diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index 27d4361a..04670a13 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -22,7 +22,7 @@ Identify the system time
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| computer_name | computer name to query | string | computer1|
+| computer_name | computer name to query | string | localhost|
#### Run it with `command_prompt`!
```
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
index 003ce30b..18e7d6de 100644
--- a/atomics/T1136/T1136.md
+++ b/atomics/T1136/T1136.md
@@ -39,12 +39,16 @@ Create a user via useradd
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
+#### Run it with `bash`! Elevation Required (e.g. root or admin)
```
-useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
+useradd -M -N -r -s /bin/bash -c evil_account #{username}
```
+#### Cleanup Commands:
+```
+userdel #{username}
+```
@@ -61,7 +65,7 @@ Creates a user on a MacOS system with dscl
| username | Username of the user to create | String | evil_user|
| realname | 'realname' to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
+#### Run it with `bash`! Elevation Required (e.g. root or admin)
```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
@@ -72,6 +76,10 @@ dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
+#### Cleanup Commands:
+```
+dscl . -delete /Users/#{username}
+```
@@ -85,14 +93,18 @@ Creates a new user in a command prompt
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| username | Username of the user to create | String | Evil Account|
+| username | Username of the user to create | String | T1136_CMD|
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin)
```
-net user /add #{username}
+net user /add "#{username}"
```
+#### Cleanup Commands:
+```
+net user /del "#{username}"
+```
@@ -106,15 +118,18 @@ Creates a new user in PowerShell
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| username | Username of the user to create | String | Evil Account|
+| username | Username of the user to create | String | T1136_PowerShell|
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
-New-LocalUser -Name #{username} -NoPassword
-net user /add #{username}
+New-LocalUser -Name "#{username}" -NoPassword
```
+#### Cleanup Commands:
+```
+Remove-LocalUser -Name "#{username}"
+```
@@ -131,12 +146,16 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
-#### Run it with `bash`!
+#### Run it with `bash`! Elevation Required (e.g. root or admin)
```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
+#### Cleanup Commands:
+```
+userdel #{username}
+```
diff --git a/atomics/index.yaml b/atomics/index.yaml
index c072ea49..92d07922 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -1302,7 +1302,11 @@ persistence:
default: Evil Account
executor:
name: bash
- command: 'useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
+ elevation_required: true
+ command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username}
+
+'
+ cleanup_command: 'userdel #{username}
'
- name: Create a user account on a MacOS system
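Review bot: The new bash command hard-codes `-c evil_account`, so the `comment` input argument (apparently the one whose `default: Evil Account` is still visible at the top of this hunk) no longer has any effect and a caller-supplied comment is silently ignored. Either keep the substitution, `command: 'useradd -M -N -r -s /bin/bash -c "#{comment}" "#{username}"`, or remove the `comment` argument from the test definition and from the Inputs table in T1136.md so the documented interface matches what runs. If the substitution was dropped to work around an executor quoting problem, a one-line comment saying so would save the next maintainer from restoring it.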
@@ -1322,6 +1326,7 @@ persistence:
default: Evil Account
executor:
name: bash
+ elevation_required: true
command: |
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
@@ -1329,6 +1334,9 @@ persistence:
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
+ cleanup_command: 'dscl . -delete /Users/#{username}
+
+'
- name: Create a new user in a command prompt
description: 'Creates a new user in a command prompt
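Review bot: The added `cleanup_command` interpolates `#{username}` unquoted into the directory-service path, while the Windows hunks in this same commit were changed to quote it; the `userdel #{username}` cleanups in the useradd and root-UID hunks have the same gap. A value containing spaces would split into extra arguments, and an empty value turns the path into `/Users/`; how dscl treats that is not shown here and should be checked before relying on it. Suggest `cleanup_command: 'dscl . -delete "/Users/#{username}"'` and, if the executor permits, a non-empty check on the value before any delete runs.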
@@ -1339,11 +1347,14 @@ persistence:
username:
description: Username of the user to create
type: String
- default: Evil Account
+ default: T1136_CMD
executor:
name: command_prompt
elevation_required: true
- command: 'net user /add #{username}
+ command: 'net user /add "#{username}"
+
+'
+ cleanup_command: 'net user /del "#{username}"
'
- name: Create a new user in PowerShell
@@ -1356,13 +1367,16 @@ persistence:
username:
description: Username of the user to create
type: String
- default: Evil Account
+ default: T1136_PowerShell
executor:
name: powershell
elevation_required: true
- command: |
- New-LocalUser -Name #{username} -NoPassword
- net user /add #{username}
+ command: 'New-LocalUser -Name "#{username}" -NoPassword
+
+'
+ cleanup_command: 'Remove-LocalUser -Name "#{username}"
+
+'
- name: Create a new user in Linux with `root` UID and GID.
description: 'Creates a new user in Linux and adds the user to the `root` group.
This technique was used by adversaries during the Butter attack campaign.
@@ -1381,9 +1395,13 @@ persistence:
default: BetterWithButter
executor:
name: bash
- command: |-
+ elevation_required: true
+ command: |
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
+ cleanup_command: 'userdel #{username}
+
+'
T1038:
technique:
x_mitre_permissions_required:
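Review bot: The `cleanup_command: 'userdel #{username}'` added here may not actually remove the account, because it was created with `-o -u 0` and userdel on many Linux builds refuses to delete a user whose UID still owns running processes, which is always the case for UID 0 (inferred from userdel's busy-user check, not from anything on this page). A cleanup that fails quietly leaves a second UID-0 login with the known default password `BetterWithButter` on the test host. The cleanup should confirm removal, for example by following the delete with `getent passwd "#{username}"` and treating any output as a failure. It should also never be extended with `-r`, since this account's home directory is `/root`.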
@@ -17981,7 +17999,7 @@ discovery:
computer_name:
description: computer name to query
type: string
- default: computer1
+ default: localhost
executor:
name: command_prompt
elevation_required: false