From 57b1728731ab8b3fb5c8d02545fe48dcc8bc48df Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 11 Feb 2021 14:18:38 -0300
Subject: [PATCH] Update T1136.002.yaml (#1384)
* Update T1136.002.yaml
* Adds default values, remove guid
* remove auto_generated_guid line
Co-authored-by: Carrie Roberts
---
 atomics/T1136.002/T1136.002.yaml | 33 ++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml
index 39ed1c3f..b8a9a7a3 100644
--- a/atomics/T1136.002/T1136.002.yaml
+++ b/atomics/T1136.002/T1136.002.yaml
@@ -50,3 +50,36 @@ atomic_tests:
 net user "#{username}" >nul 2>&1 /del /domain
 name: command_prompt
 elevation_required: false # Requires a user to be a Domain Admin!
+- name: Create a new Domain Account using PowerShell
+ description: |
+ Creates a new Domain User using the credentials of the Current User
+ supported_platforms:
+ - windows
+ input_arguments:
+ username:
+ description: "Name of the Account to be created"
+ type: String
+ default: T1136.002_Admin
+ password:
+ description: "Password of the Account to be created"
+ type: String
+ default: T1136_pass123!
+ executor:
+ command: |
+ $SamAccountName = '#{username}'
+ $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
+ Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
+ $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
+ $User.SamAccountName = $SamAccountName
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
+ $User.Enabled = $True
+ $User.PasswordNotRequired = $False
+ $User.DisplayName = $SamAccountName
+ $User.Save()
+ $User
+ cleanup_command: |
+ net user "#{username}" >nul 2>&1 /del /domain
+ name: powershell
+ elevation_required: false # Requires a user to be a Domain Admin!
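Review bot: The executor round-trips the password through a SecureString only to extract it again as plaintext — `ConvertTo-SecureString '#{password}' -AsPlainText -Force`, then `New-Object System.Management.Automation.PSCredential('a', $AccountPassword)` and `.GetNetworkCredential().Password` — while `UserPrincipal.SetPassword` accepts a plain string, so those three lines collapse to `$User.SetPassword('#{password}')` with `$AccountPassword` and `$TempCred` dropped; the SecureString adds no protection here because the literal is already expanded into the script text. The `cleanup_command` appears carried over from the preceding command_prompt test, but under `name: powershell` the `>nul 2>&1` tokens are parsed as PowerShell redirections rather than cmd.exe ones; the idiomatic form is `net user "#{username}" /del /domain *> $null`, and whether `>nul` behaves as intended in PowerShell should be confirmed on a Windows host. The test leaves an enabled domain account with the static default password `T1136_pass123!` until cleanup runs, which is worth stating in `description` so operators know to run cleanup promptly or override the default. The enclosing `atomic_tests:` sequence begins before this hunk.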