T1531 - Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

Atomic Tests


Atomic Test #1 - Change User Password - Windows

Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283".

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | AtomicAdministrator |
| new_user_password | Password to use if user account must be created first | string | User2ChangePW! |
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
```

Cleanup Commands:

```cmd
net.exe user #{user_account} /delete >nul 2>&1
```


Atomic Test #2 - Delete User - Windows

Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_user_password | Password to use if user account must be created first | string | User2DeletePW! |
| user_account | User account to be deleted. | string | AtomicUser |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
```


Atomic Test #3 - Remove Account From Domain Admin Group

This test will remove an account from the Domain Admins group.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| super_user | Account used to run the execution command (must include domain). | string | domain\super_user |
| super_pass | super_user account password. | string | password |
| remove_user | Account to remove from domain admins. | string | remove_user |

Attack Commands: Run with powershell!

```powershell
# Build a credential object for the privileged account that performs the removal.
# Placeholders are quoted so values containing spaces or special characters survive substitution.
$PWord = ConvertTo-SecureString -String "#{super_pass}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{super_user}", $PWord
# Only attempt the removal if the target account is currently a member of Domain Admins.
if ((Get-ADUser "#{remove_user}" -Properties memberof).memberof -like "CN=Domain Admins*") {
    Remove-ADGroupMember -Identity "Domain Admins" -Members "#{remove_user}" -Credential $Credential -Confirm:$False
} else {
    Write-Host "Error - Make sure #{remove_user} is in the domain admins group" -ForegroundColor Red
}
```

Dependencies: Run with powershell!

Description: Requires the Active Directory module for PowerShell to be installed.

Check Prereq Commands:

```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```
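The three tests above each leave a distinct Windows Security event behind: an administrative password reset (4724), a user account deletion (4726) and a member removed from a security-enabled global group (4729). The following detection sketch is an added example, not part of Atomic Red Team; it assumes events have already been parsed into dicts carrying the native EventData field names, and the sample batch at the bottom is constructed.

```python
from typing import Dict, List

# Windows Security event IDs raised by the tests on this page (assumed mapping).
T1531_EVENTS = {
    4724: "password reset (Test #1: net user <acct> <pw>)",
    4726: "user account deleted (Test #2: net user <acct> /delete)",
    4729: "member removed from global security group (Test #3: Remove-ADGroupMember)",
}
# Group memberships whose removal is escalated regardless of who did it.
HIGH_VALUE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def classify(event: Dict) -> Dict:
    """Return a finding for one event, or {} if it is not relevant to T1531."""
    eid = event.get("EventID")
    if eid not in T1531_EVENTS:
        return {}
    finding = {
        "event_id": eid,
        "technique": "T1531",
        "what": T1531_EVENTS[eid],
        "actor": event.get("SubjectUserName"),
        "target": event.get("TargetUserName"),
        "severity": "medium",
    }
    if eid == 4729:
        # For 4729 TargetUserName is the group; the removed account is in MemberName.
        finding["group"] = event.get("TargetUserName")
        finding["target"] = event.get("MemberName")
        if finding["group"] in HIGH_VALUE_GROUPS:
            finding["severity"] = "high"
    return finding


def detect(events: List[Dict]) -> List[Dict]:
    """Classify a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]


# Constructed sample batch: a benign logon plus one event per test above.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4724, "SubjectUserName": "attacker", "TargetUserName": "AtomicAdministrator"},
    {"EventID": 4726, "SubjectUserName": "attacker", "TargetUserName": "AtomicUser"},
    {"EventID": 4729, "SubjectUserName": "super_user", "TargetUserName": "Domain Admins",
     "MemberName": "CN=remove_user,CN=Users,DC=example,DC=local"},
]
```

Self-service password changes (4723) are deliberately excluded; the reset in Test #1 is performed by another account and therefore surfaces as 4724.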