From 1663bf7d524b6fc8a9a39104feb2949b36368dfc Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 5 Nov 2019 17:14:33 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1531/T1531.md | 65 ++++++++++++ atomics/art_navigator_layer.json | 2 +- atomics/index.md | 4 +- atomics/index.yaml | 175 ++++++++++++++++++++++++------- atomics/linux-index.md | 2 +- atomics/macos-index.md | 2 +- atomics/windows-index.md | 4 +- 7 files changed, 211 insertions(+), 43 deletions(-) create mode 100644 atomics/T1531/T1531.md diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md new file mode 100644 index 00000000..24f63f19 --- /dev/null +++ b/atomics/T1531/T1531.md @@ -0,0 +1,65 @@ +# T1531 - Account Access Removal +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531) +
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. + +Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
+ +## Atomic Tests + +- [Atomic Test #1 - Change User Password - Windows](#atomic-test-1---change-user-password---windows) + +- [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows) + + +
+ +## Atomic Test #1 - Change User Password - Windows +Changes the user password to hinder access attempts. Seen in use by LockerGoga. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user_account | User account whose password will be changed. | string | Administrator| +| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD| + +#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +``` +net.exe user #{user_account} #{new_password} +``` + +#### Commands to Check Prerequisites: +``` +net.exe user #{user_account} +``` + + +
+
+ +## Atomic Test #2 - Delete User - Windows +Deletes a user account to prevent access. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user_account | User account to be deleted. | string | AtomicUser| + +#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) +``` +net.exe user #{user_account} /delete +``` + +#### Commands to Check Prerequisites: +``` +net.exe user #{user_account} /add +net.exe user #{user_account} P@$$w0rd +``` + + +
diff --git a/atomics/art_navigator_layer.json b/atomics/art_navigator_layer.json index 004fdb7c..3b7d207b 100644 --- a/atomics/art_navigator_layer.json +++ b/atomics/art_navigator_layer.json 
@@ -1 +1 @@ -{"version":"2.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"
enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":tr
ue},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techn
iqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled
":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1122","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"t
echniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID"
:"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/index.md b/atomics/index.md index fee86a16..43068d61 100644 --- a/atomics/index.md +++ b/atomics/index.md 
@@ -436,7 +436,9 @@ - Atomic Test #1: Web Shell Written to Disk [windows] # impact -- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1531 Account Access Removal](./T1531/T1531.md) + - Atomic Test #1: Change User Password - Windows [windows] + - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index ad9b9a4d..73945466 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -13019,30 +13019,23 @@ privilege-escalation: ' impact: - '': + T1531: technique: x_mitre_data_sources: - - Packet capture - - Network protocol analysis + - Windows event logs + - Process command-line parameters + - Process monitoring x_mitre_permissions_required: - User - Administrator - root - SYSTEM - name: Transmitted Data Manipulation - description: "Adversaries may alter data en route to storage or other systems - in order to manipulate external outcomes or hide activity.(Citation: FireEye - APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted - data, adversaries may attempt to affect a business process, organizational - understanding, and decision making. \n\nManipulation may be possible over - a network connection or between system processes where there is an opportunity - deploy a tool that will intercept and change information. The type of modification - and the impact it will have depends on the target transmission mechanism as - well as the goals and objectives of the adversary. For complex systems, an - adversary would likely need special expertise and possibly access to specialized - software related to the system that would typically be gained through a prolonged - information gathering campaign in order to have the desired impact." - id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8 + name: Account Access Removal + description: |- + Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. + + Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) + id: attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0 x_mitre_platforms: - Linux - macOS 
@@ -13051,33 +13044,80 @@ impact: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 x_mitre_version: '1.0' x_mitre_impact_type: - - Integrity + - Availability type: attack-pattern - x_mitre_detection: Detecting the manipulation of data as at passes over a network - can be difficult without the appropriate tools. In some cases integrity verification - checks, such as file hashing, may be used on critical files as they transit - a network. With some critical processes involving transmission of data, manual - or out-of-band integrity checking may be useful for identifying manipulated - data. + x_mitre_detection: |- + Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account: + + * Event ID 4723 - An attempt was made to change an account's password + * Event ID 4724 - An attempt was made to reset an account's password + * Event ID 4726 - A user account was deleted + * Event ID 4740 - A user account was locked out + + Alerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - created: '2019-04-09T16:08:20.824Z' + created: '2019-10-09T18:48:31.906Z' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact external_references: - - source_name: mitre-attack - external_id: T1493 - url: https://attack.mitre.org/techniques/T1493 - - source_name: FireEye APT38 Oct 2018 - description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved - November 6, 2018.' 
- url: https://content.fireeye.com/apt/rpt-apt38 - - description: Department of Justice. (2018, September 6). Criminal Complaint - - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. - source_name: DOJ Lazarus Sony 2018 - url: https://www.justice.gov/opa/press-release/file/1092091/download - modified: '2019-06-20T16:56:29.277Z' - atomic_tests: [] + - external_id: T1531 + source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1531 + - source_name: CarbonBlack LockerGoga 2019 + description: CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat + Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. + url: https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/ + - description: Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. + Retrieved April 16, 2019. + source_name: Unit42 LockerGoga 2019 + url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ + modified: '2019-10-14T23:29:24.908Z' + identifier: T1531 + atomic_tests: + - name: Change User Password - Windows + description: 'Changes the user password to hinder access attempts. Seen in use + by LockerGoga. + +' + supported_platforms: + - windows + input_arguments: + user_account: + description: User account whose password will be changed. + type: string + default: Administrator + new_password: + description: New password for the specified account. + type: string + default: HuHuHUHoHo283283@dJD + executor: + name: command_prompt + elevation_required: true + prereq_command: 'net.exe user #{user_account} + +' + command: 'net.exe user #{user_account} #{new_password} + +' + - name: Delete User - Windows + description: 'Deletes a user account to prevent access. + +' + supported_platforms: + - windows + input_arguments: + user_account: + description: User account to be deleted. 
+ type: string + default: AtomicUser + executor: + name: command_prompt + elevation_required: true + prereq_command: | + net.exe user #{user_account} /add + net.exe user #{user_account} P@$$w0rd + command: 'net.exe user #{user_account} /delete' T1485: technique: x_mitre_data_sources: 
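Review bot: The `Change User Password - Windows` entry defaults `user_account` to `Administrator` and carries no cleanup, so a run with default inputs replaces the built-in administrator's password with the publicly documented `HuHuHUHoHo283283@dJD` and never restores it. That both risks locking the operator out of the test host and leaves a known credential behind; a safer default is a throwaway account created by the prerequisite, `default: AtomicUser`, with a prereq mirroring the second test's `net.exe user #{user_account} /add`, plus a cleanup step that deletes the account if the atomic schema supports one. Since this index is generated (per the commit subject), the change belongs in the source atomic definition for T1531 rather than in this file. The same consideration applies to the delete test's prerequisite, which leaves an account with the fixed password `P@$$w0rd` on the host if the `/delete` command fails.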
@@ -13225,6 +13265,65 @@ impact: executor: name: bash command: dd of=#{file_to_overwrite} if=#{overwrite_source} + '': + technique: + x_mitre_data_sources: + - Packet capture + - Network protocol analysis + x_mitre_permissions_required: + - User + - Administrator + - root + - SYSTEM + name: Transmitted Data Manipulation + description: "Adversaries may alter data en route to storage or other systems + in order to manipulate external outcomes or hide activity.(Citation: FireEye + APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted + data, adversaries may attempt to affect a business process, organizational + understanding, and decision making. \n\nManipulation may be possible over + a network connection or between system processes where there is an opportunity + deploy a tool that will intercept and change information. The type of modification + and the impact it will have depends on the target transmission mechanism as + well as the goals and objectives of the adversary. For complex systems, an + adversary would likely need special expertise and possibly access to specialized + software related to the system that would typically be gained through a prolonged + information gathering campaign in order to have the desired impact." + id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8 + x_mitre_platforms: + - Linux + - macOS + - Windows + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + x_mitre_impact_type: + - Integrity + type: attack-pattern + x_mitre_detection: Detecting the manipulation of data as at passes over a network + can be difficult without the appropriate tools. In some cases integrity verification + checks, such as file hashing, may be used on critical files as they transit + a network. With some critical processes involving transmission of data, manual + or out-of-band integrity checking may be useful for identifying manipulated + data. 
+ created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + created: '2019-04-09T16:08:20.824Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: impact + external_references: + - source_name: mitre-attack + external_id: T1493 + url: https://attack.mitre.org/techniques/T1493 + - source_name: FireEye APT38 Oct 2018 + description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved + November 6, 2018.' + url: https://content.fireeye.com/apt/rpt-apt38 + - description: Department of Justice. (2018, September 6). Criminal Complaint + - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. + source_name: DOJ Lazarus Sony 2018 + url: https://www.justice.gov/opa/press-release/file/1092091/download + modified: '2019-06-20T16:56:29.277Z' + atomic_tests: [] T1490: technique: x_mitre_data_sources: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 077bc0c5..e4dfa199 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -40,7 +40,7 @@ - [T1100 Web Shell](./T1100/T1100.md) # impact -- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 012c5384..8ac03ba0 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md 
@@ -57,7 +57,7 @@ - [T1100 Web Shell](./T1100/T1100.md) # impact -- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 45cc0d8a..806462c8 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -295,7 +295,9 @@ - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] # impact -- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1531 Account Access Removal](./T1531/T1531.md) + - Atomic Test #1: Change User Password - Windows [windows] + - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]