-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure_attck_test.sh
271 lines (236 loc) · 14.7 KB
/
azure_attck_test.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
#!/bin/bash
# Set up environment variables
AZURE_SUBSCRIPTION_ID="your_subscription_id"
RESOURCE_GROUP="your_resource_group"
VM_NAME="your_vm_name"
# Login to Azure
az login
# Select subscription
az account set --subscription $AZURE_SUBSCRIPTION_ID
# Function to log results
log_result() {
local test_name="$1"
local result="$2"
local status="$3"
echo "$test_name: $result. Status: $status"
}
# Initial Access
# Phishing simulation (this is a very basic example and not a full-fledged phishing test)
echo "Simulating phishing email check (not a real test)."
log_result "Phishing Simulation" "Simulated but not a real test." "Inconclusive"
# Drive-by Compromise
drive_by_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "ps aux | grep suspicious_browser_process")
if [[ $? -eq 0 ]]; then
log_result "Drive-by Compromise" "Potential drive-by compromise detected." "Alert"
else
log_result "Drive-by Compromise" "No signs of drive-by compromise found." "Normal"
fi
# Supply Chain Compromise
echo "Assessing third-party software integrations."
log_result "Supply Chain Compromise" "Manual review needed." "Inconclusive"
# Execution
# Check for running unauthorized scripts
unauthorized_script_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "ps aux | grep suspicious_script_name")
if [[ $? -eq 0 ]]; then
log_result "Unauthorized Script Execution" "Potential unauthorized script execution detected." "Alert"
else
log_result "Unauthorized Script Execution" "No unauthorized script execution found." "Normal"
fi
# User Execution
user_execution_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /home/ -p rwxa | grep suspicious_user_execution")
if [[ $? -eq 0 ]]; then
log_result "User Execution of Malicious Code" "Potential user execution of malicious code detected." "Alert"
else
log_result "User Execution of Malicious Code" "No user execution of malicious code found." "Normal"
fi
# Fileless Execution
fileless_execution_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "ps aux | grep powershell | grep -v known_legitimate_use")
if [[ $? -eq 0 ]]; then
log_result "Fileless Execution" "Potential fileless execution detected." "Alert"
else
log_result "Fileless Execution" "No fileless execution found." "Normal"
fi
# Persistence
# Check for new accounts creation
new_accounts_result=$(az ad user list --filter "createdDateTime gt 2024-09-09T00:00:00Z")
if [[ $? -eq 0 && $(az ad user list --filter "createdDateTime gt 2024-09-09T00:00:00Z" | wc -l) -gt 0 ]]; then
log_result "New Account Creation" "New accounts created. Investigate further." "Alert"
else
log_result "New Account Creation" "No new accounts found." "Normal"
fi
# Scheduled Task/Job
scheduled_task_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "crontab -l | grep suspicious_task")
if [[ $? -eq 0 ]]; then
log_result "Suspicious Scheduled Task" "Potential suspicious scheduled task detected." "Alert"
else
log_result "Suspicious Scheduled Task" "No suspicious scheduled tasks found." "Normal"
fi
# Service Execution
service_execution_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "systemctl list-units | grep suspicious_service")
if [[ $? -eq 0 ]]; then
log_result "Suspicious Service" "Potential suspicious service detected." "Alert"
else
log_result "Suspicious Service" "No suspicious services found." "Normal"
fi
# Privilege Escalation
# Check for vulnerable services
vulnerable_services_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "sudo apt-get update && sudo apt-get upgrade -y && check_for_vulnerable_packages.sh")
log_result "Vulnerable Services" "Check script output for vulnerabilities." "Inconclusive"
# Token Manipulation
token_manipulation_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /var/run/secrets/ -p rwxa | grep token_manipulation")
if [[ $? -eq 0 ]]; then
log_result "Token Manipulation" "Potential token manipulation detected." "Alert"
else
log_result "Token Manipulation" "No token manipulation found." "Normal"
fi
# Exploit Weakness in Access Control Mechanism
echo "Assessing access control policies."
log_result "Access Control Weakness" "Manual review needed." "Inconclusive"
# Defense Evasion
# Check for obfuscated files
obfuscated_files_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "find / -type f -exec file {} \; | grep Obfuscated")
if [[ $? -eq 0 ]]; then
log_result "Obfuscated Files" "Potential obfuscated files detected." "Alert"
else
log_result "Obfuscated Files" "No obfuscated files found." "Normal"
fi
# Masquerading
masquerading_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "last | grep suspicious_user_impersonation")
if [[ $? -eq 0 ]]; then
log_result "Masquerading" "Potential masquerading detected." "Alert"
else
log_result "Masquerading" "No masquerading found." "Normal"
fi
# Disable or Modify Tools
disabled_tools_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "systemctl status security_tool_name | grep disabled")
if [[ $? -eq 0 ]]; then
log_result "Disabled Security Tools" "Potential disabled security tool detected." "Alert"
else
log_result "Disabled Security Tools" "No disabled security tools found." "Normal"
fi
# Credential Access
# Brute force simulation (this is a very basic example and not a real brute force test)
echo "Simulating brute force check (not a real test)."
