Skip to content

Supported Techniques

mvelazco edited this page Dec 17, 2024 · 22 revisions

read_email

  • Supported Methods: Graph, EWS
  • Description: Simulates the action of reading emails from a specified mailbox, demonstrating data access and potential exfiltration capabilities.
  • Execution Context: Operates within the access scope of the authenticated user's mailbox with user credentials; with application credentials and the necessary permissions, it extends to reading emails from any mailbox in the organization.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies the API method used (Graph API or EWS).
    • mailbox: Target email address from which emails will be read.
    • limit: Maximum number of emails to be read.

search_mailbox

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within a mailbox to uncover sensitive information.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's mailbox based on provided user credentials. It does not support application authentication.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies the API method used (Graph API).
    • keyword: Keyword for the search.
    • mailbox: Target email address from which emails will be read.
    • limit: Optional parameter to limit the number of search results returned.

search_onedrive

  • Supported Methods: Graph
  • Description: Simulates an adversary conducting targeted searches within OneDrive and Sharepoint.
  • Execution Context: This technique operates exclusively within the scope of the authenticated user's OneDrive based on provided user credentials. It does not support application authentication.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: "graph" indicates the use of Microsoft Graph API for this simulation.
    • keyword: Keyword for the search.
    • limit: Optional parameter to limit the number of search results returned.

create_rule

  • Supported Methods: Graph, EWS, REST
  • Description: Creates an email rule to automatically forward emails containing specified keywords, simulating discreet information exfiltration.
  • Execution Context: With user credentials, allows for creating email rules within the user's own mailbox; when using application credentials with adequate permissions, rules can be established across any user mailboxes organization-wide.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Method used for rule creation (Graph, EWS, or REST).
    • mailbox: Email address on which the rule will be created.
    • rule_name: Name of the created rule.
    • forward_to: Email address to which matching emails will be forwarded.
    • body_contains: Keyword that triggers the rule.

enable_email_forwarding

  • Supported Methods: REST
  • Description: Enables automatic forwarding of all emails from a specified mailbox, simulating unauthorized email traffic diversion.
  • Execution Context: Can enable forwarding for the authenticated user's own mailbox with user credentials; with application credentials granted the right permissions, forwarding can be activated for any mailbox.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: This technique uses REST.
    • mailbox: Mailbox from which emails will be forwarded.
    • forward_to: Destination email address for forwarded emails.

add_folder_permission

  • Supported Methods: REST, EWS
  • Description: Grants a user permission to access a specific folder in another user's mailbox, simulating unauthorized access to sensitive information.
  • Execution Context: Grants folder access rights within the user's mailbox using user credentials; application credentials with proper permissions can modify folder permissions across mailboxes organization-wide.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Specifies REST or EWS.
    • mailbox: Mailbox containing the folder to which permissions will be added.
    • folder: Folder for which permissions are granted.
    • grantee: User being granted folder access.
    • access_rights: Level of access granted (e.g., Owner, Author).

add_mailbox_delegation

  • Supported Methods: REST
  • Description: Grants a user full access to another user's mailbox, critical for simulating compromised account scenarios.
  • Execution Context: Allows mailbox delegation for the authenticated user's mailbox with user credentials; application credentials with sufficient permissions enable delegation setup for any mailbox in the organization.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • mailbox: Mailbox to which access will be delegated.
    • grantee: User granted access to the mailbox.
    • access_rights: Type of access granted, "FullAccess".

run_compliance_search

  • Supported Methods: REST
  • Description: Executes a compliance search for specified keywords, simulating the search for sensitive or regulated information.
  • Execution Context: Requires privileges from either an application with the appropriate permissions or a high-privileged user account with administrative Exchange roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • keyword: Keyword for the search.
    • name: Name of the compliance search.

create_mailflow_rule

  • Supported Methods: REST
  • Description: Establishes a mail flow rule to forward emails based on defined criteria, simulating potential malicious redirection.
  • Execution Context: Can only be executed with sufficient privileges, accessible to applications granted the necessary permissions or users endowed with high-level administrative Exchange roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • access_method: Uses REST.
    • forward_to: Email address for forwarding.
    • name: Name of the mail flow rule.

password_spray

  • Description: Performs a password spray attack by attempting to authenticate multiple user accounts with a single password, simulating a common brute-force technique to identify weak or reused passwords.
  • Execution Context: Does not require an authenticated user and can only target accounts that do not have Multi-Factor Authentication (MFA) enabled.
  • Parameters:
    • user_list: A list of usernames or user email addresses to target.
    • password: The password to attempt across all provided users.
    • sleep: (Optional) Time in seconds to wait between attempts to avoid detection or throttling.
    • jitter: (Optional) Adds random variation to the sleep interval to evade pattern-based detection.
    • user_agent: (Optional) Custom User-Agent string for the HTTP request.
    • proxy: (Optional) HTTP/S proxy to route the requests.

