security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d5f38ebebdeef475aa03e251c68452b31e5e820
atomic-red-team/atomics/T1526/T1526.yaml
T
Atomic Red Team doc generator 6d5f38ebeb Generated docs from job=generate-docs branch=master [ci skip]
2025-01-03 22:28:45 +00:00

151 lines
5.9 KiB
YAML
Raw Blame History

attack_technique: T1526
display_name: Cloud Service Discovery
atomic_tests:
- name: Azure - Dump Subscription Data with MicroBurst
auto_generated_guid: 1e40bb1d-195e-401e-a86b-c192f55e005c
description: |
Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription.
The resources enumerated will display on screen, as well as several csv files and folders will be output to a specified directory, listing what resources were discovered by the script.
See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1
supported_platforms:
- iaas:azure
input_arguments:
username:
description: Azure AD username
type: string
default:
password:
description: Azure AD password
type: string
default: T1082Az
output_directory:
description: Directory to output results to
type: string
default: $env:temp\T1526Test1
subscription_name:
description: Azure subscription name to scan
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
prereq_command: |
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"){exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"
- description: |
The Az module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name Az -Force
executor:
command: |
import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential | out-null
Get-AzDomainInfo -folder #{output_directory} -subscription "#{subscription_name}" -verbose
cleanup_command: |
remove-item #{output_directory} -recurse -force -erroraction silentlycontinue
name: powershell
- name: AWS - Enumerate common cloud services
auto_generated_guid: aa8b9bcc-46fa-4a59-9237-73c7b93a980c
description: |
Upon successful execution, this test will enumerate common resources that are contained within a valid AWS account.
supported_platforms:
- iaas:aws
input_arguments:
access_key:
description: AWS Access Key
type: string
default: ""
secret_key:
description: AWS Secret Key
type: string
default: ""
session_token:
description: AWS Session Token
type: string
default: ""
profile:
description: AWS profile
type: string
default: ""
regions:
description: AWS regions
type: string
default: us-east-1,us-east-2,us-west-1,us-west-2
output_directory:
description: Directory to output results to
type: string
default: $env:TMPDIR/aws_discovery
dependency_executor_name: powershell
dependencies:
- description: |
The AWS PowerShell module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name AWSPowerShell -Force
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1"
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$regions = "#{regions}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile
Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}"
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
- name: Azure - Enumerate common cloud services
auto_generated_guid: 58f57c8f-db14-4e62-a4d3-5aaf556755d7
description: |
Upon successful execution, this test will enumerate common resources that are contained within a valid Azure subscription.
supported_platforms:
- iaas:azure
input_arguments:
client_id:
description: Azure AD client ID
type: string
default:
client_secret:
description: Azure AD client secret
type: string
default:
tenant_id:
description: Azure AD tenant ID
type: string
default:
cloud:
description: Azure cloud environment
type: string
default: AzureCloud
output_directory:
description: Directory to output results to
type: string
default: $env:TMPDIR/azure_discovery
dependency_executor_name: powershell
dependencies:
- description: |
The Az module must be installed.
prereq_command: |
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
get_prereq_command: |
Install-Module -Name Az -Force
executor:
command: |
Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1"
$client_id = "#{client_id}"
$client_secret = "#{client_secret}"
$tenant_id = "#{tenant_id}"
$environment = "#{cloud}"
Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment
Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment
Remove-BlankFiles -OutputDirectory "#{output_directory}"
name: powershell
Reference in New Issue View Git Blame Copy Permalink