Update T1078.004.yaml (#2982)

* Update T1078.004.md Added comment noting that this T1078.004-2 will only work if the Azure account (that the command is trying to login with) does not have 2FA enabled. * Update T1078.004.md * Update T1078.004.yaml Update T1078.004-2 so that core functionalities work again (regular execution, -GetPrereqs, and -CleanUp) * Revert T1078.004.md changes * Update terraform.tfvars Hardcoded Azure values. * Update T1078.004.yaml Hardcoded test 2's values to match `./atomics/T1078.004/src/T1078.004-2/terraform.tfvars` * Update terraform.tfvars * Update T1078.004.yaml --------- Co-authored-by: Bhavin Patel <[email protected]>
redcanaryco · Nov 20, 2024 · f2c4afb · f2c4afb
1 parent 501dd6c
commit f2c4afb
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 22 deletions.
diff --git a/atomics/T1078.004/T1078.004.yaml b/atomics/T1078.004/T1078.004.yaml
@@ -62,64 +62,64 @@ atomic_tests:
   supported_platforms:
   - iaas:azure
   input_arguments:
-    username:
-      description: Azure username
-      type: string
-      default: null
-    password:
-      description: Azure password
-      type: string
-      default: null
     resource_group:
       description: Name of the resource group
       type: string
-      default: null
+      default: ART-ResourceGroupName-T1078-004
     runbook_name:
       description: Name of the runbook name
       type: string
-      default: null
+      default: ART-RunbookName-T1078-004
     automation_account_name:
       description: Name of the automation account name
       type: string
-      default: null
+      default: ART-AutomationAccountName-T1078-004
   dependency_executor_name: powershell
   dependencies:
   - description: |
       Check if terraform is installed.
     prereq_command: |
       terraform version
     get_prereq_command: |
-        echo Please install terraform.
+        echo "Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli (URL accurate as of Nov. 15, 2024)."
   - description: |
-      Install-Module -Name Az
+      Check if Azure CLI and Azure Powershell are installed.
+
+      * Login to Azure CLI with "az login", and login to Azure Powershell with "Connect-AzAccount". Sessions are not shared.
+      * Azure Powershell used in this test as they have better automation performance and error logging than Azure CLI.
     prereq_command: |
       try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
     get_prereq_command: |
-      Install-Module -Name Az -Scope CurrentUser -Force
+      $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi
   - description: |
       Check if the user is logged into Azure.
     prereq_command: |
-      az account show
+      try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }} catch {exit 1}
     get_prereq_command: |
-      echo Configure your Azure account using: az login. 
+      echo "* Configure your Azure account using: Connect-AzAccount"
   - description: |
       Create dependency resources using terraform
+
+      * If fail to meet prereq, navigate to T1078.004-2 using "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
+      * Open the "terraform.tfvars" file and fill in the variables with your desired values.
+      * Re-run -GetPrereqs
     prereq_command: |
       try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
     get_prereq_command: |
+      echo "Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
       cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
       terraform init
       terraform apply -auto-approve
   executor:
     command: |
-      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
-      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
-      Connect-AzAccount -Credential $creds
       New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}
     name: powershell
     elevation_required: false
     cleanup_command: |
       Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
+      Remove-AzAutomationAccount -ResourceGroupName "MarkResourceGroup" -Name "MarkAutomationAccountName" -Force
+      Remove-AzResourceGroup -Name "MarkResourceGroup" -Force
+      echo "Cleanup should be completed. Run 'terraform destroy` to ensure remaining resources are also deleted."
       cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
       terraform destroy -auto-approve
 - name: GCP - Create Custom IAM Role

diff --git a/atomics/T1078.004/src/T1078.004-2/terraform.tfvars b/atomics/T1078.004/src/T1078.004-2/terraform.tfvars
@@ -1,3 +1,3 @@
-automation_account_name = ""
-resource_group          = ""
-runbook_name            = ""
+automation_account_name = "ART-AutomationAccountName-T1078-004"
+resource_group          = "ART-ResourceGroupName-T1078-004"
+runbook_name            = "ART-RunbookName-T1078-004"