za
1015 lines
52 KiB
YAML
1015 lines
52 KiB
YAML
attack_technique: T1098
|
|
display_name: Account Manipulation
|
|
atomic_tests:
|
|
- name: Admin Account Manipulate
|
|
auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af
|
|
description: |
|
|
Manipulate Admin Account Name
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$x = Get-Random -Minimum 2 -Maximum 9999
|
|
$y = Get-Random -Minimum 2 -Maximum 9999
|
|
$z = Get-Random -Minimum 2 -Maximum 9999
|
|
$w = Get-Random -Minimum 2 -Maximum 9999
|
|
Write-Host HaHa_$x$y$z
|
|
|
|
$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name
|
|
|
|
foreach($member in $fmm) {
|
|
if($member -like "*Administrator*") {
|
|
$account = $member.Name.Split("\")[-1] # strip computername\
|
|
$originalDescription = (Get-LocalUser -Name $account).Description
|
|
Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
|
|
Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation
|
|
Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME
|
|
}
|
|
}
|
|
cleanup_command: |
|
|
$list = Get-LocalUser |?{$_.Description -like "atr:*"}
|
|
foreach($u in $list) {
|
|
$u.Description -match "atr:(?<Name>[^;]+);(?<Description>.*)"
|
|
Set-LocalUser -Name $u.Name -Description $Matches.Description
|
|
Rename-LocalUser -Name $u.Name -NewName $Matches.Name
|
|
Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME
|
|
}
|
|
name: powershell
|
|
elevation_required: true
|
|
|
|
- name: Domain Account and Group Manipulate
|
|
auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
|
|
description: |
|
|
Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
|
|
|
|
The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
|
|
you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to
|
|
create the user and alter the group. Automatic installation of the dependency requires an elevated session,
|
|
and is unlikely to work with Powershell Core (untested).
|
|
|
|
If you consider running this test against a production Active Directory, the good practise is to create a dedicated
|
|
service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
|
|
as group manager of the target group.
|
|
|
|
Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
account_prefix:
|
|
description: |
|
|
Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
|
|
a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
|
|
type: string
|
|
default: atr-
|
|
group:
|
|
description: Name of the group to alter
|
|
type: string
|
|
default: "Domain Admins"
|
|
create_args:
|
|
description: Additional string appended to New-ADUser call
|
|
type: string
|
|
default: ""
|
|
dependencies:
|
|
- description: |
|
|
PS Module ActiveDirectory
|
|
prereq_command: |
|
|
Try {
|
|
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
|
|
exit 0
|
|
}
|
|
Catch {
|
|
exit 1
|
|
}
|
|
get_prereq_command: |
|
|
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
|
|
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
|
|
} else {
|
|
Install-WindowsFeature RSAT-AD-PowerShell
|
|
}
|
|
executor:
|
|
command: |
|
|
$x = Get-Random -Minimum 2 -Maximum 99
|
|
$y = Get-Random -Minimum 2 -Maximum 99
|
|
$z = Get-Random -Minimum 2 -Maximum 99
|
|
$w = Get-Random -Minimum 2 -Maximum 99
|
|
|
|
Import-Module ActiveDirectory
|
|
$account = "#{account_prefix}-$x$y$z"
|
|
New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
|
|
Add-ADGroupMember "#{group}" $account
|
|
cleanup_command: |
|
|
Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
|
|
name: powershell
|
|
|
|
- name: AWS - Create a group and add a user to that group
|
|
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
|
|
description: |
|
|
Adversaries create AWS group, add users to specific to that group to elevate their privileges to gain more accesss
|
|
supported_platforms:
|
|
- iaas:aws
|
|
input_arguments:
|
|
username:
|
|
description: Name of the AWS group to create
|
|
type: string
|
|
default: "atomicredteam"
|
|
dependencies:
|
|
- description: |
|
|
Check if the user exists, we can only add a user to a group if the user exists.
