Generate docs from job=validate_atomics_generate_docs branch=master

atomics/T1531/T1531.md

@@ -0,0 +1,65 @@
+# T1531 - Account Access Removal
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531)
+<blockquote>Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
+
+Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Change User Password - Windows](#atomic-test-1---change-user-password---windows)
+
+- [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows)
+
+
+<br/>
+
+## Atomic Test #1 - Change User Password - Windows
+Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_account | User account whose password will be changed. | string | Administrator|
+| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD|
+
+#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+net.exe user #{user_account} #{new_password}
+```
+
+#### Commands to Check Prerequisites:
+```
+net.exe user #{user_account}
+```
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Delete User - Windows
+Deletes a user account to prevent access.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_account | User account to be deleted. | string | AtomicUser|
+
+#### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
+```
+net.exe user #{user_account} /delete
+```
+
+#### Commands to Check Prerequisites:
+```
+net.exe user #{user_account} /add
+net.exe user #{user_account} P@$$w0rd
+```
+
+
+<br/>

atomics/index.md

@@ -436,7 +436,9 @@
   - Atomic Test #1: Web Shell Written to Disk [windows]
 
 # impact
-- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
+  - Atomic Test #1: Change User Password - Windows [windows]
+  - Atomic Test #2: Delete User - Windows [windows]
 - [T1485 Data Destruction](./T1485/T1485.md)
   - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
   - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]

atomics/index.yaml

@@ -13019,30 +13019,23 @@ privilege-escalation:
 
