Generated docs from job=generate-docs branch=master [ci skip]

2022-07-11 20:36:47 +00:00
parent 2bb69eca3d
commit f816531cc0
6 changed files with 98 additions and 0 deletions
@@ -808,6 +808,7 @@ collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShe
 collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
 collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -96,6 +96,7 @@ collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28f
 collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
+collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
 collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -1392,6 +1392,7 @@
  - Atomic Test #4: Collect Clipboard Data via VBA [windows]
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -224,6 +224,7 @@
 - T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
  - Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
+  - Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
 - T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
@@ -64236,6 +64236,48 @@ collection:
          Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue

+          '
+        name: powershell
+    - name: Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+      auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
+      description: "Upon successful execution, this test will test for anonymous access
+        to Azure storage containers by invoking a web request and outputting the results
+        to a file. \nThe corresponding response could then be interpreted to determine
+        whether or not the resource/container exists, as well as other information.
+        \nSee https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+        \    \n"
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        base_name:
+          description: Azure storage account name to test
+          type: String
+          default: T1530Test2
+        output_file:
+          description: File to output results to
+          type: String
+          default: "$env:temp\\T1530Test2.txt"
+        container_name:
+          description: Container name to search for (optional)
+          type: String
+          default: 
+        blob_name:
+          description: Blob name to search for (optional)
+          type: String
+          default: 
+      executor:
+        command: |
+          try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+          catch [system.net.webexception]
+          {if($_.Exception.Response -ne $null)
+          {$Response = $_.Exception.Response.GetResponseStream()
+          $ReadResponse = New-Object System.IO.StreamReader($Response)
+          $ReadResponse.BaseStream.Position = 0
+          $responseBody = $ReadResponse.ReadToEnd()}
+          else {$responseBody = "The storage account could not be anonymously accessed."}}
+          "Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+        cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
+
          '
        name: powershell
  T1074.002:
@@ -10,6 +10,8 @@ Misconfiguration by end users is a common problem. There have been numerous inci

 - [Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst](#atomic-test-1---azure---enumerate-azure-blobs-with-microburst)

+- [Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)](#atomic-test-2---azure---scan-for-anonymous-access-to-azure-storage-powershell)
+

 <br/>

@@ -72,4 +74,54 @@ invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4



+<br/>
+<br/>
+
+## Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
+Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. 
+The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. 
+See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 146af1f1-b74e-4aa7-9895-505eb559b4b0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| base_name | Azure storage account name to test | String | T1530Test2|
+| output_file | File to output results to | String | $env:temp&#92;T1530Test2.txt|
+| container_name | Container name to search for (optional) | String | |
+| blob_name | Blob name to search for (optional) | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
+catch [system.net.webexception]
+{if($_.Exception.Response -ne $null)
+{$Response = $_.Exception.Response.GetResponseStream()
+$ReadResponse = New-Object System.IO.StreamReader($Response)
+$ReadResponse.BaseStream.Position = 0
+$responseBody = $ReadResponse.ReadToEnd()}
+else {$responseBody = "The storage account could not be anonymously accessed."}}
+"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -erroraction silentlycontinue
+```
+
+
+
+
+
 <br/>