|
|
prereq_command: |
|
|
aws iam list-users | grep #{username}
|
|
get_prereq_command: |
|
|
echo Please run atomic test T1136.003, before running this atomic test
|
|
executor:
|
|
command: |
|
|
aws iam create-group --group-name #{username}
|
|
aws iam add-user-to-group --user-name #{username} --group-name #{username}
|
|
cleanup_command: |
|
|
aws iam remove-user-from-group --user-name #{username} --group-name #{username}
|
|
aws iam delete-group --group-name #{username}
|
|
name: sh
|
|
|
|
- name: Azure AD - adding user to Azure AD role
|
|
auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261
|
|
description: |
|
|
The adversaries want to add user to some Azure AD role. Threat actor
|
|
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
|
|
Privileged Authentication Administrator (this role can reset Global Administrator password!).
|
|
By default, the role Global Reader is assigned to the user principal in this test.
|
|
|
|
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
|
|
|
|
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
|
|
supported_platforms:
|
|
- azure-ad
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default: jonh@contoso.com
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: p4sswd
|
|
user_principal_name:
|
|
description: Display Name, or User Principal Name, of the targeted user principal
|
|
type: string
|
|
default: SuperUser
|
|
role_name:
|
|
description: Name of the targeted Azure AD role
|
|
type: string
|
|
default: Global Reader
|
|
dependencies:
|
|
- description: |
|
|
AzureAD module must be installed.
|
|
prereq_command: |
|
|
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name AzureAD -Force
|
|
executor:
|
|
command: |
|
|
Import-Module -Name AzureAD
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential
|
|
|
|
$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
|
|
if ($user -eq $null) { Write-Warning "User not found"; exit }
|
|
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
|
|
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
|
|
cleanup_command: |
|
|
Import-Module -Name AzureAD -ErrorAction Ignore
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
|
|
|
|
$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
|
|
if ($user -eq $null) { Write-Warning "User not found"; exit }
|
|
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
|
|
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
|
|
name: powershell
|
|
elevation_required: false
|
|
|
|
- name: Azure AD - adding service principal to Azure AD role
|
|
auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4
|
|
description: |
|
|
The adversaries want to add service principal to some Azure AD role. Threat actor
|
|
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
|
|
Privileged Authentication Administrator (this role can reset Global Administrator password!).
|
|
By default, the role Global Reader is assigned to service principal in this test.
|
|
|
|
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
|
|
|
|
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
|
|
supported_platforms:
|
|
- azure-ad
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default: jonh@contoso.com
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: p4sswd
|
|
service_principal_name:
|
|
description: Name of the service principal
|
|
type: string
|
|
default: SuperSP
|
|
role_name:
|
|
description: Name of the targeted Azure AD role
|
|
type: string
|
|
default: Global Reader
|
|
dependencies:
|
|
- description: |
|
|
AzureAD module must be installed.
|
|
prereq_command: |
|
|
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name AzureAD -Force
|
|
executor:
|
|
command: |
|
|
Import-Module -Name AzureAD
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential
|
|
|
|
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
|
|
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
|
|
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
|
|
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
|
|
cleanup_command: |
|
|
Import-Module -Name AzureAD -ErrorAction Ignore
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential -ErrorAction Ignore
|
|
|
|
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
|
|
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
|
|
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
|
|
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
|
|
name: powershell
|
|
elevation_required: false
|
|
|
|
- name: Azure - adding user to Azure role in subscription
|
|
auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea
|
|
description: |
|
|
The adversaries want to add user to some Azure role, also called Azure resource role. Threat actor
|
|
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
|
|
By default, the role Reader is assigned to user in this test.
|
|
|
|
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
|
|
|
|
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
|
|
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
|
|
and Microsoft Graph Directory.Read.All permissions.
