security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-05-26 20:46:19 +00:00
parent bafcc36958
commit 35fa10287e
9 changed files with 1340 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+7
View File
@@ -943,6 +943,13 @@ persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in su
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
persistence,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
persistence,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
943 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
944 persistence T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
945 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
946 persistence T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
947 persistence T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
948 persistence T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
949 persistence T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
950 persistence T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
951 persistence T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
952 persistence T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
953 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
954 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
955 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
atomics/Indexes/Indexes-CSV/windows-index.csv
+7
View File
@@ -659,6 +659,13 @@ persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Sta
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
persistence,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
persistence,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
659 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
660 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
661 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
662 persistence T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
663 persistence T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
664 persistence T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
665 persistence T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
666 persistence T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
667 persistence T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
668 persistence T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
669 persistence T1505.004 IIS Components 1 Install IIS Module using AppCmd.exe 53adbdfa-8200-490c-871c-d3b1ab3324b2 command_prompt
670 persistence T1505.004 IIS Components 2 Install IIS Module using PowerShell Cmdlet New-WebGlobalModule cc3381fb-4bd0-405c-a8e4-6cacfac3b06c powershell
671 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
atomics/Indexes/Indexes-Markdown/index.md
+7
View File
@@ -1475,6 +1475,13 @@
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: Azure AD - adding permission to application [azure-ad]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- Atomic Test #10: Domain Password Policy Check: Short Password [windows]
- Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
- Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
- Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
- Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
- Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
- Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
atomics/Indexes/Indexes-Markdown/windows-index.md
+7
View File
@@ -1052,6 +1052,13 @@
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- Atomic Test #10: Domain Password Policy Check: Short Password [windows]
- Atomic Test #11: Domain Password Policy Check: No Number in Password [windows]
- Atomic Test #12: Domain Password Policy Check: No Special Character in Password [windows]
- Atomic Test #13: Domain Password Policy Check: No Uppercase Character in Password [windows]
- Atomic Test #14: Domain Password Policy Check: No Lowercase Character in Password [windows]
- Atomic Test #15: Domain Password Policy Check: Only Two Character Classes [windows]
- Atomic Test #16: Domain Password Policy Check: Common Password Use [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+382
View File
@@ -64970,6 +64970,388 @@ persistence:
"q" "q"
'
- name: 'Domain Password Policy Check: Short Password'
auto_generated_guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
description: |
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default value
is 7 characters)
type: string
default: Uplow-1
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Number in Password'
auto_generated_guid: 68190529-069b-4ffc-a942-919704158065
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and special character but no number)
type: string
default: UpperLowerLong-special
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Special Character in Password'
auto_generated_guid: 7d984ef2-2db2-4cec-b090-e637e1698f61
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and number but no special character)
type: string
default: UpperLowerLong333noSpecialChar
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Uppercase Character in Password'
auto_generated_guid: b299c120-44a7-4d68-b8e2-8ba5a28511ec
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and lower case and special character and number but no uppercase)
type: string
default: lower-long-special-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Lowercase Character in Password'
auto_generated_guid: 945da11e-977e-4dab-85d2-f394d03c5887
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and upper case and special character and number but no lowercase)
type: string
default: UPPER-LONG-SPECIAL-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Only Two Character Classes'
auto_generated_guid: 784d1349-5a26-4d20-af5e-d6af53bae460
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default has
only upper and lower case characters)
type: string
default: onlyUPandLowChars
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Common Password Use'
auto_generated_guid: 81959d03-c51f-49a1-bb24-23f1ec885578
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
Season and current year combo)
type: string
default: Spring$((Get-Date).Year)!
