Supported Techniques
mvelazco edited this page Dec 17, 2024
- Supported Methods: Graph, EWS
- Description: Simulates the action of reading emails from a specified mailbox, demonstrating data access and potential exfiltration capabilities.
- Execution Context: Operates within the access scope of the authenticated user's mailbox with user credentials; with application credentials and the necessary permissions, it extends to reading emails from any mailbox in the organization.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Specifies the API method used (Graph API or EWS).
  - `mailbox`: Target email address from which emails will be read.
  - `limit`: Maximum number of emails to be read.

- Supported Methods: Graph
- Description: Simulates an adversary conducting targeted searches within a mailbox to uncover sensitive information.
- Execution Context: This technique operates exclusively within the scope of the authenticated user's mailbox based on provided user credentials. It does not support application authentication.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Specifies the API method used (Graph API).
  - `keyword`: Keyword for the search.
  - `mailbox`: Target email address from which emails will be read.
  - `limit`: Optional parameter to limit the number of search results returned.

- Supported Methods: Graph
- Description: Simulates an adversary conducting targeted searches within OneDrive and SharePoint.
- Execution Context: This technique operates exclusively within the scope of the authenticated user's OneDrive based on provided user credentials. It does not support application authentication.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: `graph` indicates the use of the Microsoft Graph API for this simulation.
  - `keyword`: Keyword for the search.
  - `limit`: Optional parameter to limit the number of search results returned.

- Supported Methods: Graph, EWS, REST
- Description: Creates an email rule to automatically forward emails containing specified keywords, simulating discreet information exfiltration.
- Execution Context: With user credentials, allows for creating email rules within the user's own mailbox; when using application credentials with adequate permissions, rules can be established across any user mailboxes organization-wide.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Method used for rule creation (Graph, EWS, or REST).
  - `mailbox`: Email address on which the rule will be created.
  - `rule_name`: Name of the created rule.
  - `forward_to`: Email address to which matching emails will be forwarded.
  - `body_contains`: Keyword that triggers the rule.

- Supported Methods: REST
- Description: Enables automatic forwarding of all emails from a specified mailbox, simulating unauthorized email traffic diversion.
- Execution Context: Can enable forwarding for the authenticated user's own mailbox with user credentials; with application credentials granted the right permissions, forwarding can be activated for any mailbox.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: This technique uses REST.
  - `mailbox`: Mailbox from which emails will be forwarded.
  - `forward_to`: Destination email address for forwarded emails.

- Supported Methods: REST, EWS
- Description: Grants a user permission to access a specific folder in another user's mailbox, simulating unauthorized access to sensitive information.
- Execution Context: Grants folder access rights within the user's mailbox using user credentials; application credentials with proper permissions can modify folder permissions across mailboxes organization-wide.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Specifies REST or EWS.
  - `mailbox`: Mailbox containing the folder to which permissions will be added.
  - `folder`: Folder for which permissions are granted.
  - `grantee`: User being granted folder access.
  - `access_rights`: Level of access granted (e.g., Owner, Author).

- Supported Methods: REST
- Description: Grants a user full access to another user's mailbox, critical for simulating compromised account scenarios.
- Execution Context: Allows mailbox delegation for the authenticated user's mailbox with user credentials; application credentials with sufficient permissions enable delegation setup for any mailbox in the organization.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Uses REST.
  - `mailbox`: Mailbox to which access will be delegated.
  - `grantee`: User granted access to the mailbox.
  - `access_rights`: Type of access granted, `FullAccess`.

- Supported Methods: REST
- Description: Executes a compliance search for specified keywords, simulating the search for sensitive or regulated information.
- Execution Context: Requires privileges from either an application with the appropriate permissions or a high-privileged user account with administrative Exchange roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Uses REST.
  - `keyword`: Keyword for the search.
  - `name`: Name of the compliance search.

- Supported Methods: REST
- Description: Establishes a mail flow rule to forward emails based on defined criteria, simulating potential malicious redirection.
- Execution Context: Can only be executed with sufficient privileges, accessible to applications granted the necessary permissions or users endowed with high-level administrative Exchange roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `access_method`: Uses REST.
  - `forward_to`: Email address for forwarding.
  - `name`: Name of the mail flow rule.