log_result "Brute Force Simulation" "Simulated but not a real test." "Inconclusive"
# Credential Dumping
credential_dumping_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /etc/shadow -p rwxa | grep credential_dumping")
if [[ $? -eq 0 ]]; then
log_result "Credential Dumping" "Potential credential dumping detected." "Alert"
else
log_result "Credential Dumping" "No credential dumping found." "Normal"
fi
# OS Credential Dumping
os_credential_dumping_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /proc/kmem -p rwxa | grep os_credential_dumping")
if [[ $? -eq 0 ]]; then
log_result "OS Credential Dumping" "Potential OS credential dumping detected." "Alert"
else
log_result "OS Credential Dumping" "No OS credential dumping found." "Normal"
fi
# Discovery
# Check for registry queries
registry_queries_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -l | grep registry_query")
if [[ $? -eq 0 ]]; then
log_result "Unauthorized Registry Queries" "Potential unauthorized registry queries detected." "Alert"
else
log_result "Unauthorized Registry Queries" "No unauthorized registry queries found." "Normal"
fi
# System Information Discovery
system_info_discovery_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "last | grep system_info_discovery")
if [[ $? -eq 0 ]]; then
log_result "System Information Discovery" "Potential system information discovery detected." "Alert"
else
log_result "System Information Discovery" "No system information discovery found." "Normal"
fi
# Network Service Scanning
network_scanning_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "nmap -sS -p- localhost | grep open_port")
if [[ $? -eq 0 ]]; then
log_result "Network Service Scanning" "Potential network service scanning detected." "Alert"
else
log_result "Network Service Scanning" "No network service scanning found." "Normal"
fi
# Lateral Movement
# Check for remote services vulnerabilities
remote_services_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "nmap -p 22,3389 -sV localhost | grep Vulnerable")
log_result "Remote Services Vulnerabilities" "Check nmap output for vulnerabilities." "Inconclusive"
# Remote Service Session Hijacking
session_hijacking_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /var/run/sshd -p rwxa | grep session_hijacking")
if [[ $? -eq 0 ]]; then
log_result "Remote Service Session Hijacking" "Potential remote service session hijacking detected." "Alert"
else
log_result "Remote Service Session Hijacking" "No remote service session hijacking found." "Normal"
fi
# Pass the Ticket/Ticket Reuse
ticket_reuse_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /tmp/krb5cc_* -p rwxa | grep ticket_reuse")
if [[ $? -eq 0 ]]; then
log_result "Pass the Ticket/Ticket Reuse" "Potential pass the ticket/ticket reuse detected." "Alert"
else
log_result "Pass the Ticket/Ticket Reuse" "No pass the ticket/ticket reuse found." "Normal"
fi
# Collection
# Check for file and directory discovery attempts
file_directory_discovery_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "last | grep 'cd /' | grep suspicious_user")
if [[ $? -eq 0 ]]; then
log_result "File and Directory Discovery" "Potential file and directory discovery attempts detected." "Alert"
else
log_result "File and Directory Discovery" "No file and directory discovery attempts found." "Normal"
fi
# Data from Cloud Storage Object
echo "Monitoring for data access from cloud storage objects."
log_result "Data from Cloud Storage" "Use Azure monitoring tools for abnormal access." "Inconclusive"
# Data from Information Repositories
information_repository_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "auditctl -w /etc/passwd -p rwxa | grep information_repository_access")
if [[ $? -eq 0 ]]; then
log_result "Access to Information Repositories" "Potential access to information repositories detected." "Alert"
else
log_result "Access to Information Repositories" "No access to information repositories found." "Normal"
fi
# Exfiltration
# Check for data exfiltration over C2 channels
c2_exfiltration_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "netstat -anp | grep suspicious_ip")
if [[ $? -eq 0 ]]; then
log_result "Data Exfiltration over C2 Channels" "Potential data exfiltration over C2 channels detected." "Alert"
else
log_result "Data Exfiltration over C2 Channels" "No data exfiltration over C2 channels found." "Normal"
fi
# Exfiltration to Cloud Storage
echo "Monitoring for data exfiltration to cloud storage."