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
T1547.006:
technique:
x_mitre_platforms:
atomics/Indexes/windows-index.yaml
+382
View File
@@ -56815,6 +56815,388 @@ persistence:
"q" "q"
'
- name: 'Domain Password Policy Check: Short Password'
auto_generated_guid: fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
description: |
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default value
is 7 characters)
type: string
default: Uplow-1
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Number in Password'
auto_generated_guid: 68190529-069b-4ffc-a942-919704158065
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and special character but no number)
type: string
default: UpperLowerLong-special
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Special Character in Password'
auto_generated_guid: 7d984ef2-2db2-4cec-b090-e637e1698f61
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has upper and lower case and number but no special character)
type: string
default: UpperLowerLong333noSpecialChar
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Uppercase Character in Password'
auto_generated_guid: b299c120-44a7-4d68-b8e2-8ba5a28511ec
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and lower case and special character and number but no uppercase)
type: string
default: lower-long-special-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: No Lowercase Character in Password'
auto_generated_guid: 945da11e-977e-4dab-85d2-f394d03c5887
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
long and has and upper case and special character and number but no lowercase)
type: string
default: UPPER-LONG-SPECIAL-333
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Only Two Character Classes'
auto_generated_guid: 784d1349-5a26-4d20-af5e-d6af53bae460
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default has
only upper and lower case characters)
type: string
default: onlyUPandLowChars
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
- name: 'Domain Password Policy Check: Common Password Use'
auto_generated_guid: 81959d03-c51f-49a1-bb24-23f1ec885578
description: "Attempt to change the password of the current domain user in order
to check password policy. Ideally, you would only run this atomic test to
verify that your password policy is blocking the use of the new password.\nIf
the password is succesfully changed to the new password, the credential file
will be updated to reflect the new password. You can then run the atomic manually
and specify a new password of your choosing, however the\npassword policy
will likely prevent you from setting the password back to what it was. \n"
supported_platforms:
- windows
input_arguments:
new_password:
description: The password to set for the current domain user (default is
Season and current year combo)
type: string
default: Spring$((Get-Date).Year)!
cred_file:
description: A file containing the password of the current user
type: path
default: "$env:LOCALAPPDATA\\AtomicRedTeam\\$env:USERNAME.txt"
dependencies:
- description: 'Password for current user must be stored in a credential file
'
prereq_command: 'if (Test-Path #{cred_file}) {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
executor:
name: powershell
elevation_required: true
command: "$credFile = \"#{cred_file}\"\nif (Test-Path $credFile) {\n $cred
= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList
$env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)\n if($cred.GetNetworkCredential().Password
-eq \"#{new_password}\"){\n Write-Host -ForegroundColor Yellow \"The
new password is the same as the password stored in the credential file.
Please specify a different new password.\"; exit -1\n }\n try {\n
\ $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText
-Force\n Set-ADAccountPassword -Identity $env:USERNAME -OldPassword
$cred.password -NewPassword $newPassword\n }\n catch { \n $_.Exception\n
\ $errCode = $_.Exception.ErrorCode\n Write-Host \"Error code:
$errCode\"\n if ($errCode -eq 86) {\n Write-Host -ForegroundColor
Yellow \"The stored password for the current user is incorrect. Please run
the prereq commands to set the correct credentials\"\n Remove-Item
$credFile\n }\n exit $errCode\n }\n Write-Host -ForegroundColor
Cyan \"Successfully changed the password to #{new_password}\"\n $newCred
= New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString
\"#{new_password}\" -AsPlainText -Force))\n $newCred.Password | ConvertFrom-SecureString
| Out-File $credFile\n}\nelse {\n Write-Host -ForegroundColor Yellow
\"You must store the password of the current user by running the prerequisite
commands first\"\n}\n"
T1547.006:
technique:
x_mitre_platforms:
atomics/T1098/T1098.md
+546
View File
@@ -24,6 +24,20 @@ In order to create or manipulate accounts, the adversary must already have suffi
- [Atomic Test #9 - Password Change on Directory Service Restore Mode (DSRM) Account](#atomic-test-9---password-change-on-directory-service-restore-mode-dsrm-account)
- [Atomic Test #10 - Domain Password Policy Check: Short Password](#atomic-test-10---domain-password-policy-check-short-password)
- [Atomic Test #11 - Domain Password Policy Check: No Number in Password](#atomic-test-11---domain-password-policy-check-no-number-in-password)