- Description: Performs a password spray attack by attempting to authenticate multiple user accounts with a single password, simulating a common brute-force technique to identify weak or reused passwords.
- Execution Context: Does not require an authenticated user and can only target accounts that do not have Multi-Factor Authentication (MFA) enabled.
- Parameters:
  - `user_list`: A list of usernames or user email addresses to target.
  - `password`: The password to attempt across all provided users.
  - `sleep`: (Optional) Time in seconds to wait between attempts to avoid detection or throttling.
  - `jitter`: (Optional) Adds random variation to the sleep interval to evade pattern-based detection.
  - `user_agent`: (Optional) Custom User-Agent string for the HTTP request.
  - `proxy`: (Optional) HTTP/S proxy to route the requests.

- Supported Methods: Microsoft Graph API
- Description: Updates the password of a specified user account, simulating scenarios where an attacker resets or changes a user's password.
- Execution Context: Requires an authenticated session with sufficient privileges, such as a user with administrative roles or permissions to modify user accounts.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `user_id`: The unique identifier (ID) or username (UPN) of the target user account.
  - `new_password`: The new password to set for the target user account.

- Supported Methods: Microsoft Graph API
- Description: Assigns application roles to a specified service principal, simulating scenarios where an attacker grants elevated permissions to applications or service principals.
- Execution Context: Requires an authenticated session with sufficient privileges to assign roles to service principals.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `service_principal_id`: The unique identifier (ID) of the target service principal to which the role will be assigned.
  - `resource_id`: The unique identifier (ID) of the resource (application) containing the app role.
  - `app_role_id`: The unique identifier (ID) of the app role to assign. Can be a single value or a list of IDs.

- Supported Methods: Microsoft Graph API
- Description: Assigns an Azure AD (Entra) role to a specified user or service principal, simulating privilege escalation scenarios where elevated permissions are granted.
- Execution Context: Requires an authenticated session with sufficient privileges, such as Privileged Role Administrator or Global Administrator roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `user_principal_name`: The User Principal Name (UPN) of the target user. (Optional if `principal_id` is provided.)
  - `principal_id`: The unique identifier (ID) of the user or service principal to assign the role to.
  - `role_id`: The unique identifier (ID) of the directory role to be assigned.

- Supported Methods: Microsoft Graph API
- Description: Adds a new client secret to an existing application, simulating scenarios where an attacker generates secrets to gain persistent access to an application.
- Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or permissions to manage the target application.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `app_id`: The unique object ID of the target application in Azure AD.
  - `description`: (Optional) A descriptive name for the client secret. Default is `"Simulation Secret"`.
  - `secret_duration`: (Optional) The validity period of the client secret in days. Default is `90` days.

- Supported Methods: Microsoft Graph API
- Description: Registers a service principal for an external application in the target Azure AD environment, simulating scenarios where an attacker integrates a malicious or unauthorized app for persistent access.
- Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or Global Administrator roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `app_id`: The application (client) ID of the external multi-tenant app to register as a service principal.

- Supported Methods: Microsoft Graph API
- Description: Grants admin consent for an external application's permissions, simulating scenarios where an attacker provides elevated access to a malicious or unauthorized multi-tenant app.
- Execution Context: Requires an authenticated session with sufficient privileges, such as Global Administrator or Application Administrator roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `client_id`: The application (client) ID of the external multi-tenant app requesting consent.
  - `resource_id`: The service principal ID of the target resource being granted permissions.
  - `permissions`: A list of OAuth permissions (scopes) to be consented to, e.g., `User.Read.All`, `Mail.Read`.

- Supported Methods: Microsoft Graph API
- Description: Registers a new application in Azure AD, simulating scenarios where an attacker creates a malicious application for persistence or further exploitation.
- Execution Context: Requires an authenticated session with sufficient privileges, such as Application Administrator or Global Administrator roles.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `app_name`: The display name for the new application.
  - `redirect_uris`: (Optional) A list of redirect URIs for the application. Default is an empty list.
  - `sign_in_audience`: (Optional) Specifies who can sign into the application. Default is `AzureADMyOrg`.

- Supported Methods: Microsoft Graph API
- Description: Sends an email from the authenticated user's account, simulating scenarios such as phishing attempts, lateral movement, or data exfiltration.
- Execution Context: Requires an authenticated session with an account that has permissions to send emails. The technique operates under the context of the signed-in user.
- Parameters:
  - `session`: Defines the authentication context, specifying which user or account the technique will execute under.
  - `subject`: The subject of the email to be sent.
  - `body`: The HTML content of the email body.
  - `recipients`: A list of recipient email addresses.