attack_technique: T1526 display_name: Cloud Service Discovery atomic_tests: - name: Azure - Dump Subscription Data with MicroBurst auto_generated_guid: 1e40bb1d-195e-401e-a86b-c192f55e005c description: | Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription. The resources enumerated will display on screen, as well as several csv files and folders will be output to a specified directory, listing what resources were discovered by the script. See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1 supported_platforms: - iaas:azure input_arguments: username: description: Azure AD username type: string default: password: description: Azure AD password type: string default: T1082Az output_directory: description: Directory to output results to type: string default: $env:temp\T1526Test1 subscription_name: description: Azure subscription name to scan type: string default: dependency_executor_name: powershell dependencies: - description: | The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads. prereq_command: | if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"){exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" - description: | The Az module must be installed. prereq_command: | try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} get_prereq_command: | Install-Module -Name Az -Force executor: command: | import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password Connect-AzAccount -Credential $Credential | out-null Get-AzDomainInfo -folder #{output_directory} -subscription "#{subscription_name}" -verbose cleanup_command: | remove-item #{output_directory} -recurse -force -erroraction silentlycontinue name: powershell - name: AWS - Enumerate common cloud services auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c description: | Upon successful execution, this test will enumerate common resources that are contained within a valid AWS account. supported_platforms: - iaas:aws input_arguments: access_key: description: AWS Access Key type: string default: "" secret_key: description: AWS Secret Key type: string default: "" session_token: description: AWS Session Token type: string default: "" profile: description: AWS profile type: string default: "" regions: description: AWS regions type: string default: us-east-1,us-east-2,us-west-1,us-west-2 output_directory: description: Directory to output results to type: string default: $env:TMPDIR/aws_discovery dependency_executor_name: powershell dependencies: - description: | The AWS PowerShell module must be installed. prereq_command: | try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} get_prereq_command: | Install-Module -Name AWSPowerShell -Force executor: command: | Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1" $access_key = "#{access_key}" $secret_key = "#{secret_key}" $session_token = "#{session_token}" $aws_profile = "#{profile}" $regions = "#{regions}" Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}" Remove-BlankFiles -OutputDirectory "#{output_directory}" name: powershell - name: Azure - Enumerate common cloud services auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7 description: | Upon successful execution, this test will enumerate common resources that are contained within a valid Azure subscription. supported_platforms: - iaas:azure input_arguments: client_id: description: Azure AD client ID type: string default: client_secret: description: Azure AD client secret type: string default: tenant_id: description: Azure AD tenant ID type: string default: cloud: description: Azure cloud environment type: string default: AzureCloud output_directory: description: Directory to output results to type: string default: $env:TMPDIR/azure_discovery dependency_executor_name: powershell dependencies: - description: | The Az module must be installed. prereq_command: | try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} get_prereq_command: | Install-Module -Name Az -Force executor: command: | Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1" $client_id = "#{client_id}" $client_secret = "#{client_secret}" $tenant_id = "#{tenant_id}" $environment = "#{cloud}" Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment Remove-BlankFiles -OutputDirectory "#{output_directory}" name: powershell