redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Problem: T1078.004 Atomic Test #2 - Valid Accounts: Cloud Accounts (Azure) --> GetPrereqs failed #2971

Closed kienmarkdo closed 1 day ago

kienmarkdo commented 2 weeks ago

What did you do?

ℹ Run Invoke-AtomicTest T1078.004-2 -GetPrereqs

What did you expect to happen?

ℹ Expected Terraform to be installed and for the command terraform or terraform version to work.

What happened instead?

ℹ Received the following error, indicating that Terraform either failed to install, or installed successfully but the terraform command has not been added to PATH and, as such, is not recognized as a command.

PS C:\Windows\system32> terraform
terraform : The term 'terraform' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ terraform
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (terraform:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Strangely, ART says the prereq has been met, even though it failed to run any terraform commands. Below is the complete -GetPrereq terminal output. I would expect the installation to work so that I don't have to manually install Terraform, or for the prereq check to work properly.

PS C:\Windows\system32> Invoke-AtomicTest T1078.004-2 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1078.004-2 Azure Persistence Automation Runbook Created or Modified
Attempting to satisfy prereq: Check if terraform is installed.
terraform : The term 'terraform' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {terraform version}
+    ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (terraform:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Prereq already met: Check if terraform is installed.
Attempting to satisfy prereq: Install-Module -Name Az
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
Failed to meet prereq: Install-Module -Name Az
Attempting to satisfy prereq: Check if the user is logged into Azure.
az : The term 'az' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {az account show}
+    ~~
    + CategoryInfo          : ObjectNotFound: (az:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Prereq already met: Check if the user is logged into Azure.
Attempting to satisfy prereq: Create dependency resources using terraform
terraform : The term 'terraform' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:1
+ terraform init
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (terraform:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

terraform : The term 'terraform' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:3 char:1
+ terraform apply -auto-approve}
+ ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (terraform:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Failed to meet prereq: Create dependency resources using terraform
PS C:\Windows\system32> Invoke-AtomicTest T1078.004-2 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1078.004-2 Azure Persistence Automation Runbook Created or Modified
terraform : The term 'terraform' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {terraform version}
+    ~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (terraform:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
az : The term 'az' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {az account show}
+    ~~
    + CategoryInfo          : ObjectNotFound: (az:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Prerequisites not met: T1078.004-2 Azure Persistence Automation Runbook Created or Modified
        [*] Install-Module -Name Az
        [*] Create dependency resources using terraform

Try installing prereq's with the -GetPrereqs switch

After manually installing Terraform and setting the PATH variable myself, I ran the GetPrereqs command again. The logs are below.

PS C:\Windows\system32> Invoke-AtomicTest T1078.004-2 -GetPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

GetPrereq's for: T1078.004-2 Azure Persistence Automation Runbook Created or Modified
Attempting to satisfy prereq: Check if terraform is installed.
Terraform v1.9.8
on windows_386
Prereq already met: Check if terraform is installed.
Attempting to satisfy prereq: Install-Module -Name Az
Process Timed out after 120 seconds, use '-TimeoutSeconds' to specify a different timeout
Failed to meet prereq: Install-Module -Name Az
Attempting to satisfy prereq: Check if the user is logged into Azure.
az : The term 'az' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:4
+ & {az account show}
+    ~~
    + CategoryInfo          : ObjectNotFound: (az:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Prereq already met: Check if the user is logged into Azure.
Attempting to satisfy prereq: Create dependency resources using terraform
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/azurerm...
- Installing hashicorp/azurerm v4.7.0...
- Installed hashicorp/azurerm v4.7.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
╷
│ Warning: Argument is deprecated
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on T1078.004-2.tf line 8, in provider "azurerm":
│    8:   skip_provider_registration = true
│
│ This property is deprecated and will be removed in v5.0 of the AzureRM
│ provider. Please use the `resource_provider_registrations` property
│ instead.
│
│ (and one more similar warning elsewhere)
╵
╷
│ Warning: Attribute Deprecated
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on T1078.004-2.tf line 8, in provider "azurerm":
│    8:   skip_provider_registration = true
│
│ This property is deprecated and will be removed in v5.0 of the AzureRM
│ provider. Please use the `resource_provider_registrations` property
│ instead.
│
│ (and one more similar warning elsewhere)
╵
╷
│ Error: `subscription_id` is a required provider property when performing a plan/apply operation
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on T1078.004-2.tf line 5, in provider "azurerm":
│    5: provider "azurerm" {
│
╵
Failed to meet prereq: Create dependency resources using terraform

Issue may be related to https://github.com/redcanaryco/atomic-red-team/pull/2437

Your Environment

Windows 11 Home VM on VirtualBox.

Edition Windows 11 Home
Version 23H2
Installed on    9/26/2024
OS build    22631.4391
Experience  Windows Feature Experience Pack 1000.22700.1047.0

Ran as Windows Administrator in PowerShell.

T1078.004-2

Link here: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md#atomic-test-2---azure-persistence-automation-runbook-created-or-modified
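
The logs above show `& {terraform version}` and `& {az account show}` raising CommandNotFoundException and the run still printing "Prereq already met". The script below is an added example, not code from this issue or from the atomic-red-team project, of a pre-flight check to run before `-GetPrereqs` that resolves each tool first and then judges it by its exit code. It assumes a prereq is evaluated by the exit code of its check command; `Update-SessionPath` and `Test-CliPrereq` are hypothetical helper names.

```powershell
# Added example: pre-flight check for the CLI tools T1078.004-2 calls.
# Save as a .ps1 and run it; it exits 0 only if every tool resolves and responds.

function Update-SessionPath {
    # Rebuild PATH from the persisted Machine and User values so a tool installed
    # earlier in this session resolves. Session-only PATH entries are dropped.
    $machine = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $user    = [Environment]::GetEnvironmentVariable('Path', 'User')
    $env:Path = (@($machine, $user) | Where-Object { $_ }) -join ';'
}

function Test-CliPrereq {
    param(
        [Parameter(Mandatory)][string]   $Name,      # e.g. 'terraform'
        [Parameter(Mandatory)][string[]] $ProbeArgs  # e.g. 'version'
    )
    # Resolve the executable explicitly instead of relying on the error that
    # PowerShell raises when the command name cannot be found.
    $cmd = Get-Command -Name $Name -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $cmd) {
        Write-Host "[-] $Name not found on PATH"
        return $false
    }
    # Run the probe quietly and judge it by the native exit code.
    & $cmd.Source @ProbeArgs *> $null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "[-] '$Name $($ProbeArgs -join ' ')' exited with code $LASTEXITCODE"
        return $false
    }
    Write-Host "[+] $Name ok ($($cmd.Source))"
    return $true
}

Update-SessionPath

# The two probes are the check commands visible in the log output above.
$checks = @(
    @{ Name = 'terraform'; ProbeArgs = @('version') },
    @{ Name = 'az';        ProbeArgs = @('account', 'show') }
)

$failed = 0
foreach ($check in $checks) {
    if (-not (Test-CliPrereq @check)) { $failed++ }
}
if ($failed -gt 0) { exit 1 } else { exit 0 }
```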

kienmarkdo commented 1 day ago

These prereqs just needed to be installed manually.