Generate docs from job=validate_atomics_generate_docs branch=master

2020-08-17 16:10:14 +00:00
parent 6f3085ee17
commit 1427393485
8 changed files with 144 additions and 0 deletions
@@ -82,6 +82,7 @@ persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,9
 persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -193,6 +193,7 @@ defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1
 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -176,6 +176,7 @@
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
+  - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -374,6 +374,7 @@
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
+  - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
@@ -8461,6 +8461,65 @@ persistence:
              }
        name: powershell
        elevation_required: true
+    - name: Domain Account and Group Manipulate
+      auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+      description: "Create a random atr-nnnnnnnn account and add it to a domain group
+        (by default, Domain Admins). \n\nThe quickest way to run it is against a domain
+        controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need
+        to install PS Module ActiveDirectory (in prereqs) and run the script with
+        appropriare AD privileges to \ncreate the user and alter the group. Automatic
+        installation of the dependency requires an elevated session, \nand is unlikely
+        to work with Powershell Core (untested).\n\nIf you consider running this test
+        against a production Active Directory, the good practise is to create a dedicated\nservice
+        account whose delegation is given onto a dedicated OU for user creation and
+        deletion, as well as delegated\nas group manager of the target group.\n\nExample:
+        `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and
+        Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        account_prefix:
+          description: |
+            Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+            a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
+          type: String
+          default: atr-
+        group:
+          description: Name of the group to alter
+          type: String
+          default: Domain Admins
+        create_args:
+          description: Additional string appended to New-ADUser call
+          type: String
+          default: ''
+      dependencies:
+      - description: 'PS Module ActiveDirectory
+
+'
+        prereq_command: "Try {\n    Import-Module ActiveDirectory -ErrorAction Stop
+          | Out-Null\n    exit 0\n} \nCatch {\n    exit 1\n}\n"
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        command: |
+          $x = Get-Random -Minimum 2 -Maximum 99
+          $y = Get-Random -Minimum 2 -Maximum 99
+          $z = Get-Random -Minimum 2 -Maximum 99
+          $w = Get-Random -Minimum 2 -Maximum 99
+
+          Import-Module ActiveDirectory
+          $account = "#{account_prefix}-$x$y$z"
+          New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+          Add-ADGroupMember "#{group}" $account
+        cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))"
+          | Remove-ADUser -Confirm:$False
+
+'
+        name: powershell
  T1098.003:
    technique:
      external_references:
@@ -6,6 +6,8 @@

 - [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate)

+- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate)
+

 <br/>

@@ -45,4 +47,81 @@ foreach($member in $fmm) {



+<br/>
+<br/>
+
+## Atomic Test #2 - Domain Account and Group Manipulate
+Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). 
+
+The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
+you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to 
+create the user and alter the group. Automatic installation of the dependency requires an elevated session, 
+and is unlikely to work with Powershell Core (untested).
+
+If you consider running this test against a production Active Directory, the good practise is to create a dedicated
+service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
+as group manager of the target group.
+
+Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-|
+| group | Name of the group to alter | String | Domain Admins|
+| create_args | Additional string appended to New-ADUser call | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$x = Get-Random -Minimum 2 -Maximum 99
+$y = Get-Random -Minimum 2 -Maximum 99
+$z = Get-Random -Minimum 2 -Maximum 99
+$w = Get-Random -Minimum 2 -Maximum 99
+
+Import-Module ActiveDirectory
+$account = "#{account_prefix}-$x$y$z"
+New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+Add-ADGroupMember "#{group}" $account
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PS Module ActiveDirectory
+##### Check Prereq Commands:
+```powershell
+Try {
+    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+    exit 0
+} 
+Catch {
+    exit 1
+} 
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+  Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
 <br/>
@@ -29,6 +29,7 @@ atomic_tests:
    elevation_required: true

 - name: Domain Account and Group Manipulate
+  auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
  description: |
    Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). 
    
@@ -565,3 +565,4 @@ b5656f67-d67f-4de8-8e62-b5581630f528
 1620de42-160a-4fe5-bbaf-d3fef0181ce9
 db020456-125b-4c8b-a4a7-487df8afb5a2
 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+a55a22e9-a3d3-42ce-bd48-2653adb8f7a9