Merge branch 'master' into Awfulshred-TTPs

2023-02-22 22:18:44 -05:00
parent d80db05f43 eaa3105334
commit dd12affe80
22 changed files with 557 additions and 45 deletions
@@ -20,3 +20,14 @@ jobs:
      - name: validate the format of atomics tests against the spec
        run: |
          bin/validate-atomics.rb
+
+  validate-terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v2
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -recursive -check
+        continue-on-error: false
@@ -25,5 +25,34 @@ docs/_site/
 **/Invoke-AtomicTest-ExecutionLog.csv
 techniques_hash.db

-# Credential files 
-*.creds
+# Credential files
+*.creds
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+**/*.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
@@ -724,6 +724,8 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
 execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -276,6 +276,8 @@ execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is runn
 execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
 execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
+execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
+execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,bash
 execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
 execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
@@ -1108,6 +1108,8 @@
  - Atomic Test #7: What shells are available [linux]
  - Atomic Test #8: Command line scripts [linux]
  - Atomic Test #9: Obfuscated command line scripts [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -660,6 +660,8 @@
  - Atomic Test #7: What shells are available [linux]
  - Atomic Test #8: Command line scripts [linux]
  - Atomic Test #9: Obfuscated command line scripts [linux]
+  - Atomic Test #10: Change login shell [linux]
+  - Atomic Test #11: Environment variable scripts [linux]
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -11678,21 +11678,40 @@ defense-evasion:
      - description: 'Check if ~/.aws/credentials file has a default stanza is configured

          '
-        prereq_command: |
-          cat ~/.aws/credentials | grep "default"
-          aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
-          aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
-        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
-          defult profile using: aws configure
+        prereq_command: 'cat ~/.aws/credentials | grep "default"

          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: "echo Please install the terraform and configure your
+          aws default profile \n"
+      - description: 'Check if the dependency resources are already present.
+
+          '
+        prereq_command: 'if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate
+          ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+          terraform init
+          terraform apply -auto-approve
      executor:
        command: |
-          aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
          aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
          aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
          aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
-        cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \n"
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+          terraform destroy -auto-approve
        name: sh
        elevation_required: false
    - name: AWS - CloudWatch Log Group Deletes
@@ -11695,15 +11695,44 @@ defense-evasion:
        get_prereq_command: 'Install-Module -Name AzureAD -Force

          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Check if the user is logged into Azure.
+
+          '
+        prereq_command: 'az account show
+
+          '
+        get_prereq_command: "echo Configure your Azure account using: az login. \n"
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate
+          ){ exit 0 } else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+          terraform init
+          terraform apply -auto-approve
      executor:
        command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-AzureAD -Credential $creds
-          New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
          Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
        name: powershell
        elevation_required: false
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+          terraform destroy -auto-approve
  T1564.003:
    technique:
      x_mitre_platforms:
@@ -22203,21 +22203,40 @@ defense-evasion:
      - description: 'Check if ~/.aws/credentials file has a default stanza is configured

          '
-        prereq_command: |
-          cat ~/.aws/credentials | grep "default"
-          aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
-          aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
-        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
-          defult profile using: aws configure
+        prereq_command: 'cat ~/.aws/credentials | grep "default"

          '
+        get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+          default profile using: aws configure
+
+          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: "echo Please install the terraform and configure your
+          aws default profile \n"
+      - description: 'Check if the dependency resources are already present.
+
+          '
+        prereq_command: 'if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate
+          ]; then exit 0; else exit 1; fi;
+
+          '
+        get_prereq_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+          terraform init
+          terraform apply -auto-approve
      executor:
        command: |
-          aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
          aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
          aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
          aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
-        cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \n"
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+          terraform destroy -auto-approve
        name: sh
        elevation_required: false
    - name: Azure - Eventhub Deletion
@@ -22262,15 +22281,44 @@ defense-evasion:
        get_prereq_command: 'Install-Module -Name AzureAD -Force

