From f6c76daca09354a5788a16f839efab2a95eb135e Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Mon, 28 Apr 2025 16:43:38 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- .../art-navigator-layer-azure-ad.json | 2 +- .../art-navigator-layer-office-365.json | 2 +- .../Indexes/Indexes-CSV/office-365-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 2 +- .../Indexes-Markdown/office-365-index.md | 3 +- atomics/Indexes/azure-ad-index.yaml | 53 +------------------ atomics/Indexes/index.yaml | 2 +- atomics/Indexes/office-365-index.yaml | 53 ++++++++++++++++++- atomics/T1564.008/T1564.008.md | 2 +- 9 files changed, 61 insertions(+), 59 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json index ea2d25a8..edaafde0 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json @@ -1 +1 @@ -{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json index adaca172..76a6e006 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json @@ -1 +1 @@ -{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]} \ No newline at end of file +{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/office-365-index.csv b/atomics/Indexes/Indexes-CSV/office-365-index.csv index 7f45a7dc..7385bf16 100644 --- a/atomics/Indexes/Indexes-CSV/office-365-index.csv +++ b/atomics/Indexes/Indexes-CSV/office-365-index.csv @@ -1,6 +1,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell collection,T1114.002,Email Collection: Remote Email Collection,1,Office365 - Remote Mail Collected,36657d95-d9d6-4fbf-8a31-f4085607bafd,powershell +defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 5517f3b9..be8dad66 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -50,7 +50,7 @@ - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows] - T1666 Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1564.008 Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) - - Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [azure-ad] + - Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [office-365] - T1027.013 Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1014 Rootkit](../../T1014/T1014.md) - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] diff --git a/atomics/Indexes/Indexes-Markdown/office-365-index.md b/atomics/Indexes/Indexes-Markdown/office-365-index.md index b725ba52..2616ceaf 100644 --- a/atomics/Indexes/Indexes-Markdown/office-365-index.md +++ b/atomics/Indexes/Indexes-Markdown/office-365-index.md @@ -29,7 +29,8 @@ - T1213.005 Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) # defense-evasion -- T1564.008 Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1564.008 Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) + - Atomic Test #1: New-Inbox Rule to Hide E-mail in M365 [office-365] - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1070.008 Email Collection: Mailbox Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml index bd23dd98..155a1d1e 100644 --- a/atomics/Indexes/azure-ad-index.yaml +++ b/atomics/Indexes/azure-ad-index.yaml @@ -1038,58 +1038,7 @@ defense-evasion: x_mitre_attack_spec_version: 3.2.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1564.008 - atomic_tests: - - name: New-Inbox Rule to Hide E-mail in M365 - auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9 - description: | - This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. - Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf - supported_platforms: - - azure-ad - input_arguments: - auth_username: - description: M365 Username - type: string - default: john@contoso.com - auth_password: - description: M365 Password - type: string - default: p4sswd - mail_rulename: - description: Name of the inbox rule. - type: string - default: default - target_mailbox: - description: Mailbox you are creating the rule in - type: string - default: jane@contoso.com - dependency_executor_name: powershell - dependencies: - - description: 'ExchangeOnlineManagement module must be installed. - - ' - prereq_command: 'try {if (Get-InstalledModule -Name ExchangeOnlineManagement - -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - - ' - get_prereq_command: 'Install-Module -Name ExchangeOnlineManagement -Force - - ' - executor: - command: | - Import-Module ExchangeOnlineManagement - $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force - $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password - Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue - New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true - cleanup_command: | - Import-Module ExchangeOnlineManagement - $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force - $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password - Connect-ExchangeOnline -Credential $credential - Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false - name: powershell - elevation_required: false + atomic_tests: [] T1027.013: technique: modified: '2024-10-15T16:32:45.108Z' diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index cb450f32..5eb1831f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1987,7 +1987,7 @@ defense-evasion: This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf supported_platforms: - - azure-ad + - office-365 input_arguments: auth_username: description: M365 Username diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml index c80632a6..de998da2 100644 --- a/atomics/Indexes/office-365-index.yaml +++ b/atomics/Indexes/office-365-index.yaml @@ -1038,7 +1038,58 @@ defense-evasion: x_mitre_attack_spec_version: 3.2.0 x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 identifier: T1564.008 - atomic_tests: [] + atomic_tests: + - name: New-Inbox Rule to Hide E-mail in M365 + auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9 + description: | + This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. + Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf + supported_platforms: + - office-365 + input_arguments: + auth_username: + description: M365 Username + type: string + default: john@contoso.com + auth_password: + description: M365 Password + type: string + default: p4sswd + mail_rulename: + description: Name of the inbox rule. + type: string + default: default + target_mailbox: + description: Mailbox you are creating the rule in + type: string + default: jane@contoso.com + dependency_executor_name: powershell + dependencies: + - description: 'ExchangeOnlineManagement module must be installed. + + ' + prereq_command: 'try {if (Get-InstalledModule -Name ExchangeOnlineManagement + -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + + ' + get_prereq_command: 'Install-Module -Name ExchangeOnlineManagement -Force + + ' + executor: + command: | + Import-Module ExchangeOnlineManagement + $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force + $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password + Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue + New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true + cleanup_command: | + Import-Module ExchangeOnlineManagement + $password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force + $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password + Connect-ExchangeOnline -Credential $credential + Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false + name: powershell + elevation_required: false T1027.013: technique: modified: '2024-10-15T16:32:45.108Z' diff --git a/atomics/T1564.008/T1564.008.md b/atomics/T1564.008/T1564.008.md index 6ec9c9b2..331408ab 100644 --- a/atomics/T1564.008/T1564.008.md +++ b/atomics/T1564.008/T1564.008.md @@ -23,7 +23,7 @@ In some environments, administrators may be able to enable email rules that oper This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf -**Supported Platforms:** Azure-ad +**Supported Platforms:** Office-365 **auto_generated_guid:** 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9