From d8aa2f4f700f46f94841c3b3a55369eadceb7ab5 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 5 Aug 2023 10:47:06 +1000
Subject: [PATCH] Create T1098.003.yaml (#2478)
* Create T1098.003.yaml
* add header info
---------
Co-authored-by: Carrie Roberts
Co-authored-by: Hare Sudhan
Co-authored-by: Bhavin Patel
---
atomics/T1098.003/T1098.003.yaml | 41 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 atomics/T1098.003/T1098.003.yaml
diff --git a/atomics/T1098.003/T1098.003.yaml b/atomics/T1098.003/T1098.003.yaml
new file mode 100644
index 00000000..d89bd1cd
--- /dev/null
+++ b/atomics/T1098.003/T1098.003.yaml
@@ -0,0 +1,41 @@
+attack_technique: T1098.003
+display_name: 'Account Manipulation: Additional Cloud Roles'
+atomic_tests:
+- name: Azure AD - Add Company Administrator Role to a user
+ auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
+ description: |
+ Add an existing Azure user account the Company Administrator Role.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: string
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: string
+ default: p4sswd
+ target_user:
+ description: Name of the user who will be assigned the Company Admin role
+ type: string
+ default: default
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ MSOnline module must be installed.
+ prereq_command: |
+ try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name MSOnline -Force
+ executor:
+ command: |
+ Import-Module MSOnline
+ $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+ Connect-MsolService -Credential $Credential
+ Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
+ cleanup_command: |
+ Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
+ name: powershell
+ elevation_required: false
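Review bot: The `cleanup_command` calls `Remove-MsolRoleMember` without first importing MSOnline and running `Connect-MsolService`, so if cleanup runs in a separate PowerShell session from `command` (as it typically does when invoked on its own) it will fail and leave `#{target_user}` holding the tenant-wide Company Administrator role after the test. Re-establish the session in cleanup as sketched below. The `"#{password}"` substitution is also double-quoted, so a password containing `$` or a backtick is altered by PowerShell expansion before `ConvertTo-SecureString` sees it; a single-quoted literal avoids that, and the same applies in the `command` block. Separately, the `target_user` default of `default` is not an address that `-RoleMemberEmailAddress` can resolve, so the test fails unless the argument is overridden; an obviously labelled placeholder address would make that clearer.

```yaml
    # … unchanged: command block …
    cleanup_command: |
      Import-Module MSOnline
      $Password = ConvertTo-SecureString -String '#{password}' -AsPlainText -Force
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList '#{username}', $Password
      Connect-MsolService -Credential $Credential
      Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
```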