Added BH badge and refreshed notebooks

Author: Cyb3rWard0g

README.md

@@ -1,6 +1,7 @@
 # Cloud Katana
 
 [![Jupyter Book Badge](https://jupyterbook.org/badge.svg)](https://cloud-katana.com)
+[![BlackHat Arsenal 2021](https://raw.githubusercontent.com/toolswatch/badges/master/arsenal/usa/2021.svg)](https://www.blackhat.com/us-21/arsenal/schedule/#cloud-katana-24120)
 
 <p align="center">
   <a href="#about">About</a> •

docs/intro.md

@@ -1,5 +1,8 @@
 # Cloud Katana
 
+[![Jupyter Book Badge](https://jupyterbook.org/badge.svg)](https://cloud-katana.com)
+[![BlackHat Arsenal 2021](https://raw.githubusercontent.com/toolswatch/badges/master/arsenal/usa/2021.svg)](https://www.blackhat.com/us-21/arsenal/schedule/#cloud-katana-24120)
+
 Unlocking Serverless Computing to Assess Security Controls
 
 ![](images/KatanaDesign.png)

docs/simulate/azure/collection/get_my_mailbox_messages.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': '0cef806d-3d1c-4552-8905-173463012e8a', 'name': 'Get My Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of the current user session via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'steps': [{'schema': 'atomic', 'id': '24d6a76e-8bb9-4f95-9c52-03eaa1cf6b66', 'name': 'Get My Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of the current user session via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'delegated', 'permissions': ['Mail.Read']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKMyMailboxMessages'}, 'parameters': {'mailFolder': 'Inbox', 'selectFields': 'subject,sender,from,toRecipients,ccRecipients,replyTo,sentDateTime,id,hasAttachments,importance,bodyPreview,isRead,body,parentFolderId', 'pageSize': 10, 'orderBy': 'receivedDateTime', 'sortBy': 'desc'}}, 'number': 1}]}]
+data = [{'RequestId': '1474ab92-9870-4f9c-a2eb-2915dfd3f590', 'name': 'Get My Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of the current user session via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'steps': [{'schema': 'atomic', 'id': '24d6a76e-8bb9-4f95-9c52-03eaa1cf6b66', 'name': 'Get My Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of the current user session via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'delegated', 'permissions': ['Mail.Read']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKMyMailboxMessages'}, 'parameters': {'mailFolder': 'Inbox', 'selectFields': 'subject,sender,from,toRecipients,ccRecipients,replyTo,sentDateTime,id,hasAttachments,importance,bodyPreview,isRead,body,parentFolderId', 'pageSize': 10, 'orderBy': 'receivedDateTime', 'sortBy': 'desc'}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request

docs/simulate/azure/collection/get_user_mailbox_messages.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': 'ea209181-d38d-47a3-b152-c4822e3a9389', 'name': 'Get User Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of a specific user via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'steps': [{'schema': 'atomic', 'id': '8148b643-7e4b-4a3a-b840-07cc28bb8c74', 'name': 'Get User Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of a specific user via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Mail.Read']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKMailboxMessages'}, 'parameters': {'mailFolder': 'Inbox', 'selectFields': 'subject,sender,from,toRecipients,ccRecipients,replyTo,sentDateTime,id,hasAttachments,importance,bodyPreview,isRead,body,parentFolderId', 'pageSize': 10, 'orderBy': 'receivedDateTime', 'sortBy': 'desc'}}, 'number': 1}]}]
+data = [{'RequestId': '1f7e4c02-7b82-4372-903d-5b8ef90d1ee6', 'name': 'Get User Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of a specific user via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'steps': [{'schema': 'atomic', 'id': '8148b643-7e4b-4a3a-b840-07cc28bb8c74', 'name': 'Get User Mailbox Messages', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor could get messages from the mailbox of a specific user via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1114.002', 'tactics': ['TA0009']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Mail.Read']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKMailboxMessages'}, 'parameters': {'mailFolder': 'Inbox', 'selectFields': 'subject,sender,from,toRecipients,ccRecipients,replyTo,sentDateTime,id,hasAttachments,importance,bodyPreview,isRead,body,parentFolderId', 'pageSize': 10, 'orderBy': 'receivedDateTime', 'sortBy': 'desc'}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request

