Merge pull request #2352 from m4nbat/gk-atomic-red-team-T1136.003-UPDATE

GK atomic red team t1136.003 update
Bhavin Patel
2023-03-09 14:41:47 -08:00
committed by GitHub
+36
@@ -26,3 +26,39 @@ atomic_tests:
aws iam delete-user --user-name #{username}
name: sh
elevation_required: false
- name: Azure AD - Create a new use
description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
supported_platforms:
- azure-ad
input_arguments:
username:
description: Display name of the new user to be created in Azure AD
type: string
default: "atomicredteam"
userprincipalname:
description: User principal name (UPN) for the new Azure user being created format email address
type: String
default: "atomicredteam@yourdomain.com"
password:
description: Password for the new Azure AD user being created
type: string
default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
dependency_executor_name: powershell
dependencies:
- description: Check if AzureAD PowerShell module is installed
prereq_command: Get-InstalledModule -Name AzureAD
get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
- description: Check if AzureAD PowerShell module is installed
prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
executor:
command: |-
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"
$password = "#{password}"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password
New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
name: powershell
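Review bot: The second dependency (the entry just above `executor:`) has a `prereq_command` that is an English sentence rather than a command, so the check presumably always fails when PowerShell runs it, and its `description` is a copy of the first dependency's. A check that fails only while the placeholder domain is still in place would express the intent, e.g. `prereq_command: if ("#{userprincipalname}" -like "*@yourdomain.com") {exit 1} else {exit 0}` with `description: userprincipalname must use a domain verified in your tenant`. Separately, the test creates an enabled account (`-AccountEnabled $true`) whose default password is published in this file, so a run whose cleanup is skipped leaves a sign-in-capable account with a known credential; generating the password at run time or dropping the default would avoid that. Minor: the test name reads `Create a new use` (missing `r`), and `type: String` differs in case from the other `type: string` entries.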