From 307665de3b6b92a1fbcecc555246739eccbb34a6 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 14 Jun 2022 02:23:52 -0500
Subject: [PATCH 1/2] Create T1530.yaml
---
 atomics/T1530/T1530.yaml | 43 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 atomics/T1530/T1530.yaml
diff --git a/atomics/T1530/T1530.yaml b/atomics/T1530/T1530.yaml
new file mode 100644
index 00000000..6c3c9e58
--- /dev/null
+++ b/atomics/T1530/T1530.yaml
@@ -0,0 +1,43 @@
+attack_technique: T1530
+display_name: Data from Cloud Storage Object
+atomic_tests:
+- name: Enumerate Azure Blobs with MicroBurst
+ description: |
+ Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
+ See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
+ supported_platforms:
+ - windows
+ input_arguments:
+ base:
+ description: Azure blob keyword to enumerate (Example, storage account name)
+ type: String
+ default: secure
+ output_file:
+ description: File to output results to
+ type: String
+ default: $env:temp\T1530Test1.txt
+ wordlist:
+ description: File path to keywords for search permutations
+ type: String
+ default: $env:temp\permutations.txt
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ The Invoke-EnumerateAzureBlobs module must exist in $env:temp.
+ prereq_command: |
+ if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}
+ get_prereq_command: |
+ invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
+ - description: |
+ The wordlist file for search permutations must exist in $env:temp.
+ prereq_command: |
+ if (test-path #{wordlist}){exit 0} else {exit 1}
+ get_prereq_command: |
+ invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
+ executor:
+ command: |
+ import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
+ Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
+ cleanup_command: |
+ remove-item #{output_file} -erroraction silentlycontinue
+ name: powershell
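Review bot: Both `prereq_command` entries only test that a file exists, so whatever already sits at `$env:temp\Invoke-EnumerateAzureBlobs.ps1` satisfies the dependency and is then loaded by `import-module` in the executor; the commit pin in the download URL is bypassed whenever a file is already present in that user-writable directory. I would compare a digest in the prereq instead, e.g. `if ((Get-FileHash "$env:temp\Invoke-EnumerateAzureBlobs.ps1" -Algorithm SHA256).Hash -eq "<EXPECTED_SHA256>"){exit 0} else {exit 1}`, with the placeholder replaced by the SHA-256 of the pinned file. The default `base: secure` is a generic keyword rather than a storage account the operator owns, so an unmodified run queries names outside the tester's own tenant and its results are not reproducible; a labelled placeholder default would force an explicit choice. Separately, `cleanup_command` passes `#{output_file}` unquoted while the executor quotes it; `remove-item "#{output_file}" -erroraction silentlycontinue` keeps the two consistent for paths containing spaces.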
From 449ddbf26673c62936a490ef3be4f2eba8ba05bd Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 21 Jun 2022 20:34:23 -0500
Subject: [PATCH 2/2] Updating test name and supported platform
---
 atomics/T1530/T1530.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1530/T1530.yaml b/atomics/T1530/T1530.yaml
index 6c3c9e58..22f3f2c0 100644
--- a/atomics/T1530/T1530.yaml
+++ b/atomics/T1530/T1530.yaml
@@ -1,12 +1,12 @@
 attack_technique: T1530
 display_name: Data from Cloud Storage Object
 atomic_tests:
-- name: Enumerate Azure Blobs with MicroBurst
+- name: Azure - Enumerate Azure Blobs with MicroBurst
 description: |
 Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account.
 See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .
 supported_platforms:
- - windows
+ - iaas:azure
 input_arguments:
 base:
 description: Azure blob keyword to enumerate (Example, storage account name)
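Review bot: Replacing `- windows` with `- iaas:azure` under `supported_platforms` removes the only statement of what the runner host must be, while the commands added in patch 1/2 still rely on `$env:temp` and backslash paths. That variable is presumably unset under PowerShell on Linux or macOS, in which case the prerequisite and output paths would not resolve to a temp directory; confirm against the intended runner. I would record the host requirement in the test's `description:` block, e.g. a line such as `Requires a Windows host with PowerShell.`, or switch the defaults to a portable temp location. The executor and dependency lines are outside this hunk, which ends inside `input_arguments`.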