docs/simulate/azure/discovery/get_azure_ad_application_metadata.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': '30015437-1eaf-4bd6-92a9-46e2a682cd7e', 'name': 'Get Azure AD Application Metadata', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to get metadata from Azure AD Applications via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1087.004', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': '3d4bbcfa-e252-4bc2-ab0d-d8cfc78240a2', 'name': 'Get Azure AD Application Metadata', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to get metadata from Azure AD Applications via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1087.004', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Application.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADApplication'}, 'parameters': {}}, 'number': 1}]}]
+data = [{'RequestId': '165450c2-b879-44c2-b304-8a6e9670e80f', 'name': 'Get Azure AD Application Metadata', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to get metadata from Azure AD Applications via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1087.004', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': '3d4bbcfa-e252-4bc2-ab0d-d8cfc78240a2', 'name': 'Get Azure AD Application Metadata', 'metadata': {'creationDate': '2021-08-05', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to get metadata from Azure AD Applications via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1087.004', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Application.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADApplication'}, 'parameters': {}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request

docs/simulate/azure/discovery/get_azure_ad_directory_roles.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': '749bd74f-d42a-458f-98a1-c9ff5f107d80', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'd782c5cf-153c-4588-b153-dc54e35afa7f', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Directory.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADDirectoryRoles'}}, 'number': 1}]}]
+data = [{'RequestId': '27dda4d1-2dd7-476b-b44d-3982ebb4686e', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'd782c5cf-153c-4588-b153-dc54e35afa7f', 'name': 'Get Azure AD Directory Roles', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Directory.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADDirectoryRoles'}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request

docs/simulate/azure/discovery/get_azure_ad_groups.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': '6bb7bbe9-07dc-498d-a215-9baa8ecd5b12', 'name': 'Get Azure AD Groups', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'abef5116-ff37-4347-9e12-3f22babf18e9', 'name': 'Get Azure AD Groups', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Group.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADGroups'}, 'parameters': {}}, 'number': 1}]}]
+data = [{'RequestId': 'c902d927-621d-438a-af32-e4399cc2d294', 'name': 'Get Azure AD Groups', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'abef5116-ff37-4347-9e12-3f22babf18e9', 'name': 'Get Azure AD Groups', 'metadata': {'creationDate': '2021-08-22', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['Group.Read.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKAzADGroups'}, 'parameters': {}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request

docs/simulate/azure/discovery/get_azure_ad_oauth_permission_grants.md

@@ -66,7 +66,7 @@ endpoint = function_app_url + "/api/orchestrators/Orchestrator"
 ### Prepare HTTP Body
 
 ```python
-data = [{'RequestId': 'f1ef4f49-3f22-4135-8449-f91881098166', 'name': 'Get Azure AD OAuth Permission Grants', 'metadata': {'creationDate': '2021-09-08', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'ccc426f4-7fd7-4014-9886-2d9e97631214', 'name': 'Get Azure AD OAuth Permission Grants', 'metadata': {'creationDate': '2021-09-08', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['DelegatedPermissionGrant.ReadWrite.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKOauth2PermissionGrants'}, 'parameters': {}}, 'number': 1}]}]
+data = [{'RequestId': 'e8ba2ca1-73fb-4734-aff5-7f2818be096c', 'name': 'Get Azure AD OAuth Permission Grants', 'metadata': {'creationDate': '2021-09-08', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'steps': [{'schema': 'atomic', 'id': 'ccc426f4-7fd7-4014-9886-2d9e97631214', 'name': 'Get Azure AD OAuth Permission Grants', 'metadata': {'creationDate': '2021-09-08', 'modificationDate': '2021-09-08', 'description': 'A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users via Microsoft Graph APIs and the right permissions.\n', 'contributors': ['Roberto Rodriguez @Cyb3rWard0g', 'MSTIC R&D'], 'mitreAttack': [{'technique': 'T1069.003', 'tactics': ['TA0007']}]}, 'authorization': [{'resource': 'https://graph.microsoft.com/', 'permissionsType': 'application', 'permissions': ['DelegatedPermissionGrant.ReadWrite.All']}], 'execution': {'type': 'ScriptModule', 'platform': 'Azure', 'executor': 'PowerShell', 'module': {'name': 'CloudKatanaAbilities', 'version': 1.0, 'function': 'Get-CKOauth2PermissionGrants'}, 'parameters': {}}, 'number': 1}]}]
 ```
 
 ### Send HTTP Request