          '
+      - description: 'Check if terraform is installed.
+
+          '
+        prereq_command: 'terraform version
+
+          '
+        get_prereq_command: 'echo Please install the terraform.
+
+          '
+      - description: 'Check if the user is logged into Azure.
+
+          '
+        prereq_command: 'az account show
+
+          '
+        get_prereq_command: "echo Configure your Azure account using: az login. \n"
+      - description: 'Create dependency resources using terraform
+
+          '
+        prereq_command: 'try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate
+          ){ exit 0 } else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+          terraform init
+          terraform apply -auto-approve
      executor:
        command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-AzureAD -Credential $creds
-          New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
          Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
        name: powershell
        elevation_required: false
+        cleanup_command: |
+          cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+          terraform destroy -auto-approve
    - name: Office 365 - Exchange Audit Log Disabled
      auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
      description: |
@@ -47526,6 +47574,56 @@ execution:
        elevation_required: false
        command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
          \"$ART\" |base64 -d |/bin/bash\nunset ART \n"
+    - name: Change login shell
+      auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
+      description: "An adversary may want to use a different login shell. The chsh
+        command changes the user login shell. The following test, creates an art user
+        with a /bin/bash shell, changes the users shell to sh, then deletes the art
+        user. \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'chsh - change login shell, must be installed
+
+          '
+        prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
+          1"; exit 1; fi
+
+          '
+        get_prereq_command: 'echo "Automated installer not implemented yet, please
+          install chsh manually"
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -s /bin/bash art
+          cat /etc/passwd |grep ^art
+          chsh -s /bin/sh art
+          cat /etc/passwd |grep ^art
+        cleanup_command: 'userdel art
+
+          '
+    - name: Environment variable scripts
+      auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
+      description: 'An adversary may place scripts in an environment variable because
+        they can''t or don''t wish to create script files on the host. The following
+        test, in a bash shell, exports the ART variable containing an echo command,
+        then pipes the variable to /bin/bash
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          export ART='echo "Atomic Red Team was here... T1059.004"'
+          echo $ART |/bin/bash
+        cleanup_command: 'unset ART
+
+          '
  T1559:
    technique:
      x_mitre_platforms:
@@ -30881,6 +30881,56 @@ execution:
        elevation_required: false
        command: "ART=$(echo -n \"id\" |base64 -w 0)\necho \"\\$ART=$ART\"\necho -n
          \"$ART\" |base64 -d |/bin/bash\nunset ART \n"
+    - name: Change login shell
+      auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
+      description: "An adversary may want to use a different login shell. The chsh
+        command changes the user login shell. The following test, creates an art user
+        with a /bin/bash shell, changes the users shell to sh, then deletes the art
+        user. \n"
+      supported_platforms:
+      - linux
+      dependencies:
+      - description: 'chsh - change login shell, must be installed
+
+          '
+        prereq_command: 'if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit
+          1"; exit 1; fi
+
+          '
+        get_prereq_command: 'echo "Automated installer not implemented yet, please
+          install chsh manually"
+
+          '
+      executor:
+        name: bash
+        elevation_required: true
+        command: |
+          useradd -s /bin/bash art
+          cat /etc/passwd |grep ^art
+          chsh -s /bin/sh art
+          cat /etc/passwd |grep ^art
+        cleanup_command: 'userdel art
+
+          '
+    - name: Environment variable scripts
+      auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
+      description: 'An adversary may place scripts in an environment variable because
+        they can''t or don''t wish to create script files on the host. The following
+        test, in a bash shell, exports the ART variable containing an echo command,
+        then pipes the variable to /bin/bash
+
+        '
+      supported_platforms:
+      - linux
+      executor:
+        name: bash
+        elevation_required: false
+        command: |
+          export ART='echo "Atomic Red Team was here... T1059.004"'
+          echo $ART |/bin/bash
+        cleanup_command: 'unset ART
+
+          '
  T1559:
    technique:
      x_mitre_platforms:
@@ -26,6 +26,10 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter

 - [Atomic Test #9 - Obfuscated command line scripts](#atomic-test-9---obfuscated-command-line-scripts)

+- [Atomic Test #10 - Change login shell](#atomic-test-10---change-login-shell)
+
+- [Atomic Test #11 - Environment variable scripts](#atomic-test-11---environment-variable-scripts)
+

