diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index ecf12813..075a05dd 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -11430,9 +11430,9 @@ privilege-escalation:
 atomic_tests:
 - name: Enable Guest account with RDP capability and admin priviliges
 auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
 supported_platforms:
 - windows
 input_arguments:
@@ -11444,6 +11444,10 @@ privilege-escalation:
 description: Specify the guest password
 type: String
 default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
 executor:
 command: |-
 net user #{guest_user} /active:yes 
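Review bot: `description: |` is a literal block scalar with clip chomping, so the value now ends in a newline and carries a hard line break after "Group," that the previous folded plain scalar did not have; `description: >-` would keep the text as one reflowed sentence with no trailing newline, consistent with the `|-` chomping this file already uses for `command:`. The identical change recurs at @@ -21649, @@ -39427 and @@ -67406. If index.yaml is regenerated from the technique's source yaml (the sibling of atomics/T1078.001/T1078.001.md) as I would expect, the scalar style needs fixing there, and that file is not part of this diff.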
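Review bot: `default: 0` for the new `remove_rdp_access_during_cleanup` argument makes the cleanup skip the `reg delete` of the Terminal Server values unless the operator opts in, so a plain run of this test leaves Remote Desktop enabled on the host after cleanup with only an echoed note to say so. As far as I can tell cleanup in this framework is expected to undo what the attack commands did, so I would invert the default to `default: 1` and let operators who want to keep RDP opt out, or at minimum state the residual exposure in the test description above. The argument description should also name the effect rather than the intent: `description: Set to 1 to have cleanup remove the RDP registry values added by the test (0 leaves RDP enabled)`. The same argument block recurs at @@ -21663, @@ -39441 and @@ -67420.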
@@ -11456,8 +11460,9 @@ privilege-escalation:
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
 T1078.002:
@@ -21649,9 +21654,9 @@ defense-evasion:
 atomic_tests:
 - name: Enable Guest account with RDP capability and admin priviliges
 auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
 supported_platforms:
 - windows
 input_arguments:
@@ -21663,6 +21668,10 @@ defense-evasion:
 description: Specify the guest password
 type: String
 default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
 executor:
 command: |-
 net user #{guest_user} /active:yes 
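Review bot: The three new `if #{remove_rdp_access_during_cleanup} ... (` lines splice the argument in unquoted, so if it is supplied empty or as a non-numeric string cmd sees `if  NEQ 1 (` and rejects the line with a parse error, which in a batch file typically ends the cleanup before either `reg delete` runs. A string comparison is robust to that, e.g. `if "#{remove_rdp_access_during_cleanup}"=="1" (`, and the two `reg delete` lines could then sit in one block so the condition is evaluated once. Note also that when the branch does run it deletes `fDenyTSConnections` rather than restoring whatever value was there before the attack side presumably overwrote it with `reg add`, so even an opt-in cleanup does not return the host to its pre-test RDP setting; that is worth a sentence in the test description. The enclosing cleanup block starts outside this hunk, and the same change recurs at @@ -21675, @@ -39453 and @@ -67432.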
@@ -21675,8 +21684,9 @@ defense-evasion:
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
 T1578.003:
@@ -39427,9 +39437,9 @@ persistence:
 atomic_tests:
 - name: Enable Guest account with RDP capability and admin priviliges
 auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
 supported_platforms:
 - windows
 input_arguments:
@@ -39441,6 +39451,10 @@ persistence:
 description: Specify the guest password
 type: String
 default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
 executor:
 command: |-
 net user #{guest_user} /active:yes 
@@ -39453,8 +39467,9 @@ persistence:
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
 T1136.002:
@@ -67406,9 +67421,9 @@ initial-access:
 atomic_tests:
 - name: Enable Guest account with RDP capability and admin priviliges
 auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
 supported_platforms:
 - windows
 input_arguments:
@@ -67420,6 +67435,10 @@ initial-access:
 description: Specify the guest password
 type: String
 default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
 executor:
 command: |-
 net user #{guest_user} /active:yes 
@@ -67432,8 +67451,9 @@ initial-access:
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
 T1078.002:
diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md
index c2c4a3b6..4ed80952 100644
--- a/atomics/T1078.001/T1078.001.md
+++ b/atomics/T1078.001/T1078.001.md
@@ -12,7 +12,8 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
-After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
+After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+and desktop will allow multiple RDP connections.
 **Supported Platforms:** Windows
@@ -24,6 +25,7 @@ After execution the Default Guest account will be enabled (Active) and added to
 |------|-------------|------|---------------|
 | guest_user | Specify the guest account | String | guest|
 | guest_password | Specify the guest password | String | Password123!|
+| remove_rdp_access_during_cleanup | Set to 1 if you want the cleanup to remove RDP access to machine | Integer | 0|
 #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -43,8 +45,9 @@ reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConne
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 ```