From 949d151fc2cd519764e2629b2391a9d49d3d8dee Mon Sep 17 00:00:00 2001
From: Gavin Knapp
Date: Sat, 11 Mar 2023 14:03:40 +0000
Subject: [PATCH] Update T1531.yaml

Added two account deletion tests for Azure AD, one via Azure CLI and another using AzureAD PowerShell Module
---
 atomics/T1531/T1531.yaml | 51 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml
index 8b87251d..5e939429 100644
--- a/atomics/T1531/T1531.yaml
+++ b/atomics/T1531/T1531.yaml
@@ -88,3 +88,54 @@ atomic_tests:
 }
 name: powershell
 elevation_required: false
+- name: Azure AD - Delete user via Azure AD PowerShell
+ description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ userprincipalname:
+ description: User principal name (UPN) for the Azure user being deleted
+ type: String
+ default: "atomicredteam@yourdomain.com"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Check if AzureAD PowerShell module is installed
+ prereq_command: Get-InstalledModule -Name AzureAD
+ get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+ - description: Check if AzureAD PowerShell module is installed
+ prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+ get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+ executor:
+ command: |-
+ Connect-AzureAD
+ $userprincipalname = "#{userprincipalname}"
+ Remove-AzureADUser -ObjectId $userprincipalname
+ cleanup_command: N/A
+ name: powershell
+- name: Azure AD - Delete user via Azure CLI
+ description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ userprincipalname:
+ description: User principal name (UPN) for the Azure user being deleted
+ type: String
+ default: "atomicredteam@yourdomain.com"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: Check if Azure CLI is installed and install manually
+ prereq_command: az account list
+ get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
+ - description: Check if Azure CLI is installed and install via PowerShell
+ prereq_command: az account list
+ get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
+ - description: Update the userprincipalname to meet your requirements
+ prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
+ get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+ executor:
+ command: |-
+ az login
+ $userprincipalname = "#{userprincipalname}"
+ az ad user delete --id $userprincipalname
+ cleanup_command: N/A
+ name: powershell
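Review bot: The second `dependencies` entry of the PowerShell test carries the copy-pasted label `Check if AzureAD PowerShell module is installed` while its `prereq_command` is the "update the input arguments" prose, so the label misdescribes the check; align it with the CLI test by changing it to `- description: Update the userprincipalname to meet your requirements`. That prose `prereq_command` is also not a runnable PowerShell command, so the dependency appears to fail unconditionally and its `get_prereq_command` only echoes guidance, which is presumably intended as a forced prompt but deserves a comment saying so. Both tests hard-delete whatever UPN the operator supplies, declare `cleanup_command: N/A`, and act as the interactively signed-in identity, so each description should warn that the action is destructive, needs a directory role permitted to delete users, and that any recovery depends on Azure AD's deleted-items restore rather than the test — e.g. append `WARNING: this removes the target account and the test has no cleanup; only run it against a disposable account in a lab tenant.` to both descriptions. The CLI test's first two dependencies run the identical `prereq_command: az account list`, so one of them can be dropped or merged into a single install hint. The `atomic_tests` sequence these entries extend begins above the hunk.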