 <br/>

@@ -355,4 +359,84 @@ unset ART



+<br/>
+<br/>
+
+## Atomic Test #10 - Change login shell
+An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+useradd -s /bin/bash art
+cat /etc/passwd |grep ^art
+chsh -s /bin/sh art
+cat /etc/passwd |grep ^art
+```
+
+#### Cleanup Commands:
+```bash
+userdel art
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: chsh - change login shell, must be installed
+##### Check Prereq Commands:
+```bash
+if [ -f /usr/bin/chsh ]; then echo "exit 0"; else echo "exit 1"; exit 1; fi
+```
+##### Get Prereq Commands:
+```bash
+echo "Automated installer not implemented yet, please install chsh manually"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Environment variable scripts
+An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** bdaebd56-368b-4970-a523-f905ff4a8a51
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! 
+
+
+```bash
+export ART='echo "Atomic Red Team was here... T1059.004"'
+echo $ART |/bin/bash
+```
+
+#### Cleanup Commands:
+```bash
+unset ART
+```
+
+
+
+
+
 <br/>
@@ -163,6 +163,7 @@ atomic_tests:
      echo -n "$ART" |base64 -d |/bin/bash
      unset ART 
 - name: Change login shell
+  auto_generated_guid: c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
  description: |
    An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user. 
  supported_platforms:
@@ -185,6 +186,7 @@ atomic_tests:
    cleanup_command: | 
      userdel art
 - name: Environment variable scripts
+  auto_generated_guid: bdaebd56-368b-4970-a523-f905ff4a8a51
  description: |
    An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
  supported_platforms:
@@ -51,7 +51,6 @@ Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop an


 ```sh
-aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
 aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
 aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
 aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
@@ -59,7 +58,8 @@ aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}

 #### Cleanup Commands:
 ```sh
-aws s3 rb s3://#{s3_bucket_name} --force
+cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+terraform destroy -auto-approve
 ```


@@ -69,12 +69,30 @@ aws s3 rb s3://#{s3_bucket_name} --force
 ##### Check Prereq Commands:
 ```sh
 cat ~/.aws/credentials | grep "default"
-aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
-aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
 ```
 ##### Get Prereq Commands:
 ```sh
-echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+echo Please install the aws-cli and configure your AWS default profile using: aws configure
+```
+##### Description: Check if terraform is installed.
+##### Check Prereq Commands:
+```sh
+terraform version
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the terraform and configure your aws default profile
+```
+##### Description: Check if the dependency resources are already present.
+##### Check Prereq Commands:
+```sh
+if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+terraform init
+terraform apply -auto-approve
 ```


@@ -115,10 +133,14 @@ https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-AzureAD -Credential $creds
-New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
 Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
 ```

+#### Cleanup Commands:
+```powershell
+cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+terraform destroy -auto-approve
+```



@@ -132,6 +154,35 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit
 ```powershell
 Install-Module -Name AzureAD -Force
 ```
+##### Description: Check if terraform is installed.
+##### Check Prereq Commands:
+```powershell
+terraform version
+```
+##### Get Prereq Commands:
+```powershell
+echo Please install the terraform.
+```
+##### Description: Check if the user is logged into Azure.
+##### Check Prereq Commands:
+```powershell
+az account show
+```
+##### Get Prereq Commands:
+```powershell
+echo Configure your Azure account using: az login.
+```
+##### Description: Create dependency resources using terraform
+##### Check Prereq Commands:
+```powershell
+try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+terraform init
+terraform apply -auto-approve
+```



