From 11c88b983536cd045214ccd1a76869aed6f4b5fa Mon Sep 17 00:00:00 2001
From: ryananicholson
Date: Wed, 18 Dec 2024 02:25:10 -0500
Subject: [PATCH] feat: more cloud credential discovery (#3018)
---
 atomics/T1552.001/T1552.001.yaml | 48 ++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 2 deletions(-)
diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml
index e41c564e94..3dc51880ff 100644
--- a/atomics/T1552.001/T1552.001.yaml
+++ b/atomics/T1552.001/T1552.001.yaml
@@ -2,7 +2,6 @@ attack_technique: T1552.001
 display_name: 'Unsecured Credentials: Credentials In Files'
 atomic_tests:
 - name: Find AWS credentials
- auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
 description: |
 Find local AWS credentials from file, defaults to using / as the look path.
 supported_platforms:
@@ -15,7 +14,7 @@ atomic_tests:
 default: /
 executor:
 command: |
- find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
+ find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
 name: sh
 - name: Extract Browser and System credentials with LaZagne
 auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
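Review bot: With the unchanged default `file_path: /`, the rewritten AWS command on the `+` line of the second hunk searches only `/.aws`, which is not any user's home directory, so the test finds nothing unless the caller explicitly points `file_path` at a home directory; the removed `-path "*/.aws/*"` form walked the whole tree from `/`. If the intent was to avoid a full filesystem walk, either keep the recursion with a tighter anchor, `find #{file_path} -type f -path "*/.aws/credentials" 2>/dev/null`, or change the default to `$HOME` and update the description, which still says `/` is the look path. The unquoted `#{file_path}` will also word-split on a path containing spaces; `"#{file_path}/.aws"` is safer. Separately, the first hunk drops this test's existing `auto_generated_guid`; if anything downstream (detection mappings, runners) keys on that identifier, a regenerated GUID will break it, so it is worth confirming the removal was intentional.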
@@ -189,3 +188,48 @@ atomic_tests:
 name: command_prompt
 elevation_required: true
+- name: Find Azure credentials
+ description: |
+ Find local Azure credentials from file, defaults to using / as the look path.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ file_path:
+ description: Path to search
+ type: string
+ default: /
+ executor:
+ command: |
+ find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
+ name: sh
+- name: Find GCP credentials
+ description: |
+ Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ file_path:
+ description: Path to search
+ type: string
+ default: /
+ executor:
+ command: |
+ find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
+ name: sh
+- name: Find OCI credentials
+ description: |
+ Find local Oracle cloud credentials from file, defaults to using / as the look path.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ file_path:
+ description: Path to search
+ type: string
+ default: /
+ executor:
+ command: |
+ find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
+ name: sh
\ No newline at end of file
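Review bot: The Azure and GCP `find` commands have an operator-precedence bug: `find` binds the implicit `-a` tighter than `-o`, so `-name A -o -name B -type f` parses as `-name A -o ( -name B -a -type f )` and `-type f` never applies to the first name; group the alternatives, e.g. `find #{file_path}/.azure \( -name "msal_token_cache.json" -o -name "accessTokens.json" \) -type f 2>/dev/null` and likewise for `credentials.db`/`access_tokens.db`. All three new tests also inherit `default: /` for `file_path`, which makes them look in `/.azure`, `/.config/gcloud` and `/.oci/sessions` rather than under any home directory, so with default arguments they find nothing even though each description says `/` is the look path; either default to `$HOME` or keep the walk recursive with an anchor such as `-path "*/.oci/sessions/*/token"`. None of the three tests carries an `auto_generated_guid`; if the repository's CI assigns one automatically that is fine, otherwise add them so the tests get stable identifiers.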