|
|
|
|
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
|
|
supported_platforms:
|
|
- iaas:azure
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default: jonh@contoso.com
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: p4sswd
|
|
user_principal_name:
|
|
description: Display Name, or User Principal Name, of the targeted user principal
|
|
type: string
|
|
default: SuperUser
|
|
role_name:
|
|
description: Name of the targeted Azure role
|
|
type: string
|
|
default: Reader
|
|
subscription:
|
|
description: Name of the targeted subscription
|
|
type: string
|
|
default: Azure subscription 1
|
|
dependencies:
|
|
- description: |
|
|
Az.Resources module must be installed.
|
|
prereq_command: |
|
|
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name Az.Resources -Force
|
|
executor:
|
|
command: |
|
|
Import-Module -Name Az.Resources
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzAccount -Credential $Credential
|
|
|
|
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
|
|
if ($user -eq $null) { Write-Warning "User not found"; exit }
|
|
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
|
|
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
|
|
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
|
|
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
|
|
cleanup_command: |
|
|
Import-Module -Name AzureAD -ErrorAction Ignore
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
|
|
|
|
$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
|
|
if ($user -eq $null) { Write-Warning "User not found"; exit }
|
|
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
|
|
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
|
|
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
|
|
Write-Host "User Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
|
|
name: powershell
|
|
elevation_required: false
|
|
|
|
- name: Azure - adding service principal to Azure role in subscription
|
|
auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404
|
|
description: |
|
|
The adversaries want to add service principal to some Azure role, also called Azure resource role. Threat actor
|
|
may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
|
|
By default, the role Reader is assigned to service principal in this test.
|
|
|
|
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
|
|
|
|
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
|
|
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
|
|
and Microsoft Graph Directory.Read.All permissions.
|
|
|
|
Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
|
|
supported_platforms:
|
|
- iaas:azure
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default: jonh@contoso.com
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: p4sswd
|
|
service_principal_name:
|
|
description: Name of the service principal
|
|
type: string
|
|
default: SuperSP
|
|
role_name:
|
|
description: Name of the targeted Azure role
|
|
type: string
|
|
default: Reader
|
|
subscription:
|
|
description: Name of the targeted subscription
|
|
type: string
|
|
default: Azure subscription 1
|
|
dependencies:
|
|
- description: |
|
|
Az.Resources module must be installed.
|
|
prereq_command: |
|
|
try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name Az.Resources -Force
|
|
executor:
|
|
command: |
|
|
Import-Module -Name Az.Resources
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzAccount -Credential $Credential
|
|
|
|
$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
|
|
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
|
|
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
|
|
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
|
|
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
|
|
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
|
|
cleanup_command: |
|
|
Import-Module -Name AzureAD -ErrorAction Ignore
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzAccount -Credential $Credential -ErrorAction Ignore
|
|
|
|
$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
|
|
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
|
|
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
|
|
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
|
|
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
|
|
if ($role -eq $null) { Write-Warning "Role not found"; exit }
|
|
|
|
Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
|
|
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
|
|
name: powershell
|
|
elevation_required: false
|
|
|
|
- name: Azure AD - adding permission to application
|
|
auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b
|
|
description: |
|
|
The adversaries want to add permission to newly created application. Application could be then used for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.
|
|
This technique will create a new app, with the provided name, and give it the provided permission. But if you prefer to add credentials to an existing app, replace in the code: "Get-AzureADApplication" instead of "New-AzureADServicePrincipal".
|
|
The DirectoryRecommendations.Read.All permissions has been selected as the default.
|
|
|
|
The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.
|
|
|
|
Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs.
|
|
You can also take a look at the materials:
|
|
https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
|
|
https://github.com/reprise99/Sentinel-Queries
|
|
https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
|
|
https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
|
|
supported_platforms:
|
|
- azure-ad
|
|
input_arguments:
|
|
username:
|
|
description: Azure AD username
|
|
type: string
|
|
default: jonh@contoso.com
|
|
password:
|
|
description: Azure AD password
|
|
type: string
|
|
default: p4sswd
|
|
application_name:
|
|
description: Name of the targeted application that will be created
|
|
type: string
|
|
default: test_app
|
|
application_permission:
|
|
description: Permission from Microsoft Graph Resource API that will be added to application
|
|
type: string
|
|
default: DirectoryRecommendations.Read.All
|
|
dependencies:
|
|
- description: |
|
|
AzureAD module must be installed.