@@ -21,22 +21,34 @@ atomic_tests:
      type: string
      default: "us-east-1"
  dependencies:
-  - description: |
-      Check if ~/.aws/credentials file has a default stanza is configured
-    prereq_command: |
-      cat ~/.aws/credentials | grep "default"
-      aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
-      aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json
-    get_prereq_command: |
-      echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+    - description: |
+        Check if ~/.aws/credentials file has a default stanza is configured
+      prereq_command: |
+        cat ~/.aws/credentials | grep "default"
+      get_prereq_command: |
+        echo Please install the aws-cli and configure your AWS default profile using: aws configure
+    - description: |
+        Check if terraform is installed.
+      prereq_command: |
+        terraform version
+      get_prereq_command: |
+        echo Please install the terraform and configure your aws default profile 
+    - description: |
+        Check if the dependency resources are already present.
+      prereq_command: |
+        if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate ]; then exit 0; else exit 1; fi;
+      get_prereq_command: |
+        cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+        terraform init
+        terraform apply -auto-approve
  executor:
    command: |
-      aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
-      aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
-      aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
-      aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
+       aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name}  --is-multi-region-trail --region #{region}
+       aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}
+       aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}
    cleanup_command: |
-      aws s3 rb s3://#{s3_bucket_name} --force 
+      cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/
+      terraform destroy -auto-approve
    name: sh
    elevation_required: false
 - name: Azure - Eventhub Deletion
@@ -77,15 +89,37 @@ atomic_tests:
      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
      Install-Module -Name AzureAD -Force
+  - description: |
+      Check if terraform is installed.
+    prereq_command: |
+      terraform version
+    get_prereq_command: |
+        echo Please install the terraform.
+  - description: |
+      Check if the user is logged into Azure.
+    prereq_command: |
+      az account show
+    get_prereq_command: |
+      echo Configure your Azure account using: az login. 
+  - description: |
+      Create dependency resources using terraform
+    prereq_command: |
+      try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+      terraform init
+      terraform apply -auto-approve
  executor:
    command: |
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
      Connect-AzureAD -Credential $creds
-      New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
      Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
    name: powershell
    elevation_required: false
+    cleanup_command: |
+      cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/
+      terraform destroy -auto-approve
 - name: Office 365 - Exchange Audit Log Disabled
  auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c
  description: |
@@ -218,7 +252,6 @@ atomic_tests:
      cat ~/.aws/credentials | grep "default"
    get_prereq_command: |
      echo Please install the aws-cli and configure your AWS defult profile using: aws configure
-
  executor:
    command: |
      export AWS_REGION=#{aws_region} 
@@ -0,0 +1,35 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "aws" {
+}
+
+variable "cloudtrail_name" {
+}
+
+variable "s3_bucket_name" {
+}
+
+variable "region" {
+}
+
+resource "aws_s3_bucket" "some_bucket" {
+  bucket        = var.s3_bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "some_policy" {
+  bucket = aws_s3_bucket.some_bucket.id
+  policy = templatefile("policy.json", {
+    cloudtrail_name = "${var.cloudtrail_name}"
+    s3_bucket_name  = "${var.s3_bucket_name}"
+    region          = "${var.region}"
+  })
+}
+
+resource "aws_cloudtrail" "some_cloudtrail" {
+  s3_bucket_name = aws_s3_bucket.some_bucket.id
+  name           = var.cloudtrail_name
+}
+
@@ -8,7 +8,7 @@
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
-            "Resource": "arn:aws:s3:::redatomic-test"
+            "Resource": "arn:aws:s3:::${s3_bucket_name}"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
@@ -17,7 +17,7 @@
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
-            "Resource": "arn:aws:s3:::redatomic-test/AWSLogs/*",
+            "Resource": "arn:aws:s3:::${s3_bucket_name}/AWSLogs/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
@@ -0,0 +1,6 @@
+cloudtrail_name = "redatomictesttrail"
+
+s3_bucket_name = "redatomic-test"
+
+region = "us-east-1"
+
@@ -0,0 +1,45 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "azurerm" {
+  features {
+  }
+  skip_provider_registration = true
+}
+
+variable "username" {
+}
+
+variable "password" {
+}
+
+variable "event_hub_name" {
+}
+
+variable "resource_group" {
+}
+
+variable "name_space_name" {
+}
+
+resource "azurerm_resource_group" "some_resource_group" {
+  name     = var.resource_group
+  location = "East US"
+}
+
+resource "azurerm_eventhub_namespace" "some_namespace" {
+  name                = var.name_space_name
+  location            = azurerm_resource_group.some_resource_group.location
+  resource_group_name = azurerm_resource_group.some_resource_group.name
+  sku                 = "Standard"
+}
+
+resource "azurerm_eventhub" "some_eventhub" {
+  name                = var.event_hub_name
+  namespace_name      = azurerm_eventhub_namespace.some_namespace.name
+  resource_group_name = azurerm_resource_group.some_resource_group.name
+  message_retention   = 1
+  partition_count     = 2
+}
+
@@ -0,0 +1,10 @@
+username = ""
+
+password = ""
+
+event_hub_name = "test_eventhub"
+
+resource_group = ""
+
+name_space_name = ""
+
@@ -1241,3 +1241,5 @@ cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
 53ead5db-7098-4111-bb3f-563be390e72e
 8e36da01-cd29-45fd-be72-8a0fcaad4481
 3fb46e17-f337-4c14-9f9a-a471946533e2
+c7ac59cb-13cc-4622-81dc-6d2fee9bfac7
+bdaebd56-368b-4970-a523-f905ff4a8a51