From ac176d65361bc3e76dfa461495cb73b6d4d86196 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 5 Nov 2019 12:14:00 -0500
Subject: [PATCH] T1531 Account Access Removal Tests (#598)

---
 atomics/T1531/T1531.yaml | 51 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 atomics/T1531/T1531.yaml

diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml
new file mode 100644
index 00000000..0208f2bf
--- /dev/null
+++ b/atomics/T1531/T1531.yaml
@@ -0,0 +1,51 @@
+---
+attack_technique: T1531
+display_name: Account Access Removal
+
+atomic_tests:
+- name: Change User Password - Windows
+  description: |
+    Changes the user password to hinder access attempts. Seen in use by LockerGoga.
+
+  supported_platforms:
+  - windows
+
+  input_arguments:
+    user_account:
+      description: User account whose password will be changed.
+      type: string
+      default: Administrator
+    new_password:
+      description: New password for the specified account.
+      type: string
+      default: HuHuHUHoHo283283@dJD
+
+  executor:
+    name: command_prompt
+    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
+    prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's
+      net.exe user #{user_account}
+    command: | # these are the actaul attack commands, at least one command must be provided
+      net.exe user #{user_account} #{new_password}
+
+- name: Delete User - Windows
+  description: |
+    Deletes a user account to prevent access.
+
+  supported_platforms:
+  - windows
+
+  input_arguments:
+    user_account:
+      description: User account to be deleted.
+      type: string
+      default: AtomicUser
+
+  executor:
+    name: command_prompt
+    elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
+    prereq_command: | # for the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success. You can remove the prereq_command section if there are no pre-req's
+      net.exe user #{user_account} /add
+      net.exe user #{user_account} P@$$w0rd
+    command: | # these are the actaul attack commands, at least one command must be provided
+      net.exe user #{user_account} /delete
\ No newline at end of file
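Review bot: `default: Administrator` on the first test's `user_account` argument means a default run changes the password of the host's built-in Administrator account, and neither test defines a `cleanup_command`, so nothing restores the original state once the test has run. A throwaway account such as the `AtomicUser` default the second test already uses, created in `prereq_command` the same way that test does and removed again in a `cleanup_command`, would keep the test self-contained and reversible; the existing `net.exe user #{user_account}` existence check then becomes the `/add`. The inline comments on `command:` in both tests misspell "actual" as `actaul`. The lines below show the first test's changed argument and executor entries with the long schema comments elided.

```yaml
    user_account:
      description: User account whose password will be changed.
      type: string
      default: AtomicUser
# … unchanged: new_password argument, executor name and elevation_required …
    prereq_command: |
      net.exe user #{user_account} /add
    command: |
      net.exe user #{user_account} #{new_password}
    cleanup_command: |
      net.exe user #{user_account} /delete
```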