diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 8421e1e0..947889a3 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -573,4 +573,52 @@ atomic_tests:
 cleanup_command: |
 cmd /c #{DefenderControlExe} /E | Out-Null
 name: powershell
- elevation_required: true
+ elevation_required: true
+- name: Azure-Defense-Evasion-Eventhub-Deletion
+ auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719
+ description: |
+ Identifies an Event Hub deletion in Azure
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure username
+ type: String
+ default: null
+ password:
+ description: Azure password
+ type: String
+ default: null
+ event_hub_name:
+ description: Name of the eventhub
+ type: String
+ default: "test_eventhub"
+ resource_group:
+ description: Name of the resource group
+ type: String
+ default: null
+ name_space_name:
+ description: Name of the NameSpace
+ type: String
+ default: null
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Install-Module -Name Az
+ prereq_command: |
+ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-AzureAD -Credential $creds
+ New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
+ cleanup_command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-AzureAD -Credential $creds
+ Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
+ name: powershell
+ elevation_required: false
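Review bot: The executor `command` of the new Azure-Defense-Evasion-Eventhub-Deletion test only runs `New-AzEventHub`, so the behaviour the test is named for and that its description says it identifies happens solely in `cleanup_command` via `Remove-AzEventHub`; the deletion belongs in `command` (creating the hub first, or in `get_prereq_command`), otherwise a detection validated against this atomic fires on cleanup rather than on the test. The dependency is also inconsistent with what the commands use: the description says `Install-Module -Name Az`, the prereq checks and installs the AzureAD module, but `New-AzEventHub`/`Remove-AzEventHub` come from Az.EventHub, and as far as I can tell `Connect-AzureAD` does not establish the Az context those cmdlets need, which is set up by `Connect-AzAccount -Credential $creds`. The unquoted `#{resource_group}`, `#{name_space_name}` and `#{event_hub_name}` substitutions should be quoted in the cmdlet calls so a value containing spaces is passed as one argument. If `command` performs the deletion itself, the `cleanup_command` block becomes redundant and can be dropped.
```yaml
dependencies:
  - description: |
      Az.EventHub module must be installed
    prereq_command: |
      try {if (Get-InstalledModule -Name Az.EventHub -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
      Install-Module -Name Az.EventHub -Force
executor:
  command: |
    $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
    Connect-AzAccount -Credential $creds
    New-AzEventHub -ResourceGroupName "#{resource_group}" -NamespaceName "#{name_space_name}" -Name "#{event_hub_name}"
    Remove-AzEventHub -ResourceGroupName "#{resource_group}" -Namespace "#{name_space_name}" -Name "#{event_hub_name}"
  # … unchanged: name, elevation_required …
```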