change_user_password

  • Supported Methods: Microsoft Graph API
  • Description: Updates the password of a specified user account, simulating scenarios where an attacker resets or changes a user's password.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as a user with administrative roles or permissions to modify user accounts.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • user_id: The unique identifier (ID) or username (UPN) of the target user account.
    • new_password: The new password to set for the target user account.

assign_app_role

  • Supported Methods: Microsoft Graph API
  • Description: Assigns application roles to a specified service principal, simulating scenarios where an attacker grants elevated permissions to applications or service principals.
  • Execution Context: Requires an authenticated session with sufficient privileges to assign roles to service principals.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • service_principal_id: The unique identifier (ID) of the target service principal to which the role will be assigned.
    • resource_id: The unique identifier (ID) of the resource (application) containing the app role.
    • app_role_id: The unique identifier (ID) of the app role to assign. Can be a single value or a list of IDs.

assign_entra_role

  • Supported Methods: Microsoft Graph API
  • Description: Assigns an Azure AD (Entra) role to a specified user or service principal, simulating privilege escalation scenarios where elevated permissions are granted.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Privileged Role Administrator or Global Administrator roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • user_principal_name: The User Principal Name (UPN) of the target user. (Optional if principal_id is provided).
    • principal_id: The unique identifier (ID) of the user or service principal to assign the role to.
    • role_id: The unique identifier (ID) of the directory role to be assigned.

add_application_secret

  • Supported Methods: Microsoft Graph API
  • Description: Adds a new client secret to an existing application, simulating scenarios where an attacker generates secrets to gain persistent access to an application.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or permissions to manage the target application.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • app_id: The unique object ID of the target application in Azure AD.
    • description: (Optional) A descriptive name for the client secret. Default is "Simulation Secret".
    • secret_duration: (Optional) The validity period of the client secret in days. Default is 90 days.

add_service_principal

  • Supported Methods: Microsoft Graph API
  • Description: Registers a service principal for an external application in the target Azure AD environment, simulating scenarios where an attacker integrates a malicious or unauthorized app for persistent access.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or Global Administrator roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • app_id: The application (client) ID of the external multi-tenant app to register as a service principal.

admin_consent

  • Supported Methods: Microsoft Graph API
  • Description: Grants admin consent for an external application's permissions, simulating scenarios where an attacker provides elevated access to a malicious or unauthorized multi-tenant app.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Global Administrator or Application Administrator roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • client_id: The application (client) ID of the external multi-tenant app requesting consent.
    • resource_id: The service principal ID of the target resource being granted permissions.
    • permissions: A list of OAuth permissions (scopes) to be consented to, e.g., User.Read.All, Mail.Read.

create_application_registration

  • Supported Methods: Microsoft Graph API
  • Description: Registers a new application in Azure AD, simulating scenarios where an attacker creates a malicious application for persistence or further exploitation.
  • Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or Global Administrator roles.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • app_name: The display name for the new application.
    • redirect_uris: (Optional) A list of redirect URIs for the application. Default is an empty list.
    • sign_in_audience: (Optional) Specifies who can sign into the application. Default is AzureADMyOrg.

send_email

  • Supported Methods: Microsoft Graph API
  • Description: Sends an email from the authenticated user’s account, simulating scenarios such as phishing attempts, lateral movement, or data exfiltration.
  • Execution Context: Requires an authenticated session with an account that has permissions to send emails. The technique operates under the context of the signed-in user.
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
    • subject: The subject of the email to be sent.
    • body: The HTML content of the email body.
    • recipients: A list of recipient email addresses.

enumerate_users

  • Supported Methods: Microsoft Graph API
  • Description: Lists all users within the target directory, simulating reconnaissance activity to identify active user accounts.
  • Execution Context: Requires an authenticated session with permissions to read user directory data (e.g., User.Read.All).
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.

enumerate_groups

  • Supported Methods: Microsoft Graph API
  • Description: Retrieves information about all groups in the target directory, simulating reconnaissance to identify group memberships or shared access points.
  • Execution Context: Requires an authenticated session with permissions to read group data (e.g., Group.Read.All).
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.

enumerate_applications

  • Supported Methods: Microsoft Graph API
  • Description: Lists all registered applications within the tenant, simulating enumeration to identify potential applications for exploitation or persistence.
  • Execution Context: Requires an authenticated session with permissions to read application data (e.g., Application.Read.All).
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.

enumerate_service_principals

  • Supported Methods: Microsoft Graph API
  • Description: Enumerates all service principals in the environment, simulating reconnaissance to identify service accounts and associated permissions.
  • Execution Context: Requires an authenticated session with permissions to read service principal data (e.g., Application.Read.All).
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.

enumerate_directory_roles

  • Supported Methods: Microsoft Graph API
  • Description: Retrieves directory roles to identify privileged accounts in the target tenant, simulating reconnaissance for privilege escalation opportunities.
  • Execution Context: Requires an authenticated session with permissions to read directory role data (e.g., Directory.Read.All).
  • Parameters:
    • session: Defines the authentication context, specifying which user or account the technique will execute under.
Clone this wiki locally