There were a couple of bugs and design changes that were made after testing emulations and the auth and creds commands.
Issue: Sessions not available after credential storage from within emulations
When running an emulation, credentials were available in the credential store, but an active session is needed to start a service client. However, authenticate in auth.py was a Command method and thus not available from emulations. To solve this, a static method was added that will take credentials and authenticate as normal, returning a session that can be used in the emulation.
Below is an example, where default contains service account credentials in the store. We pass it to get_auth_session and it returns an actual session.
from googleapiclient.discovery import build

# BaseEmulation and AuthCommand come from the project's own modules (import paths not shown here).

class Emulation(BaseEmulation):
    parser = BaseEmulation.load_parser(description='Account Manipulation: Additional Cloud Roles')
    parser.add_argument('--username', required=True, help='Username to add the role to')
    parser.add_argument('--roles', required=True, help='Roles to add')
    techniques = ['T1098.003']

    def __init__(self, **kwargs) -> None:
        super().__init__(**kwargs)
        # Turn the stored service account credentials into a live session
        self.session = AuthCommand.get_auth_session(creds=self.obj.cred_store.store['default'].creds.to_dict(), type='service')
        # Build the Drive v3 client on top of that session
        self.service = build('drive', 'v3', credentials=self.session)

    def execute(self) -> None:
        self.elogger.info(self.exec_str(self.parser.description))
auth command does not store the sessions, only the credentials by default in the credential store.
If users would prefer to store both the credentials and session after authentication, they can now use --store NAME and it will store those credentials and session in the credential store. This allows us to authenticate -> store credentials -> store session -> access in emulations.
PosixPath stored in credential store
Originally, if auth was used to authenticate, the path of the credentials was being stored as creds in the credential store. This has been adjusted to determine if it is a Path and if so, load it from_file with OAuthCreds or ServiceAccountCreds and save it as the actual JSON object.
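The PosixPath fix described above, sketched as an added example that is not code from this PR or the project. The names normalize_creds, classify and store_creds, the plain-dict store and the sample key file are assumptions; the project does this through OAuthCreds and ServiceAccountCreds.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample; values are placeholders, not real key material.
SAMPLE_SERVICE_ACCOUNT = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "emulation@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER",
}

def classify(creds: dict) -> str:
    """Tell service account JSON apart from OAuth JSON by its shape."""
    if creds.get("type") == "service_account":
        return "service"
    if creds.get("type") == "authorized_user" or "installed" in creds or "web" in creds:
        return "oauth"
    raise ValueError("unrecognised credential JSON")

def normalize_creds(creds) -> dict:
    """If given a Path, load the file; the result is always the JSON object."""
    if isinstance(creds, Path):
        with creds.open(encoding="utf-8") as fh:
            creds = json.load(fh)
    if not isinstance(creds, dict):
        raise TypeError(f"expected Path or dict, got {type(creds).__name__}")
    return creds

def store_creds(store: dict, name: str, creds) -> dict:
    """Hypothetical store: keeps the parsed JSON, never the path to it."""
    data = normalize_creds(creds)
    store[name] = {"type": classify(data), "creds": data}
    return store[name]

def demo() -> dict:
    store = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "sa.json"
        key_file.write_text(json.dumps(SAMPLE_SERVICE_ACCOUNT), encoding="utf-8")
        store_creds(store, "default", key_file)
    # The key file is gone now; the entry still holds usable, serialisable JSON.
    # A stored PosixPath would make json.dumps raise TypeError here.
    json.dumps(store)
    return store

if __name__ == "__main__":
    print(demo()["default"]["type"])
```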