- [Atomic Test #12 - Domain Password Policy Check: No Special Character in Password](#atomic-test-12---domain-password-policy-check-no-special-character-in-password)
- [Atomic Test #13 - Domain Password Policy Check: No Uppercase Character in Password](#atomic-test-13---domain-password-policy-check-no-uppercase-character-in-password)
- [Atomic Test #14 - Domain Password Policy Check: No Lowercase Character in Password](#atomic-test-14---domain-password-policy-check-no-lowercase-character-in-password)
- [Atomic Test #15 - Domain Password Policy Check: Only Two Character Classes](#atomic-test-15---domain-password-policy-check-only-two-character-classes)
- [Atomic Test #16 - Domain Password Policy Check: Common Password Use](#atomic-test-16---domain-password-policy-check-common-password-use)
<br/>
@@ -707,4 +721,536 @@ ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"
<br/>
<br/>
## Atomic Test #10 - Domain Password Policy Check: Short Password
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** fc5f9414-bd67-4f5f-a08e-e5381e29cbd1
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default value is 7 characters) | string | Uplow-1|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #11 - Domain Password Policy Check: No Number in Password
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** 68190529-069b-4ffc-a942-919704158065
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default is long and has upper and lower case and special character but no number) | string | UpperLowerLong-special|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #12 - Domain Password Policy Check: No Special Character in Password
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** 7d984ef2-2db2-4cec-b090-e637e1698f61
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default is long and has upper and lower case and number but no special character) | string | UpperLowerLong333noSpecialChar|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #13 - Domain Password Policy Check: No Uppercase Character in Password
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** b299c120-44a7-4d68-b8e2-8ba5a28511ec
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default is long and has and lower case and special character and number but no uppercase) | string | lower-long-special-333|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #14 - Domain Password Policy Check: No Lowercase Character in Password
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** 945da11e-977e-4dab-85d2-f394d03c5887
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default is long and has and upper case and special character and number but no lowercase) | string | UPPER-LONG-SPECIAL-333|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #15 - Domain Password Policy Check: Only Two Character Classes
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** 784d1349-5a26-4d20-af5e-d6af53bae460
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default has only upper and lower case characters) | string | onlyUPandLowChars|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>
<br/>
## Atomic Test #16 - Domain Password Policy Check: Common Password Use
Attempt to change the password of the current domain user in order to check password policy. Ideally, you would only run this atomic test to verify that your password policy is blocking the use of the new password.
If the password is succesfully changed to the new password, the credential file will be updated to reflect the new password. You can then run the atomic manually and specify a new password of your choosing, however the
password policy will likely prevent you from setting the password back to what it was.
**Supported Platforms:** Windows
**auto_generated_guid:** 81959d03-c51f-49a1-bb24-23f1ec885578
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_password | The password to set for the current domain user (default is Season and current year combo) | string | Spring$((Get-Date).Year)!|
| cred_file | A file containing the password of the current user | path | $env:LOCALAPPDATA&#92;AtomicRedTeam&#92;$env:USERNAME.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$credFile = "#{cred_file}"
if (Test-Path $credFile) {
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
}
try {
$newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
}
catch {
$_.Exception
$errCode = $_.Exception.ErrorCode
Write-Host "Error code: $errCode"
if ($errCode -eq 86) {
Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
Remove-Item $credFile
}
exit $errCode
}
Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
$newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
$newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}
```
#### Dependencies: Run with `powershell`!
##### Description: Password for current user must be stored in a credential file
##### Check Prereq Commands:
```powershell
if (Test-Path #{cred_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{cred_file}") -ErrorAction Ignore | Out-Null
$cred = Get-Credential -UserName $env:USERNAME -message "Enter password for $env:USERNAME to use during password change attempt"
$cred.Password | ConvertFrom-SecureString | Out-File "#{cred_file}"
```
<br/>