Generated docs from job=generate-docs branch=master [ci skip]

2023-03-09 22:42:27 +00:00
parent aaf3fd5992
commit b65e562290
9 changed files with 162 additions and 4 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
+{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- Azure AD - Create a new use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -7,6 +7,7 @@ defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new use,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
 persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
 persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
 persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
@@ -861,6 +861,7 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
 persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
 persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
+persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new use,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
@@ -59,7 +59,8 @@
 - [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #2: Azure AD - Create a new use [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
  - Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
@@ -1371,6 +1371,7 @@
  - Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
 - [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
+  - Atomic Test #2: Azure AD - Create a new use [azure-ad]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
  - Atomic Test #2: Domain Account and Group Manipulate [windows]
@@ -36518,7 +36518,50 @@ persistence:
      x_mitre_attack_spec_version: 2.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1136.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Azure AD - Create a new use
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
  T1098:
    technique:
      x_mitre_platforms:
@@ -60499,6 +60499,49 @@ persistence:
          '
        name: sh
        elevation_required: false
+    - name: Azure AD - Create a new use
+      auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
+      description: Creates a new user in Azure AD. Upon successful creation, a new
+        user will be created. Adversaries create new users so that their malicious
+        activity does not interrupt the normal functions of the compromised users
+        and can remain undetected for a long time.
+      supported_platforms:
+      - azure-ad
+      input_arguments:
+        username:
+          description: Display name of the new user to be created in Azure AD
+          type: string
+          default: atomicredteam
+        userprincipalname:
+          description: User principal name (UPN) for the new Azure user being created
+            format email address
+          type: String
+          default: atomicredteam@yourdomain.com
+        password:
+          description: Password for the new Azure AD user being created
+          type: string
+          default: reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Get-InstalledModule -Name AzureAD
+        get_prereq_command: echo "use the following to install AzureAD PowerShell
+          module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery
+          -Force"
+      - description: Check if AzureAD PowerShell module is installed
+        prereq_command: Update the input arguments so the userprincipalname value
+          is accurate for your environment
+        get_prereq_command: echo "Update the input arguments in the .yaml file so
+          that the userprincipalname value is accurate for your environment"
+      executor:
+        command: "Connect-AzureAD\n$userprincipalname = \"#{userprincipalname}\"\n$username
+          = \"#{username}\"      \n$password = \"#{password}\"\n$PasswordProfile =
+          New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile\n$PasswordProfile.Password
+          = $password\nNew-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile
+          -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName
+          $username      "
+        cleanup_command: Remove-AzureADUser -ObjectId "#{userprincipalname}"
+        name: powershell
  T1098:
    technique:
      x_mitre_platforms:
@@ -8,6 +8,8 @@ Adversaries may create accounts that only have access to specific cloud services

 - [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user)

+- [Atomic Test #2 - Azure AD - Create a new use](#atomic-test-2---azure-ad---create-a-new-use)
+

 <br/>

@@ -57,4 +59,70 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws



+<br/>
+<br/>
+
+## Atomic Test #2 - Azure AD - Create a new use
+Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
+
+**Supported Platforms:** Azure-ad
+
+
+**auto_generated_guid:** e62d23ef-3153-4837-8625-fa4a3829134d
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Display name of the new user to be created in Azure AD | string | atomicredteam|
+| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | String | atomicredteam@yourdomain.com|
+| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Connect-AzureAD
+$userprincipalname = "#{userprincipalname}"
+$username = "#{username}"      
+$password = "#{password}"
+$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
+$PasswordProfile.Password = $password
+New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-AzureADUser -ObjectId "#{userprincipalname}"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Get-InstalledModule -Name AzureAD
+```
+##### Get Prereq Commands:
+```powershell
+echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
+```
+##### Description: Check if AzureAD PowerShell module is installed
+##### Check Prereq Commands:
+```powershell
+Update the input arguments so the userprincipalname value is accurate for your environment
+```
+##### Get Prereq Commands:
+```powershell
+echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
+```
+
+
+
+
 <br/>