Generate docs from job=validate_atomics_generate_docs branch=master

2020-07-17 15:15:59 +00:00
parent 0ba89c3b52
commit 126e8b1c05
8 changed files with 94 additions and 0 deletions
@@ -402,6 +402,7 @@ defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1
 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
 impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
+impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
@@ -243,6 +243,7 @@ persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence -
 persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
 impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
+impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
@@ -766,6 +766,7 @@
 - [T1531 Account Access Removal](../../T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
+  - Atomic Test #3: Remove Account From Domain Admin Group [windows]
 - T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
@@ -487,6 +487,7 @@
 - [T1531 Account Access Removal](../../T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
+  - Atomic Test #3: Remove Account From Domain Admin Group [windows]
 - T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
@@ -33164,6 +33164,43 @@ impact:
 '
        name: command_prompt
        elevation_required: true
+    - name: Remove Account From Domain Admin Group
+      auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947
+      description: 'This test will remove an account from the domain admins group
+
+'
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Requires the Active Directory module for powershell to be installed.
+        prereq_command: if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
+          0} else {exit 1}
+        get_prereq_command: Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+      input_arguments:
+        super_user:
+          description: Account used to run the execution command (must include domain).
+          type: string
+          default: domain\super_user
+        super_pass:
+          description: super_user account password.
+          type: string
+          default: password
+        remove_user:
+          description: Account to remove from domain admins.
+          type: string
+          default: remove_user
+      executor:
+        command: |
+          $PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
+          if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
+            Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
+          } else{
+              write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
+          }
+        name: powershell
+        elevation_required: false
  T1499.003:
    technique:
      external_references:
@@ -10,6 +10,8 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c

 - [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows)

+- [Atomic Test #3 - Remove Account From Domain Admin Group](#atomic-test-3---remove-account-from-domain-admin-group)
+

 <br/>

@@ -100,4 +102,53 @@ net user #{user_account} #{new_user_password} /add



+<br/>
+<br/>
+
+## Atomic Test #3 - Remove Account From Domain Admin Group
+This test will remove an account from the domain admins group
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| super_user | Account used to run the execution command (must include domain). | string | domain&#92;super_user|
+| super_pass | super_user account password. | string | password|
+| remove_user | Account to remove from domain admins. | string | remove_user|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
+if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
+  Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
+} else{
+    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
+}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Requires the Active Directory module for powershell to be installed.
+##### Check Prereq Commands:
+```powershell
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+```
+
+
+
+
 <br/>
@@ -63,6 +63,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Remove Account From Domain Admin Group
+  auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947
  description: |
    This test will remove an account from the domain admins group
  supported_platforms:
@@ -549,3 +549,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 315f4be6-2240-4552-b3e1-d1047f5eecea
 a123ce6a-3916-45d6-ba9c-7d4081315c27
 a90c2f4d-6726-444e-99d2-a00cd7c20480
+43f71395-6c37-498e-ab17-897d814a0947