 '
 impact:
-  '':
+  T1531:
     technique:
       x_mitre_data_sources:
-      - Packet capture
-      - Network protocol analysis
+      - Windows event logs
+      - Process command-line parameters
+      - Process monitoring
       x_mitre_permissions_required:
       - User
       - Administrator
       - root
       - SYSTEM
-      name: Transmitted Data Manipulation
-      description: "Adversaries may alter data en route to storage or other systems
-        in order to manipulate external outcomes or hide activity.(Citation: FireEye
-        APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted
-        data, adversaries may attempt to affect a business process, organizational
-        understanding, and decision making. \n\nManipulation may be possible over
-        a network connection or between system processes where there is an opportunity
-        deploy a tool that will intercept and change information. The type of modification
-        and the impact it will have depends on the target transmission mechanism as
-        well as the goals and objectives of the adversary. For complex systems, an
-        adversary would likely need special expertise and possibly access to specialized
-        software related to the system that would typically be gained through a prolonged
-        information gathering campaign in order to have the desired impact."
-      id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8
+      name: Account Access Removal
+      description: |-
+        Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
+
+        Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
+      id: attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0
       x_mitre_platforms:
       - Linux
       - macOS
@@ -13051,33 +13044,80 @@ impact:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_version: '1.0'
       x_mitre_impact_type:
-      - Integrity
+      - Availability
       type: attack-pattern
-      x_mitre_detection: Detecting the manipulation of data as at passes over a network
-        can be difficult without the appropriate tools. In some cases integrity verification
-        checks, such as file hashing, may be used on critical files as they transit
-        a network. With some critical processes involving transmission of data, manual
-        or out-of-band integrity checking may be useful for identifying manipulated
-        data.
+      x_mitre_detection: |-
+        Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
+
+        * Event ID 4723 - An attempt was made to change an account's password
+        * Event ID 4724 - An attempt was made to reset an account's password
+        * Event ID 4726 - A user account was deleted
+        * Event ID 4740 - A user account was locked out
+
+        Alerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
       created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      created: '2019-04-09T16:08:20.824Z'
+      created: '2019-10-09T18:48:31.906Z'
       kill_chain_phases:
       - kill_chain_name: mitre-attack
         phase_name: impact
       external_references:
-      - source_name: mitre-attack
-        external_id: T1493
-        url: https://attack.mitre.org/techniques/T1493
-      - source_name: FireEye APT38 Oct 2018
-        description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
-          November 6, 2018.'
-        url: https://content.fireeye.com/apt/rpt-apt38
-      - description: Department of Justice. (2018, September 6). Criminal Complaint
-          - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
-        source_name: DOJ Lazarus Sony 2018
-        url: https://www.justice.gov/opa/press-release/file/1092091/download
-      modified: '2019-06-20T16:56:29.277Z'
-    atomic_tests: []
+      - external_id: T1531
+        source_name: mitre-attack
+        url: https://attack.mitre.org/techniques/T1531
+      - source_name: CarbonBlack LockerGoga 2019
+        description: CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat
+          Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
+        url: https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/
+      - description: Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga.
+          Retrieved April 16, 2019.
+        source_name: Unit42 LockerGoga 2019
+        url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
+      modified: '2019-10-14T23:29:24.908Z'
+      identifier: T1531
+    atomic_tests:
+    - name: Change User Password - Windows
+      description: 'Changes the user password to hinder access attempts. Seen in use
+        by LockerGoga.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_account:
+          description: User account whose password will be changed.
+          type: string
+          default: Administrator
+        new_password:
+          description: New password for the specified account.
+          type: string
+          default: HuHuHUHoHo283283@dJD
+      executor:
+        name: command_prompt
+        elevation_required: true
+        prereq_command: 'net.exe user #{user_account}
+
+'
+        command: 'net.exe user #{user_account} #{new_password}
+
+'
+    - name: Delete User - Windows
+      description: 'Deletes a user account to prevent access.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_account:
+          description: User account to be deleted.
+          type: string
+          default: AtomicUser
+      executor:
+        name: command_prompt
+        elevation_required: true
+        prereq_command: |
+          net.exe user #{user_account} /add
+          net.exe user #{user_account} P@$$w0rd
+        command: 'net.exe user #{user_account} /delete'
   T1485:
     technique:
       x_mitre_data_sources:
@@ -13225,6 +13265,65 @@ impact:
       executor:
         name: bash
         command: dd of=#{file_to_overwrite} if=#{overwrite_source}
+  '':
+    technique:
+      x_mitre_data_sources:
+      - Packet capture
+      - Network protocol analysis
+      x_mitre_permissions_required:
+      - User
+      - Administrator
+      - root
+      - SYSTEM
+      name: Transmitted Data Manipulation
+      description: "Adversaries may alter data en route to storage or other systems
+        in order to manipulate external outcomes or hide activity.(Citation: FireEye
+        APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted
+        data, adversaries may attempt to affect a business process, organizational
+        understanding, and decision making. \n\nManipulation may be possible over
+        a network connection or between system processes where there is an opportunity
+        deploy a tool that will intercept and change information. The type of modification
+        and the impact it will have depends on the target transmission mechanism as
+        well as the goals and objectives of the adversary. For complex systems, an
+        adversary would likely need special expertise and possibly access to specialized
+        software related to the system that would typically be gained through a prolonged
+        information gathering campaign in order to have the desired impact."
+      id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8
+      x_mitre_platforms:
+      - Linux
+      - macOS
+      - Windows
+      object_marking_refs:
+      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+      x_mitre_version: '1.0'
+      x_mitre_impact_type:
+      - Integrity
+      type: attack-pattern
+      x_mitre_detection: Detecting the manipulation of data as at passes over a network
+        can be difficult without the appropriate tools. In some cases integrity verification
+        checks, such as file hashing, may be used on critical files as they transit
+        a network. With some critical processes involving transmission of data, manual
+        or out-of-band integrity checking may be useful for identifying manipulated
+        data.
+      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      created: '2019-04-09T16:08:20.824Z'
+      kill_chain_phases:
+      - kill_chain_name: mitre-attack
+        phase_name: impact
+      external_references:
+      - source_name: mitre-attack
+        external_id: T1493
+        url: https://attack.mitre.org/techniques/T1493
+      - source_name: FireEye APT38 Oct 2018
+        description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+          November 6, 2018.'
+        url: https://content.fireeye.com/apt/rpt-apt38
+      - description: Department of Justice. (2018, September 6). Criminal Complaint
+          - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+        source_name: DOJ Lazarus Sony 2018
+        url: https://www.justice.gov/opa/press-release/file/1092091/download
+      modified: '2019-06-20T16:56:29.277Z'
+    atomic_tests: []
   T1490:
     technique:
       x_mitre_data_sources:

atomics/linux-index.md

@@ -40,7 +40,7 @@
 - [T1100 Web Shell](./T1100/T1100.md)
 
 # impact
-- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
 - [T1485 Data Destruction](./T1485/T1485.md)
   - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/macos-index.md

@@ -57,7 +57,7 @@
 - [T1100 Web Shell](./T1100/T1100.md)
 
 # impact
-- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
 - [T1485 Data Destruction](./T1485/T1485.md)
   - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/windows-index.md

@@ -295,7 +295,9 @@
   - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
 
 # impact
-- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
+  - Atomic Test #1: Change User Password - Windows [windows]
+  - Atomic Test #2: Delete User - Windows [windows]
 - [T1485 Data Destruction](./T1485/T1485.md)
   - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
   - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]