log_result "Data Exfiltration to Cloud Storage" "Use Azure monitoring tools for abnormal uploads." "Inconclusive"
# Exfiltration Over C2 Channel - Steganography
steganography_result=$(az vm run-command invoke -g $RESOURCE_GROUP -n $VM_NAME --command-id RunShellScript --scripts "grep -r suspicious_pattern /var/log/* | grep steganography")
if [[ $? -eq 0 ]]; then
log_result "Steganography in C2 Exfiltration" "Potential steganography in C2 channel exfiltration detected." "Alert"
else
log_result "Steganography in C2 Exfiltration" "No steganography in C2 channel exfiltration found." "Normal"
fi
# Export log in CSV format
echo "Test Name,Result,Status" > log.csv
echo "Phishing Simulation,Simulated but not a real test.,Inconclusive" >> log.csv
echo "Drive-by Compromise,$drive_by_result,${drive_by_result:+"Alert":"Normal"}" >> log.csv
echo "Supply Chain Compromise,Manual review needed.,Inconclusive" >> log.csv
echo "Unauthorized Script Execution,$unauthorized_script_result,${unauthorized_script_result:+"Alert":"Normal"}" >> log.csv
echo "User Execution of Malicious Code,$user_execution_result,${user_execution_result:+"Alert":"Normal"}" >> log.csv
echo "Fileless Execution,$fileless_execution_result,${fileless_execution_result:+"Alert":"Normal"}" >> log.csv
echo "New Account Creation,$new_accounts_result,${new_accounts_result:+"Alert":"Normal"}" >> log.csv
echo "Suspicious Scheduled Task,$scheduled_task_result,${scheduled_task_result:+"Alert":"Normal"}" >> log.csv
echo "Suspicious Service,$service_execution_result,${service_execution_result:+"Alert":"Normal"}" >> log.csv
echo "Vulnerable Services,Check script output for vulnerabilities.,Inconclusive" >> log.csv
echo "Token Manipulation,$token_manipulation_result,${token_manipulation_result:+"Alert":"Normal"}" >> log.csv
echo "Access Control Weakness,Manual review needed.,Inconclusive" >> log.csv
echo "Obfuscated Files,$obfuscated_files_result,${obfuscated_files_result:+"Alert":"Normal"}" >> log.csv
echo "Masquerading,$masquerading_result,${masquerading_result:+"Alert":"Normal"}" >> log.csv
echo "Disabled Security Tools,$disabled_tools_result,${disabled_tools_result:+"Alert":"Normal"}" >> log.csv
echo "Brute Force Simulation,Simulated but not a real test.,Inconclusive" >> log.csv
echo "Credential Dumping,$credential_dumping_result,${credential_dumping_result:+"Alert":"Normal"}" >> log.csv
echo "OS Credential Dumping,$os_credential_dumping_result,${os_credential_dumping_result:+"Alert":"Normal"}" >> log.csv
echo "Unauthorized Registry Queries,$registry_queries_result,${registry_queries_result:+"Alert":"Normal"}" >> log.csv
echo "System Information Discovery,$system_info_discovery_result,${system_info_discovery_result:+"Alert":"Normal"}" >> log.csv
echo "Network Service Scanning,$network_scanning_result,${network_scanning_result:+"Alert":"Normal"}" >> log.csv
echo "Remote Services Vulnerabilities,Check nmap output for vulnerabilities.,Inconclusive" >> log.csv
echo "Remote Service Session Hijacking,$session_hijacking_result,${session_hijacking_result:+"Alert":"Normal"}" >> log.csv
echo "Pass the Ticket/Ticket Reuse,$ticket_reuse_result,${ticket_reuse_result:+"Alert":"Normal"}" >> log.csv
echo "File and Directory Discovery,$file_directory_discovery_result,${file_directory_discovery_result:+"Alert":"Normal"}" >> log.csv
echo "Data from Cloud Storage,Use Azure monitoring tools for abnormal access.,Inconclusive" >> log.csv
echo "Access to Information Repositories,$information_repository_result,${information_repository_result:+"Alert":"Normal"}" >> log.csv
echo "Data Exfiltration over C2 Channels,$c2_exfiltration_result,${c2_exfiltration_result:+"Alert":"Normal"}" >> log.csv
echo "Data Exfiltration to Cloud Storage,Use Azure monitoring tools for abnormal uploads.,Inconclusive" >> log.csv
echo "Steganography in C2 Exfiltration,$steganography_result,${steganography_result:+"Alert":"Normal"}" >> log.csv