|
|
prereq_command: |
|
|
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name AzureAD -Force
|
|
executor:
|
|
command: |
|
|
Import-Module -Name AzureAD
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential
|
|
|
|
$aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
|
|
$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
|
|
#$aadApplication = Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'"
|
|
|
|
#Get Service Principal of Microsoft Graph Resource API
|
|
$graphSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
|
|
|
|
#Initialize RequiredResourceAccess for Microsoft Graph Resource API
|
|
$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
|
|
$requiredGraphAccess.ResourceAppId = $graphSP.AppId
|
|
$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
|
|
|
|
#Set Application Permissions
|
|
$ApplicationPermissions = @('#{application_permission}')
|
|
|
|
$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}
|
|
if($reqPermission)
|
|
{
|
|
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
|
|
$resourceAccess.Type = "Role"
|
|
$resourceAccess.Id = $reqPermission.Id
|
|
#Add required app permission
|
|
$requiredGraphAccess.ResourceAccess.Add($resourceAccess)
|
|
}
|
|
else
|
|
{
|
|
Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
|
|
}
|
|
|
|
#Add required resource accesses
|
|
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
|
|
$requiredResourcesAccess.Add($requiredGraphAccess)
|
|
|
|
#Set permissions in existing Azure AD App
|
|
Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
|
|
|
|
$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($aadApplication.AppId)'"
|
|
|
|
New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id
|
|
|
|
cleanup_command: |
|
|
Import-Module -Name AzureAD
|
|
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
|
|
Connect-AzureAD -Credential $Credential
|
|
|
|
$aadApplication = @(Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'")
|
|
If ($aadApplication.Count -eq 0)
|
|
{
|
|
Write-Host "App not found: cannot delete it"
|
|
exit
|
|
}
|
|
ElseIf ($aadApplication.Count -gt 1)
|
|
{
|
|
Write-Host "Found several app with name '#{application_name}': one is likely the one this technique created, but as a precaution, none will be deleted. Manual cleanup is required."
|
|
exit
|
|
}
|
|
Else
|
|
{
|
|
Remove-AzureADApplication -ObjectId $aadApplication[0].ObjectId
|
|
Write-Host "Successfully deleted app"
|
|
}
|
|
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Password Change on Directory Service Restore Mode (DSRM) Account
|
|
auto_generated_guid: d5b886d9-d1c7-4b6e-a7b0-460041bf2823
|
|
|
|
description: |
|
|
Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
sync_account:
|
|
description: Account to sync password from
|
|
type: string
|
|
default: '%username%'
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: true
|
|
command: |
|
|
ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"
|
|
|
|
- name: 'Domain Password Policy Check: Short Password'
|
|
auto_generated_guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default value is 7 characters)
|
|
type: string
|
|
default: Uplow-1
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: No Number in Password'
|
|
auto_generated_guid: 68190529-069b-4ffc-a942-919704158065
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default is long and has upper and lower case and special character but no number)
|
|
type: string
|
|
default: UpperLowerLong-special
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: No Special Character in Password'
|
|
auto_generated_guid: 7d984ef2-2db2-4cec-b090-e637e1698f61
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default is long and has upper and lower case and number but no special character)
|
|
type: string
|
|
default: UpperLowerLong333noSpecialChar
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: No Uppercase Character in Password'
|
|
auto_generated_guid: b299c120-44a7-4d68-b8e2-8ba5a28511ec
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default is long and has and lower case and special character and number but no uppercase)
|
|
type: string
|
|
default: lower-long-special-333
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: No Lowercase Character in Password'
|
|
auto_generated_guid: 945da11e-977e-4dab-85d2-f394d03c5887
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default is long and has and upper case and special character and number but no lowercase)
|
|
type: string
|
|
default: UPPER-LONG-SPECIAL-333
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: Only Two Character Classes'
|
|
auto_generated_guid: 784d1349-5a26-4d20-af5e-d6af53bae460
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default has only upper and lower case characters)
|
|
type: string
|
|
default: onlyUPandLowChars
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
|
|
- name: 'Domain Password Policy Check: Common Password Use'
|
|
auto_generated_guid: 81959d03-c51f-49a1-bb24-23f1ec885578
|
|
description: |
|
|
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
|
|
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
|
|
password policy will likely prevent you from setting the password back to what it was.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
new_password:
|
|
description: The password to set for the current domain user (default is Season and current year combo)
|
|
type: string
|
|
default: Spring$((Get-Date).Year)!
