From f756a442c3ca53beddd3b2fc5c969dfa5c09e131 Mon Sep 17 00:00:00 2001
From: m4nbat
Date: Tue, 28 Feb 2023 18:57:28 +0000
Subject: [PATCH 1/3] Update T1136.003.yaml Updated T1136.003 Create Account: Cloud Account and added a new atomic test for a user being created in azure
---
 atomics/T1136.003/T1136.003.yaml | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
index 8c1ecee0..0f28d9ec 100644
--- a/atomics/T1136.003/T1136.003.yaml
+++ b/atomics/T1136.003/T1136.003.yaml
@@ -26,3 +26,38 @@ atomic_tests:
 aws iam delete-user --user-name #{username}
 name: sh
 elevation_required: false
+- name: Azure - Create a new user
+ auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
+ description: |
+ Creates a new user in Azure. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interupt the normal functions of the compromised users and can remain undetected for a long time
+ supported_platforms:
+ - iaas:azure
+ - azure-ad
+ input_arguments:
+ username:
+ description: Username displayed for the user to create in Azure
+ type: string
+ default: "atomicredteam"
+ password:
+ description: Password for the new Azure user being created
+ type: string
+ default: "atomicredteam12345ART-"
+ id:
+ description: User principal name (UPN) for the new Azure user being created format email address
+ type: string
+ default: "atomicredteam@yourdomain.com"
+ dependencies:
+ - description: |
+ Check if az PowerShell module is installed and it is connected to the target Azure tenant using Connect-AzAccount
+ prereq_command: |
+ Get-InstalledModule -Name az
+ Connect-AzAccount
+ get_prereq_command: |
+ echo Please install the az PowerShell module using the following command: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force. Then connect to your Azure tenant using: Connect-AzAccount
+ executor:
+ command: |
+ az ad user create --display-name #{username} --password #{password} --user-principal-name #{id}
+ cleanup_command: |
+ az ad user delete --id #{id}
+ name: powershell
+ elevation_required: false
From 16c9bcfc0785254e087e1c0251c3a2e0ecd27aad Mon Sep 17 00:00:00 2001
From: m4nbat
Date: Thu, 2 Mar 2023 14:39:37 +0000
Subject: [PATCH 2/3] Update T1136.003.yaml Changed the way I did the test after some additional testing and playing around.
---
 atomics/T1136.003/T1136.003.yaml | 48 +++++++++++++++++---------------
 1 file changed, 25 insertions(+), 23 deletions(-)
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
index 0f28d9ec..2a11a2a1 100644
--- a/atomics/T1136.003/T1136.003.yaml
+++ b/atomics/T1136.003/T1136.003.yaml
@@ -26,38 +26,40 @@ atomic_tests:
 aws iam delete-user --user-name #{username}
 name: sh
 elevation_required: false
-- name: Azure - Create a new user
+- name: Azure AD - Create a new user
 auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
- description: |
- Creates a new user in Azure. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interupt the normal functions of the compromised users and can remain undetected for a long time
+ description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
 supported_platforms:
- - iaas:azure
 - azure-ad
 input_arguments:
 username:
- description: Username displayed for the user to create in Azure
+ description: Display name of the new user to be created in Azure AD
 type: string
 default: "atomicredteam"
- password:
- description: Password for the new Azure user being created
- type: string
- default: "atomicredteam12345ART-"
- id:
+ userprincipalname:
 description: User principal name (UPN) for the new Azure user being created format email address
- type: string
+ type: String
 default: "atomicredteam@yourdomain.com"
+ password:
+ description: Password for the new Azure AD user being created
+ type: string
+ default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+ dependency_executor_name: powershell
 dependencies:
- - description: |
- Check if az PowerShell module is installed and it is connected to the target Azure tenant using Connect-AzAccount
- prereq_command: |
- Get-InstalledModule -Name az
- Connect-AzAccount
- get_prereq_command: |
- echo Please install the az PowerShell module using the following command: Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force.
Then connect to your Azure tenant using: Connect-AzAccount
+ - description: Check if AzureAD PowerShell module is installed
+ prereq_command: Get-InstalledModule -Name AzureAD
+ get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+ - description: Check if AzureAD PowerShell module is installed
+ prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+ get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
 executor:
- command: |
- az ad user create --display-name #{username} --password #{password} --user-principal-name #{id}
- cleanup_command: |
- az ad user delete --id #{id}
+ command: |-
+ Connect-AzureAD
+ $userprincipalname = "#{userprincipalname}"
+ $username = "#{username}"
+ $password = "#{password}"
+ $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+ $PasswordProfile.Password = $password
+ New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
+ cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
 name: powershell
- elevation_required: false
From 6a4d1571f3debbca9b019e887a2805f7b8d5941e Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 9 Mar 2023 14:39:07 -0800
Subject: [PATCH 3/3] remove guid key
---
 atomics/T1136.003/T1136.003.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
index 2a11a2a1..eb59f4ec 100644
--- a/atomics/T1136.003/T1136.003.yaml
+++ b/atomics/T1136.003/T1136.003.yaml
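Review bot: In the PATCH 2/3 hunk the second `dependencies` entry copies the first entry's description ("Check if AzureAD PowerShell module is installed") although it is about the userprincipalname input, and its `prereq_command` is an English sentence rather than PowerShell, so the check can only ever error out and the `get_prereq_command` message is printed on every run instead of verifying anything. A real check would be `prereq_command: if ("#{userprincipalname}" -like "*@yourdomain.com") { exit 1 }` paired with `description: Check that the userprincipalname input argument has been changed from the placeholder domain`. Separately, `type: String` for userprincipalname should be `type: string` to match the other inputs, and because `Connect-AzureAD` is only run inside `command`, the `cleanup_command` (`Remove-AzureADUser`) presumably has no authenticated session when cleanup is invoked on its own, so either repeat `Connect-AzureAD` there or state the session requirement in the description. For detection validation it would also help to note in the description which telemetry a successful run leaves behind (as far as I know, an "Add user" activity in the Azure AD audit log), since that is the event a detection for this technique should be tested against.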
@@ -26,8 +26,7 @@ atomic_tests:
 aws iam delete-user --user-name #{username}
 name: sh
 elevation_required: false
-- name: Azure AD - Create a new user
- auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
+- name: Azure AD - Create a new use
 description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
 supported_platforms:
 - azure-ad
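Review bot: The rewritten `name` line in the PATCH 3/3 hunk drops the last letter of "user" (`- name: Azure AD - Create a new use`) while removing the guid key; it should read `- name: Azure AD - Create a new user`, as the removed line did. The test name is presumably what appears in runner output and generated documentation, so the truncation would be visible to everyone using the atomic.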