feat: more cloud credential discovery (#3018)

redcanaryco · Dec 18, 2024 · 11c88b9 · 11c88b9
1 parent dda4972
commit 11c88b9
Showing 1 changed file with 46 additions and 2 deletions.
diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml
@@ -2,7 +2,6 @@ attack_technique: T1552.001
 display_name: 'Unsecured Credentials: Credentials In Files'
 atomic_tests:
 - name: Find AWS credentials
-  auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
   description: |
     Find local AWS credentials from file, defaults to using / as the look path.
   supported_platforms:
@@ -15,7 +14,7 @@ atomic_tests:
       default: /
   executor:
     command: |
-      find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+      find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
     name: sh
 - name: Extract Browser and System credentials with LaZagne
   auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
@@ -189,3 +188,48 @@ atomic_tests:
       
     name: command_prompt
     elevation_required: true
+- name: Find Azure credentials
+  description: |
+    Find local Azure credentials from file, defaults to using / as the look path.
+  supported_platforms:
+  - macos
+  - linux
+  input_arguments:
+    file_path:
+      description: Path to search
+      type: string
+      default: /
+  executor:
+    command: |
+      find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
+    name: sh
+- name: Find GCP credentials
+  description: |
+    Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
+  supported_platforms:
+  - macos
+  - linux
+  input_arguments:
+    file_path:
+      description: Path to search
+      type: string
+      default: /
+  executor:
+    command: |
+      find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
+    name: sh
+- name: Find OCI credentials
+  description: |
+    Find local Oracle cloud credentials from file, defaults to using / as the look path.
+  supported_platforms:
+  - macos
+  - linux
+  input_arguments:
+    file_path:
+      description: Path to search
+      type: string
+      default: /
+  executor:
+    command: |
+      find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
+    name: sh