Fairly straightforward to deploy a container.
Details:
There was no test case for deploying a container in Atomic Red Team, and I was working with Atomic Red Team, so I thought to create a PR for this feature.
Testing:
Tested using Ubuntu as the base image. It creates an image and runs that image to check that the image is deployed properly.
It may take up to a couple of minutes to run due to image creation. If it hangs for longer than a minute, something went wrong.
Associated Issues:
None
Fairly straightforward way to execute into a container.
Details:
The test was created for Kubernetes, and the MITRE framework also mentions Docker. So I created a second test for the same.
Testing:
Tested using Ubuntu as the base image. If using just Docker, run the container (already present in the script) and execute the test case.
It may take up to a minute to run due to image creation. If it hangs for longer than a minute, something went wrong.
Associated Issues:
None
* Remote System Discovery - net group Domain Controller
Identify remote systems with net.exe querying the Active Directory Domain Controller. Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Controller" in the domain. Output will be via stdout.
* Update T1018.yaml
* Update T1018.yaml
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
The issue was that "Get-AzureADServicePrincipal" and "Get-AzureADApplication" may return several results matching the provided name, which is not handled properly by the code, which will crash. The solution is to select only the first object.
I took the opportunity for a couple of minor improvements in the code of those two tests.
Azure AD has two kinds of federated domains. The one that can be used to authenticate on AAD, as an AAD user, and the one that can be used to authenticate as a guest user (also called external identity).
The current implementation of the attack seems to work, but actually it uses the cmdlets to create a federated domain for external identities, which is not the thing we want to showcase for this ATT&CK technique, since such a federated domain does not allow authenticating as an AAD user.
Sorry for missing this when I supervised the initial work on this ART test.
The newest method uses AADInternals, which is a popular attack framework for AAD and which offers exactly the cmdlet we need.