From abb2db6d8a85daa66c22c5cf24c17c0e8fe521ad Mon Sep 17 00:00:00 2001
From: Omar Santos
Date: Sun, 5 May 2024 17:02:34 -0400
Subject: [PATCH] Add files via upload
---
cloud_resources/omar_saas_attack_example.json | 1237 +++++++++++++++++
cloud_resources/omar_saas_attack_example.svg | 2 +
cloud_resources/omar_saas_attack_example.xlsx | Bin 0 -> 8711 bytes
3 files changed, 1239 insertions(+)
create mode 100644 cloud_resources/omar_saas_attack_example.json
create mode 100644 cloud_resources/omar_saas_attack_example.svg
create mode 100644 cloud_resources/omar_saas_attack_example.xlsx
diff --git a/cloud_resources/omar_saas_attack_example.json b/cloud_resources/omar_saas_attack_example.json
new file mode 100644
index 0000000..de70863
--- /dev/null
+++ b/cloud_resources/omar_saas_attack_example.json
@@ -0,0 +1,1237 @@ +{ + "name": "Omar's SaaS", + "versions": { + "attack": "15", + "navigator": "5.0.0", + "layer": "4.5" + }, + "domain": "enterprise-attack", + "description": "MITRE ATT&CK TTPs for SaaS implementations", + "filters": { + "platforms": [ + "SaaS", + "Office 365", + "Google Workspace" + ] + }, + "sorting": 0, + "layout": { + "layout": "side", + "aggregateFunction": "average", + "showID": false, + "showName": true, + "showAggregateScores": false, + "countUnscored": false, + "expandedSubtechniques": "all" + }, + "hideDisabled": false, + "techniques": [ + { + "techniqueID": "T1037", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1037", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1557", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1557", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1583", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1592", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1003", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1602", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { 
+ "techniqueID": "T1543", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1543", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1578", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1069", + "tactic": "discovery", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1114", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1561", + "tactic": "impact", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1547", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1547", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1600", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1564", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1137", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1071", + "tactic": "command-and-control", + 
"color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1053", + "tactic": "execution", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1053", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1053", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1562", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1195", + "tactic": "initial-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1558", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1555", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1567", + "tactic": "exfiltration", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1036", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1552", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1055", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": 
true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1055", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1205", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1205", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1205", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1218", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1550", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1550", + "tactic": "lateral-movement", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1011", + "tactic": "exfiltration", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1589", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1560", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1021", + "tactic": "lateral-movement", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + 
"showSubtechniques": true + }, + { + "techniqueID": "T1596", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1491", + "tactic": "impact", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1563", + "tactic": "lateral-movement", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1222", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1595", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1548", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1548", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1016", + "tactic": "discovery", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1087", + "tactic": "discovery", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1090", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1059", + "tactic": "execution", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1020", 
+ "tactic": "exfiltration", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1070", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1568", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1074", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1584", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1542", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1542", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1586", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1497", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1497", + "tactic": "discovery", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1102", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1608", + "tactic": "resource-development", + 
"color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1480", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1204", + "tactic": "execution", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1591", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1606", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1590", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1593", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1098", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1098", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1048", + "tactic": "exfiltration", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1597", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1566", + "tactic": "initial-access", + "color": "", + "comment": "", + "enabled": true, + 
"metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1110", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1565", + "tactic": "impact", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1559", + "tactic": "execution", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1001", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1601", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1574", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1574", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1574", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1078", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1078", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1078", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + 
"showSubtechniques": true + }, + { + "techniqueID": "T1078", + "tactic": "initial-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1027", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1546", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1546", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1599", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1553", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1573", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1056", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1056", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1499", + "tactic": "impact", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1614", + "tactic": "discovery", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": 
"T1132", + "tactic": "command-and-control", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1598", + "tactic": "reconnaissance", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1585", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1588", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1569", + "tactic": "execution", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1213", + "tactic": "collection", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1505", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1498", + "tactic": "impact", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1134", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1134", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1136", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1518", + "tactic": "discovery", + "color": "", + 
"comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1052", + "tactic": "exfiltration", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1484", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1484", + "tactic": "privilege-escalation", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1587", + "tactic": "resource-development", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1556", + "tactic": "credential-access", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1556", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1556", + "tactic": "persistence", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1216", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + }, + { + "techniqueID": "T1127", + "tactic": "defense-evasion", + "color": "", + "comment": "", + "enabled": true, + "metadata": [], + "links": [], + "showSubtechniques": true + } + ], + "gradient": { + "colors": [ + "#ff6666ff", + "#ffe766ff", + "#8ec843ff" + ], + "minValue": 0, + "maxValue": 100 + }, + "legendItems": [], + "metadata": [], + "links": [], + "showTacticRowBackground": false, + "tacticRowBackground": "#dddddd", + "selectTechniquesAcrossTactics": true, + 
"selectSubtechniquesWithParent": false, + "selectVisibleTechniques": false +} \ No newline at end of file diff --git a/cloud_resources/omar_saas_attack_example.svg b/cloud_resources/omar_saas_attack_example.svg new file mode 100644 index 0000000..adcb0a4 --- /dev/null +++ b/cloud_resources/omar_saas_attack_example.svg 
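Review bot: The `techniques` array in omar_saas_attack_example.json does not describe the SaaS scope the layer advertises: every entry has empty `color` and `comment`, no `score`, and only `"showSubtechniques": true`. The array also lists IDs such as `T1003`, `T1055` and `T1542`, whose names do not appear in the SaaS matrix rendered in the accompanying SVG. The scoping therefore lives only in `filters.platforms`, and the array looks like Navigator's expand-all state (`"expandedSubtechniques": "all"`) rather than a selection. A coverage or detection-gap script that reads `techniques` directly, instead of rendering the layer through Navigator, would over-report what applies to SaaS, Office 365 and Google Workspace. I would say so in the layer itself, for example `"description": "MITRE ATT&CK TTPs for SaaS implementations; scope is defined by filters.platforms, the techniques array only records sub-technique expansion state"`. Alternatively, give the techniques that are in scope a `score` or `comment` so the selection survives outside the Navigator UI.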
@@ -0,0 +1,2 @@ + +aboutOmar's SaaSMITRE ATT&CK TTPs for SaaS implementationsplatformsSaaS, Office 365, Google WorkspaceDrive-byCompromisePhishingTrustedRelationshipValidAccountsSpearphishingLinkSpearphishingVoiceCloudAccountsDefaultAccountsInitialAccessCommandand ScriptingInterpreterServerlessExecutionSoftwareDeploymentToolsCloudAPIExecutionAccountManipulationCreateAccountEvent TriggeredExecutionModifyAuthenticationProcessOfficeApplicationStartupValidAccountsAdditionalCloudCredentialsAdditionalCloud RolesAdditionalEmail DelegatePermissionsDeviceRegistrationCloudAccountConditionalAccessPoliciesHybridIdentityMulti-FactorAuthenticationAdd-insOfficeTemplateMacrosOfficeTestOutlookFormsOutlookHome PageOutlookRulesCloudAccountsDefaultAccountsPersistenceAbuse ElevationControlMechanismAccountManipulationDomain orTenant PolicyModificationEvent TriggeredExecutionValidAccountsTemporaryElevatedCloud AccessAdditionalCloudCredentialsAdditionalCloud RolesAdditionalEmail DelegatePermissionsDeviceRegistrationTrustModificationCloudAccountsDefaultAccountsPrivilegeEscalationAbuse ElevationControlMechanismDomain orTenant PolicyModificationExploitationforDefense EvasionHideArtifactsImpairDefensesImpersonationIndicatorRemovalModifyAuthenticationProcessUse AlternateAuthenticationMaterialValidAccountsTemporaryElevatedCloud AccessTrustModificationEmailHiding RulesDisableor ModifyCloud LogsClearMailbox DataConditionalAccessPoliciesHybridIdentityMulti-FactorAuthenticationApplicationAccess TokenWeb SessionCookieCloudAccountsDefaultAccountsDefenseEvasionBruteForceForge WebCredentialsModifyAuthenticationProcessMulti-FactorAuthenticationRequest GenerationStealApplicationAccess TokenSteal WebSession CookieUnsecuredCredentialsCredentialStuffingPasswordCrackingPasswordGuessingPasswordSprayingSAMLTokensWebCookiesConditionalAccessPoliciesHybridIdentityMulti-FactorAuthenticationChatMessagesCredentialAccessAccountDiscoveryCloud ServiceDashboardCloud 
ServiceDiscoveryPermissionGroupsDiscoveryCloudAccountEmailAccountCloudGroupsDiscoveryInternalSpearphishingSoftwareDeploymentToolsTaint SharedContentUse AlternateAuthenticationMaterialApplicationAccess TokenWeb SessionCookieLateralMovementAutomatedCollectionData fromCloud StorageData fromInformationRepositoriesEmailCollectionCodeRepositoriesConfluenceSharepointEmailForwardingRuleRemote EmailCollectionCollectionExfiltrationOver AlternativeProtocolExfiltrationOverWeb ServiceTransferData toCloud AccountExfiltrationOver WebhookExfiltrationAccountAccess RemovalEndpoint Denialof ServiceFinancialTheftNetwork Denialof ServiceApplicationExhaustionFloodApplicationor SystemExploitationServiceExhaustionFloodDirectNetworkFloodReflectionAmplificationImpact \ No newline at end of file 
diff --git a/cloud_resources/omar_saas_attack_example.xlsx b/cloud_resources/omar_saas_attack_example.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..4314e31b54719da9a287328b0d51c76efc7d10df GIT binary patch literal 8711 zcmaiZ1ymJU(>C2L4bt5pE!`~~>d+!B-QC>{3eug@9inu1cS#=s>F_^ZKCk!nzTf}t zwa!^*!906r&Fnohdmd$ZXc#022nYm-XT=4;_@z&XT96PB-(Vmho`L_WBW`QsWMboF zpyqC8;;6^sW^GlGq-gV*4I}tUP;#4D4ndQtTQ%1D85upycN>mZB zYp{FUWGMDZ6p9dQ;9P&c#sPAbNKb6LMOWt{G=T(xz}1DYw7v)uIY>a(obfAUXoqX2 z!Z=bQLC`fEYT5Q|e>CzC>(`V8lf-BAdg}XF$&8w)jmF#10l9?i+%$)?<&f6!5BEw6 zH9Ar}Xb#^&1DH47TaO;zL8FE6GWKS1HiDO!)iFyXIJC7EA zsH&sZNd>j*0;ia$*FW?gKXf&`ys!!)KN!jr#9FvLsDAU3G57#R$3?h&lSui0A_4Y1 zI1*sz|GnVAzYH8qtQ=W?$vj2tEK7EAAN)UgC(IvDScr>5dnEgZr`QZ z$ROktw36ko&~OTUqOu{XkIw53JOPEriJ(MVz{l7heKi|891(~4)=(zs`1U5LA4}7=u0dYRE#2 zer$R_%;i(e_tHv`)9rxYZcs_XsK{aqb@2oHB$t(qj_rQ@v0*NmnfCo4ow366aDVq{ z(1#Gs-5dtx@vnLsbFKG+MVT_=IoS;#%rR95vR9B9&tl3{!2ibRved_&U%#UuKzbebkNR8z~)2gt9gYmp{LHOSKFH+|d0 zmoDK90{No$ZsdZfGDC)02{ZVOVWstqN#o|WH0668S9=_9vjot}bWqSEHP)TP?ndc_ zzqN(mT;mRJC9oNg9}ke95o~kbN{;lE5V)Ui9gzO-jz)WO&`;Mmnwyw7{dr7db6PdU zz-L&S6aoVOU$TEe*nj#nS!>B5T@J%b*dS+9P;^K#jCqLOz$uk!sKF}}QF}p6q!?mp z;O4fLOrBjZkGHL<+_2TmrB%yx<7jD&%BH=PDR$C&48veaO5Xa5({t-AkKO~rZv~ch zXB6|5fxIiFnWyqQy^ZI-qpOog(vRh86O%AYZDs;^JxXb&Btm6W{hfs`>t{5%EmB~D zAKweUzhP1BYJsAzwy0lv{sJ+#qS`EOVa+Z-T@kzVkkdk(BC%UD?7#o#mNf<**Kg&3!k0g#s*4R}gg;dM=il;|Y z@k*aAqt^De(3D?TN7@5!r?ioyexCqOOemt#Ff&U%5MDjLQOmM|yGveoxxkhZM^F$? 
zn{v*)fK`&%dPbqW6licjaO`o!5M2gTFVX$cqTyaVS7z2^^PWOstL=74E*Ib|xU_CI zR>hQefm;#zHPg`2?m7X_;tV82CikHkUIRxTUeeAdrNFkL{7t{Bs0B2+d`cVAG2*3a z2~_@vOUjBq20Hgckc%T# zAI4#d^PJKTGb4&|HMkiRLcS9}$nW z?R)RXUVj>MQv1o#{ktvnLV=pa@r9)cZ*>hU_#-agi=Y zdznv7lMNIorb1FR*H}1{$^MAjvnxZz*B&>Qi4+IL&>?%cDri|Ldx-t~intiVN0AYh z9!3p>WM$d|EV6y2egU)VH8xCO?EU&Jq?RTMa{q0A)pZ+dhE#{s>wT8z3H^{bA3wZG zt&FXM4#7<#r7)FX-&HwcG6x_q2m_2@P98hOdf>^E74U2qvSuU*-WvVG~` z1bIw30{LhZ9@c~DzXW&-e1Xz`_kw9XmzbTq1{blU=8q&4i1@+VRZrLxk z`C+l>ud`^NVo|+on3~?l(jnXI8Vv?SzBGK>1r0GPd}s7fAB=S@#i)+@k$J{5KLy#Q zfm}2iAKOOFC?L(QStONSbmURj(3?x5b_PRDXkHQyWb}5Snp*hmK9fH1b1EvxNXVwj z=dQc0-1NLAZ18(0lOg6@<6TD*qLrZ+0%_;Ht_G-%+=qIb3lD_Mx4tP(F0Jduv>g=rD)@u_X>%Np zt{3?>GoAsGdtVPI*lT^W>`WeyhgJSkuTn`~srh<2!7)ADVE*j$#%y28EwF#uXb7jT z(`h?_sMBsIAkx4oU#N=h!gV_-l2x$z$l=1xp{M6gPwSFaA)xX@4PHnGaSdK?2NUVw zhsGc#Tl-PT6ed!fWgO`g9gM!+fyc+Z!kasNUg0I!S8qv-Urlh^_PkYHal7RnyXz`u@z^oLnSc zjZ$?piT9%uAC@u4X!3$yY$i7ko^MRh`Q$dBHs^36b9wJ@yOHs0+b8v{O6h{D3xlod zA-U50yKXLm57<_W`==jQqV=q0cPpvRl1Y4<+wP5YWlf|gwtC$J?(S0K&7*EV=4kyG z*x506*qPoQe3c^QPF?@blz`8b>oT#-o_Ajf?_&}d$pk5>KuG=vX>RQ2S{J#T$1+U1 zH1!I4S*oJFU7M0E-KWC8)g|=>YmE1DR80zT=y|7<~9!O-nt~D5TPQO zZgEmGii9&3nPuPj&OrBVTlnO>E8LL2imVlk+ppV9Af&azX?2~w48_$)G#0&m!_OY$ zImLaKdJ~%riSYX2UFJIIkwiF>j>*PCivqPIG(YiVS5?X`wy0Gqv`@HIwg~u?&~@{` zP!zUY9E-NQ)gAE}31WMPMgdiNSUGAuh{FzxvU}P&#^PbMf^q{vU2xHF4SSj}lG)%( zFsyn)q9pob%hemC@3u>owQ2^r8~g<_YTS}WA6^q3yfPgN$HsG0N3U+&{rn>?rTfF% zk-PDpH(!WTzv+6=BXR0yZ7k*qxvDhx5I@T6V6v&%Thm0#?}h~i4_IpCNDKtY?Y`;X zsjGBG$KGS09!K_FHQ&AGyjtViImwtu>*W)*Qt5+ALqSFINE^2oDe=OC2?^z;`~(kY zOQfb1&_!~}V#JNl6nzzD45C$VSdWLz{=9AY)p^>-7vQl*ddfVi@Xw&MW4B2 zg|w278{F75%GKjqGUMOYgf9dj%6h|t#D|K4H0YJI^4^2jc2BL z&YhXfL>qGAacj4hgYD>Uu5WMIT(Z)x z0P~6-r)I(jk1$)ukjuX<^D%L7NaDrkUPG}s1HpJNzje<=OP0`WnJGy(_ z@VWa!CS#;oce-~C$6YD!0e(4bNi;&Vo$^VC;i5%)zZ0T7ulNe;5!#DrKL1%YkD-qh zgU@w>BI)iO-&GXvz3Q$L6GxB!-uf_`i@?^QJn%Y|2<#J+}&KwDd0vkw*|ucm4zARc+o-Vv_! 
z2>&Z*{jcv6Cvy{PlfR!aPpQo%oo$UA+)@*OTk4Lzf8Tq>I5G>dPrOl;r5_lB+S=3gPdFxO^9e>>Uf;+AS zeyiu>omHB%q4eo*KhUfwlkxFVTnK>h)~={63_9(JIhBUqlE=`|-mkcO&E z(4dabe0YKRMILIDOFTK@=q!LO5wm143gwiN1jU;O=mCjrZ&vH^wXD z<~Ee|$IZ!$?^ov_1L23305a##q{66@ zh$vulk=w!>A~t{FJ9IF-+;_=Uy0XB!!MW{`fIl(xGFMyE0q#6fg)A3J<+S@HDXf@O zeVeDnRH1Y4Lq}jgB>`whfY6*_Q@zT^#UonYr9r>Qr!+BL$t7nRpEjo~_n;ShiLRXb zA}_$&0T?0{{Mr;-4oIKIb1JbhZpDT69<4o4{WYhPFT*lmy&ypH3UR9#gh?Nr@A*cX z=)8QHH@?XF@=nZbE#P<* zs1o_mhIQ@la%wFQ?t-W`X!5MnYBN>w-WumoNV{>i-1?zEQx2&N{hQI?d`B9GgLGkr zen9#vgz3~ol;$$wCIpFNfk{5=H!D9F%`5=U5j-!P-i2B;tK&_F1beETNp&eszNQh< z;}}iGCI_-xxl2>(D35&OvKWB>yNRsc3(T69!QJ}vvht$&Warroq>NDuerv%`$~p+N z2A0!vge9K zxp^`5C!EB{&AcZ-Bi@iMBm6*x_ndUY_r*rd4Cl_li+bOE+9~!AxQZ5UYBGT`_0cAA zSZ1IIRu77i_>d{N00)&!{MPZ(2F|66A1k$HbEO!!Fq&rdL_X^|B3Tx=0>8hIvlizaOYe zHTI|HM!-FeXU|==uii#h8TGkHBPF=x5R|1uvT?+*=^f`T3|IpO8`yE5M_P1ctq4SO zyekwoF(zQMtv{cy-dk4D9Y~CzOFQ?vpsTD40AWiyd%eXzpI_*`r|Oei*ME#8$#1Ek zzS`~lRd}8%ifD1?PJw_CO={jB!yZ5 zC!oM4O^xPwh6)XMA-(+$jr+J0#7|09a5y`0411U932N@Uj2=01V1@NCF5K4c;cfcH z{)SpAZn#Axx3r5NsJzqF^9SQQ|(2qhD$w%531+b)2*LS*CDm zDS9%b5|(ZSUOX+=n~lRzCnq2iCtiT7WxBZ?0+4(Dq3Ec27V$ksnu~&nCy6Qsrf@l) zP}Yw20#<=XkyTWNQjy(l_IJ%>UOZyiXIxnY+U9{wNpH|-{8R^eAO!&%36RA>RfKWG z4Y^RAGa|}6bc=Ahs$Fv-FXN_h4%VFE)x;6eSR`JVq7IwcL8TBR`}wEc94Pzo!?pv? 
zHSB%ER`ER$J{PAdqbj>rD8jWbXpn5;rj5Z2F;n4pEVN7<1n?HsSDl}0_3leCG7y`j zpGGLC)jLNW<0^f{;Ve28995ljht(dPYU9B%r>W|sf3~?w?KKdaene=KMOmL1Ue~A< zwIOF`J+8E2oMxe@N)*#Mrr~&Ho>yx=AtZd(ne@CZ?zz)K7;Z3c6KiPzqooS0%VqL9 z5w%t;Y#rBx2GJubV1*|U>Qm{*h@*2J<~`Pk7O77s2@L|y+{BLyNS{?<&8)w4s&QU} zB4nl_+I@T{kEOAjhuC{bR~#ulYGz-uFllz~Ijs+0>LqIGAFgH;>)@&FDvV2!dyc7uJ1-RAB^1-gI4DaqS`n7Bv+}l zncB_W+JP*I;iR{7!XD@wM44T?$506t^kjpak=EU7uD~cyDdx^a;kcDKAw=m%b?j?> zj&IPmytziU0)!I!Sg;!ooVv>rveQ!}88_ce^U`11_Q!Y(*{bo1m0W$?AZ!9SJl+6cgV(@LNbf zYj9Xg7uqI8z4gH~i<3wRiq6KtqIsLkZL_%iroa#j%n5>Z@XY%xl$$R5g()3H#-dQK z)12kI?V|1EtBMJc{e*+jz4hF(@RcLZ2EcGS2Z6P+Fub^DvMf96j+A(0nQ{4Bb4s~W zv3{K(LsLsOa)yPe8fitAD)Yzuk_^X7A__Enq*ZaY*Wskbp>Mh?VzH<5z(Z=$e7YWq z7`w_0qjRmDJTiaPoOc0KUWC=0({Jw8Ka!98VtqaDHi8oxax+2Wf-~|zp*VN zJrd9Iy}4%ietPYTrrSIksHlqbtOXibhq&(9t;LaQ+f_j;+~=+NSF+6(WUrI;-+H8k z$2HRXn!`VoLbmoC6uYnBr)+P0!&LLB?iVsyXd;qUib&1S^o9Ht>!&>E?-1{301o07 zI2U66Gl)jE4kmv^5ikU1RxsMmapFNGiMSXN77UOF;c_zA{!Ij)>1i|#CbqKYSG=(_ z6?=#Sp&1#cZlp?hp*09TpZH5=K6EFB!DKh#0(KnF8uUY4sqFfbUI%Ni(Q@(D^j89G zuqv6`fYzUKVes52cd%@BjU&ymyvCeiXNrl1Jc@o`0gfM`yHl8tpR#sTDc z(T3)5(vvz!Lcp|kW^L#$dTiwYG3hN?1!?90=9L~~X2)D6>RC7zx!CP&AznU&veGoQ zT8)Fl*!{kPn|f=mq*4ML_=JK0+GQwl>sp?A)fND~-~g9^921%4l=mKG8$*WVnY+{xhbHx$3}{Ne$ky%p6ly6!N)-lVVJFWwubp&XZ`EQ{~wD$AU?p20e5# zDB;BX^!0f6EJ2})RH}5TsYAAwQ!~NnL^?Ust1QJ4vn%N@HNM+xG17q@owdI2AE5p- z8VoFgqBh`Ygn*-g{#2Fz$-qP>$lHEqL+JzEVXL4`x%hDl@JNYzvLPy_@m8&fABail z%K=E%d~D=t6g7WmS|8 z-<=!}VLP2;vr>_PwADx=RInl=!Hz8!I?6|8R*bZ?OS|*l=l}dRG%Q+;Bh!+OT3aDS z$4GFE?&!8Vgqfi6$GA38I`pN8N=&UK&=UC50 zgO#)!*5$Gr2B(kMDR!`0u%0K_KacVMY41;l?P>i~PY<4Hg7^6kzU`OkPf6@g#_bmx0z&;? z*x&ryZ;w6g^5^{Y_bwygLjbnmU(?jzJN#cR^atN&@D9Ib8~SY04{~iga7~l literal 0 HcmV?d00001