From 3c22d0867e4b73f6f92e15410ecb5b0c41e24486 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Wed, 8 Feb 2023 14:19:07 +0530
Subject: [PATCH 1/3] Added 3 new testings - macOS 3 new tests to add a new account and enable admin privileges
---
 atomics/T1078.003/T1078.003.yaml | 39 ++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml
index f219e9cd..ec77a9ea 100644
--- a/atomics/T1078.003/T1078.003.yaml
+++ b/atomics/T1078.003/T1078.003.yaml
@@ -42,6 +42,45 @@ atomic_tests:
 sudo dscl . -delete /Users/AtomicUser
 name: bash
 elevation_required: true
+
+- name: Create local account with admin privileges using sysadminctl utility - MacOS
+ description: After execution the new account will be active and added to the Administrators group
+ supported_platforms:
+ - macos
+ executor:
+ command: |-
+ sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
+ cleanup_command: |-
+ sysadminctl interactive -deleteUser art-tester
+ name: bash
+ elevation_required: true
+
+- name: Enable root account using dsenableroot utility - MacOS
+ description: After execution the current or new user will have root access
+ supported_platforms:
+ - macos
+ executor:
+ command: |-
+ dsenableroot #current user
+ dsenableroot -u art-tester -p art-tester -r art-root #new user
+ cleanup_command: |-
+ dsenableroot -d #current user
+ dsenableroot -d -u art-tester -p art-tester #new user
+ name: bash
+ elevation_required: true
+
+- name: Add a new/existing user to the admin group - macOS
+ description: After execution the current or new user will be added to the Admin group
+ supported_platforms:
+ - macos
+ executor:
+ command: |-
+ dseditgroup -o edit -a art-user -t user admin
+ cleanup_command: |-
+ dseditgroup -o edit -d art-user -t user admin
+ name: bash
+ elevation_required: true
+
 - name: WinPwn - Loot local Credentials - powerhell kittie
 auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
 description: Loot local Credentials - powerhell kittie technique via function of WinPwn
From 424bb247a06482cc2b81881439b7306a6d027272 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Wed, 8 Feb 2023 14:23:24 +0530
Subject: [PATCH 2/3] Update T1078.003.yaml
---
 atomics/T1078.003/T1078.003.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml
index ec77a9ea..e699bb3a 100644
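Review bot: In the new dsenableroot test, `dsenableroot` and `dsenableroot -d` with no arguments prompt on the terminal for the current user's credentials, and the `-u art-tester -p art-tester` forms assume an account `art-tester` with password `art-tester` that nothing in this hunk creates (the sysadminctl test creates `art-tester` with `!pass123!`). If the command or the cleanup blocks or fails in a non-interactive run, the host is left with the root account enabled under the known password `art-root`, so the cleanup must not depend on a prompt and the account should be guaranteed to exist first. I would drop the prompting variants, move the account name and passwords into `input_arguments`, and add a `dependencies` entry that creates the admin account when it is missing, as sketched below. The dseditgroup test has the same gap: it adds `art-user`, which no test here creates, while the account created earlier is `art-tester`, so the same prereq pattern applies there. `sysadminctl interactive` may additionally raise a GUI authorization dialog when run unattended; since the test already runs with `elevation_required: true`, the plain `sysadminctl -addUser …` form is presumably enough — confirm on a test host.
```yaml
- name: Enable root account using dsenableroot utility - MacOS
  description: After execution the root account is enabled using the credentials of an existing admin account
  supported_platforms:
  - macos
  input_arguments:
    admin_user:
      description: Existing admin account whose credentials authorize enabling root
      type: string
      default: art-tester
    admin_password:
      description: Password of the admin account
      type: string
      default: art-tester
    root_password:
      description: Password to set on the root account
      type: string
      default: art-root
  dependency_executor_name: bash
  dependencies:
  - description: The admin account named by admin_user must exist
    prereq_command: |-
      dscl . -read /Users/#{admin_user} > /dev/null 2>&1
    get_prereq_command: |-
      sysadminctl -addUser #{admin_user} -password #{admin_password} -admin
  executor:
    command: |-
      dsenableroot -u #{admin_user} -p #{admin_password} -r #{root_password}
    cleanup_command: |-
      dsenableroot -d -u #{admin_user} -p #{admin_password}
    name: bash
    elevation_required: true
# … unchanged: sysadminctl and dseditgroup tests …
```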
--- a/atomics/T1078.003/T1078.003.yaml
+++ b/atomics/T1078.003/T1078.003.yaml
@@ -56,7 +56,7 @@ atomic_tests:
 elevation_required: true
 - name: Enable root account using dsenableroot utility - MacOS
- description: After execution the current or new user will have root access
+ description: After execution the current/new user will have root access
 supported_platforms:
 - macos
 executor:
@@ -70,7 +70,7 @@ atomic_tests:
 elevation_required: true
 - name: Add a new/existing user to the admin group - macOS
- description: After execution the current or new user will be added to the Admin group
+ description: After execution the current/new user will be added to the Admin group
 supported_platforms:
 - macos
 executor:
From 5c17c4668ab9b6df46e8038cba0609650c6562a3 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Wed, 8 Feb 2023 14:27:12 +0530
Subject: [PATCH 3/3] minor update
---
 atomics/T1078.003/T1078.003.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml
index e699bb3a..d26aa4d8 100644
--- a/atomics/T1078.003/T1078.003.yaml
+++ b/atomics/T1078.003/T1078.003.yaml
@@ -69,7 +69,7 @@ atomic_tests:
 name: bash
 elevation_required: true
-- name: Add a new/existing user to the admin group - macOS
+- name: Add a new/existing user to the admin group using dseditgroup utility - macOS
 description: After execution the current/new user will be added to the Admin group
 supported_platforms:
 - macos