From 68ec848ae80b85bc49c7ee143397a527645ae08a Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Sun, 26 Mar 2023 10:43:28 +0530
Subject: [PATCH 1/2] Update T1531.yaml

---
 atomics/T1531/T1531.yaml | 61 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml
index 99b568e0..c25ecf01 100644
--- a/atomics/T1531/T1531.yaml
+++ b/atomics/T1531/T1531.yaml
@@ -88,3 +88,64 @@ atomic_tests:
 }
 name: powershell
 elevation_required: false
+- name: Change User Password via passwd
+ description: |
+ This test changes the user password to hinder access to the account using passwd utility.
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ user_account:
+ description: User account whose password will be changed.
+ type: String
+ default: ARTUser
+ executor:
+ command: |
+ passwd #{user_account} #enter admin password > enter new password > confirm new password
+ name: command_prompt
+ elevation_required: true
+- name: Delete User via dscl utility
+ description: |
+ This test deletes the user account using the dscl utility.
+ supported_platforms:
+ - macos
+ input_arguments:
+ user_account:
+ description: User account which will be deleted.
+ type: String
+ user_password:
+ description: User password.
+ type: String
+ executor:
+ command: |
+ dscl . -delete /Users/#{user_account} #enter admin password
+ cleanup_command: |
+ dscl . -create /Users/#{user_account} #enter admin password
+ dscl . -create /Users/#{user_account} UserShell /bin/bash
+ dscl . -create /Users/#{user_account} UniqueID 503
+ dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
+ dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
+ name: command_prompt
+ elevation_required: true
+- name: Delete User via sysadminctl utility
+ description: |
+ This test deletes the user account using the sysadminctl utility.
+ supported_platforms:
+ - macos
+ input_arguments:
+ user_account:
+ description: User account which will be deleted.
+ type: String
+ user_name:
+ description: New user name.
+ type: String
+ user_password:
+ description: New user password.
+ type: String
+ executor:
+ command: |
+ sysadminctl -deleteUser #{user_account} #enter admin password
+ cleanup_command: |
+ sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
+ name: command_prompt
+ elevation_required: true

From 137a0bea8f6d4b49078a82c718b7926ac7371886 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 4 May 2023 14:02:01 -0700
Subject: [PATCH 2/2] Updated atomics after testing locally

The atomic seems to run, tested by running commands locaally!
---
 atomics/T1531/T1531.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml
index 39d108bb..af6275c7 100644
--- a/atomics/T1531/T1531.yaml
+++ b/atomics/T1531/T1531.yaml
@@ -102,7 +102,7 @@ atomic_tests:
 executor:
 command: |
 passwd #{user_account} #enter admin password > enter new password > confirm new password
- name: command_prompt
+ name: sh
 elevation_required: true
 - name: Delete User via dscl utility
 description: |
@@ -112,10 +112,12 @@ atomic_tests:
 input_arguments:
 user_account:
 description: User account which will be deleted.
- type: String
+ type: String
+ default: ARTUser
 user_password:
 description: User password.
- type: String
+ type: String
+ default: ARTPassword
 executor:
 command: |
 dscl . -delete /Users/#{user_account} #enter admin password
@@ -125,7 +127,7 @@ atomic_tests:
 dscl . -create /Users/#{user_account} UniqueID 503
 dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
 dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
- name: command_prompt
+ name: sh
 elevation_required: true
 - name: Delete User via sysadminctl utility
 description: |
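Review bot: The `passwd #{user_account}` command in the first new test's executor is interactive — it reads the new password from the terminal — so under a non-interactive executor it will block or fail rather than change the password, and the trailing `#enter admin password > enter new password > confirm new password` is a shell comment, not input. A non-interactive form needs a `new_password` input argument, e.g. `dscl . -passwd /Users/#{user_account} "#{new_password}"` on macOS (the same call this hunk already uses in the dscl cleanup) and `echo "#{user_account}:#{new_password}" | chpasswd` on Linux, selected by `uname`. The test also has no `cleanup_command` and nothing in the hunk creates `ARTUser` beforehand, so on a host where that account already exists the password change is permanent and not recoverable from the test's own data; a prerequisite that creates the account first (in whatever `dependencies` form the rest of this file uses, if any) would keep it from touching a real user.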
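Review bot: With `default: ARTUser` and `default: ARTPassword` filled in, the dscl test's cleanup (the `dscl . -create` / `dscl . -passwd` lines in the next hunk) re-creates `/Users/ARTUser` with the published password `ARTPassword` and `UserShell /bin/bash` even when `dscl . -delete` presumably failed because the account never existed, so a failed run leaves a new local account with a well-known credential on the host. Guard the cleanup on the account actually having been deleted by this test — for example `dscl . -delete /Users/#{user_account} && touch /tmp/art_t1531_deleted` in the command and `[ -f /tmp/art_t1531_deleted ] || exit 0` as the first cleanup line — or create the account in a prerequisite and drop the re-creation from cleanup altogether. The `#{user_password}` argument should also be quoted in the `-passwd` call, `dscl . -passwd /Users/#{user_account} "#{user_password}"`, so a value containing shell metacharacters cannot break out of the command.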
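Review bot: The cleanup line `dscl . -create /Users/#{user_account} UniqueID 503` that this hunk keeps as context hard-codes the UID, so if 503 is already assigned to another local account the re-created user shares that UID and therefore that user's file ownership and, in effect, its access; the re-created record also gets no `PrimaryGroupID`, which as I recall leaves the account only partly usable. At minimum check the UID is free before using it, `dscl . -search /Users UniqueID 503 | grep -q . && { echo "UID 503 already in use"; exit 1; }`, and add `dscl . -create /Users/#{user_account} PrimaryGroupID 20` for the `staff` group; picking the next unused UID rather than a fixed one would be better still. Because `dscl . -delete` removes only the directory record, `/Users/#{user_account}` stays on disk and the `NFSHomeDirectory` line points the new record back at it — presumably intended, but worth a one-line comment in the YAML.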
@@ -136,18 +138,21 @@ atomic_tests:
 user_account:
 description: User account which will be deleted.
 type: String
+ default: ARTUserAccount
 user_name:
 description: New user name.
 type: String
+ default: ARTUser
 user_password:
 description: New user password.
 type: String
+ default: ARTPassword
 executor:
 command: |
 sysadminctl -deleteUser #{user_account} #enter admin password
 cleanup_command: |
 sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
- name: command_prompt
+ name: sh
 elevation_required: true
 - name: Azure AD - Delete user via Azure AD PowerShell
 auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
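Review bot: The cleanup line `sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}` places the password on the command line, where it is visible to any local user through `ps` and ends up in shell history, and `#{user_password}` is unquoted while `#{user_name}` is; at least quote it, `-password "#{user_password}"`, and note the exposure in the description. The new `default: ARTUserAccount` also differs from the `ARTUser` default the dscl test uses for the same role, and the `user_name` / `user_password` descriptions (`New user name.`, `New user password.`) describe the account re-created by cleanup rather than the test's input, which the YAML should say — e.g. `description: Full name given to the account when cleanup re-creates it.` As I recall `sysadminctl -deleteUser` removes the home directory unless `-keepHome` is given, so unlike the dscl test the cleanup here restores the record but not the data; confirm and document that in the test description.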