}
+    get_prereq_command: |
+      invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "$env:temp\Get-AzDomainInfo.ps1"
+  - description: |
+      The Az module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az -Force
+  executor:
+    command: |
+      import-module "$env:temp\Get-AzDomainInfo.ps1"
+      $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+      Connect-AzAccount -Credential $Credential | out-null
+      Get-AzDomainInfo -folder #{output_directory} -subscription "#{subscription_name}" -verbose
+    cleanup_command: |
+      remove-item #{output_directory} -recurse -force -erroraction silentlycontinue
+    name: powershell