|
|
cred_file:
|
|
description: A file containing the password of the current user
|
|
type: path
|
|
default: '$env:LOCALAPPDATA\AtomicRedTeam\$env:USERNAME.txt'
|
|
dependencies:
|
|
- description: |
|
|
Password for current user must be stored in a credential file
|
|
prereq_command: |
|
|
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
|
|
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
|
|
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
$credFile = "#{cred_file}"
|
|
if (Test-Path $credFile) {
|
|
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
|
|
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
|
|
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
|
|
}
|
|
try {
|
|
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
|
|
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
|
|
}
|
|
catch {
|
|
$_.Exception
|
|
$errCode = $_.Exception.ErrorCode
|
|
Write-Host "Error code: $errCode"
|
|
if ($errCode -eq 86) {
|
|
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
|
|
Remove-Item $credFile
|
|
}
|
|
exit $errCode
|
|
}
|
|
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
|
|
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
|
|
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
|
|
}
|
|
else {
|
|
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
|
|
}
|
|
- name: GCP - Delete Service Account Key
|
|
auto_generated_guid: 7ece1dea-49f1-4d62-bdcc-5801e3292510
|
|
description: |
|
|
This Atomic will:
|
|
- Create a service account
|
|
- Create a service account key,
|
|
- Store the result of retrieving a single key for that service account as a variable
|
|
- Pass that variable for deletion
|
|
- Delete the service account
|
|
|
|
The idea for this Atomic came from a Rule published by the Elastic team.
|
|
|
|
Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
|
|
Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate.
|
|
If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.
|
|
|
|
Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
|
|
supported_platforms:
|
|
- iaas:gcp
|
|
input_arguments:
|
|
project_id:
|
|
description: ID of the GCP Project you to execute the command against.
|
|
type: string
|
|
default: atomic-test-1
|
|
service_name:
|
|
description: The name of the service account.
|
|
type: string
|
|
default: atomic-service-account
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
gcloud config set project #{project_id}
|
|
KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
|
|
gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet
|
|
cleanup_command: |
|
|
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
|
|
terraform state rm google_service_account_key.key
|
|
terraform destroy -auto-approve
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Requires gcloud
|
|
prereq_command: |
|
|
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
|
|
get_prereq_command: |
|
|
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
|
|
- description: |
|
|
Check if user is logged in
|
|
prereq_command: |
|
|
gcloud config get-value account
|
|
get_prereq_command: |
|
|
gcloud auth login --no-launch-browser
|
|
- description: |
|
|
Check if terraform is installed.
|
|
prereq_command: |
|
|
terraform version
|
|
get_prereq_command: |
|
|
echo Please install the terraform.
|
|
- description: |
|
|
Create dependency resources using terraform
|
|
prereq_command: |
|
|
stat "$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate"
|
|
get_prereq_command: |
|
|
cd "$PathToAtomicsFolder/T1098/src/T1098-17/"
|
|
terraform init
|
|
terraform apply -auto-approve
|