From 329a9d75b6ae50f1b57e25e0172b80d4264afd05 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Mon, 1 Aug 2022 20:14:13 -0500
Subject: [PATCH] Adding T1552.005 Test 2 - Azure - Dump Azure Instance Metadata from Virtual Machines
---
 atomics/T1552.005/T1552.005.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/atomics/T1552.005/T1552.005.yaml b/atomics/T1552.005/T1552.005.yaml
index f6996ffc..25141470 100644
--- a/atomics/T1552.005/T1552.005.yaml
+++ b/atomics/T1552.005/T1552.005.yaml
@@ -44,3 +44,20 @@ atomic_tests:
 remove-item $env:temp\T1552.005Test1.txt -force -erroraction silentlycontinue
 name: powershell
 elevation_required: true
+- name: Azure - Dump Azure Instance Metadata from Virtual Machines
+ description: |
+ This test invokes a web request to the default Instance Metadata API of 169.254.169.254 in order to dump the data contained within it to a file.
+ See: https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
+ supported_platforms:
+ - iaas:azure
+ input_arguments:
+ output_file:
+ description: File to output metadata to
+ type: String
+ default: $env:temp\T1552.005Test2.txt
+ executor:
+ command: |
+ Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64 > #{output_file}
+ cleanup_command: |
+ remove-item #{output_file} -force -erroraction silentlycontinue
+ name: powershell
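Review bot: `#{output_file}` is substituted unquoted in both `command` and `cleanup_command`, so a caller-supplied path containing a space would split the redirect target and the `remove-item` argument; write `> "#{output_file}"` and `remove-item "#{output_file}" -force -erroraction silentlycontinue`. The request also sets no time limit, so on a host where 169.254.169.254 is unreachable the test may stall rather than fail quickly; adding `-TimeoutSec 10` to `Invoke-RestMethod` would bound it. The description could add a sentence such as `The output file holds the VM's instance metadata and should be treated as sensitive until the cleanup command removes it.`, since the dump stays in the temp directory if cleanup is skipped.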