From b4c10e2fa8193ef21c9eb36fe74689346e57e901 Mon Sep 17 00:00:00 2001
From: DS <31036535+security-geek@users.noreply.github.com>
Date: Thu, 12 Aug 2021 12:27:45 +1000
Subject: [PATCH 1/3] Update T1078.001.yaml (#1589)
---
 atomics/T1078.001/T1078.001.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/atomics/T1078.001/T1078.001.yaml b/atomics/T1078.001/T1078.001.yaml
index 3fe801b2..fb3d2230 100644
--- a/atomics/T1078.001/T1078.001.yaml
+++ b/atomics/T1078.001/T1078.001.yaml
@@ -38,3 +38,19 @@ atomic_tests:
 if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
+
+- name: Activate Guest Account
+ description: |
+ The Adversaries can activate the default Guest user. The guest account is inactivated by default
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ net user guest /active:yes
+ cleanup_command: |
+ net user guest /active:no
+ name: command_prompt
+ elevation_required: true
+
+
+
From d981e845fd3702cb703d3ec7756d2ab284945a7b Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team GUID generator
Date: Thu, 12 Aug 2021 02:28:06 +0000
Subject: [PATCH 2/3] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/T1078.001/T1078.001.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)
diff --git a/atomics/T1078.001/T1078.001.yaml b/atomics/T1078.001/T1078.001.yaml
index fb3d2230..a5e8ad5d 100644
--- a/atomics/T1078.001/T1078.001.yaml
+++ b/atomics/T1078.001/T1078.001.yaml
@@ -40,6 +40,7 @@ atomic_tests: elevation_required: true - name: Activate Guest Account + auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda description: | The Adversaries can activate the default Guest user. The guest account is inactivated by default supported_platforms:
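Review bot: The `description` of the new `Activate Guest Account` test in atomics/T1078.001/T1078.001.yaml (patch 1/3) does not say what state the host is left in or what a defender should expect to observe, and its wording is rough. Something like `Adversaries can activate the built-in Guest account, which is disabled by default. Upon execution the account is enabled; with account-management auditing on, expect Security event 4722 and a net.exe/net1.exe process creation.` would make the test usable for validating detections. The `cleanup_command` always runs `net user guest /active:no`, so on a host where Guest was already enabled before the test the cleanup changes the baseline instead of restoring it; one sentence in the description stating this would be enough. The three empty `+` lines that close the hunk only add trailing blank lines to the file and can be dropped. The enclosing `atomic_tests` list begins outside the hunk.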
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 04ced245..aa96fbf8 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -761,3 +761,4 @@ c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 441b1a0f-a771-428a-8af0-e99e4698cda3 eeb9751a-d598-42d3-b11c-c122d9c3f6c7 9d77fed7-05f8-476e-a81b-8ff0472c64d0 +aa6cb8c4-b582-4f8e-b677-37733914abda From 370062439e856327c4be72afbd5834438092433f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 12 Aug 2021 02:28:11 +0000 Subject: [PATCH 3/3] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 4 ++ atomics/Indexes/Indexes-CSV/windows-index.csv | 4 ++ atomics/Indexes/Indexes-Markdown/index.md | 4 ++ .../Indexes/Indexes-Markdown/windows-index.md | 4 ++ atomics/Indexes/index.yaml | 68 +++++++++++++++++++ atomics/T1078.001/T1078.001.md | 34 ++++++++++ 6 files changed, 118 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e9380dbe..2b76f2d9 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -144,6 +144,7 @@ privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/cront privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell 
@@ -268,6 +269,7 @@ defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh 
@@ -544,6 +546,7 @@ persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ fold persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell 
@@ -914,6 +917,7 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 3a96f7e7..79e806ce 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -98,6 +98,7 @@ privilege-escalation,T1546.001,Change Default File Association,1,Change Default privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt 
@@ -181,6 +182,7 @@ defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell 
@@ -371,6 +373,7 @@ persistence,T1546.001,Change Default File Association,1,Change Default File Asso persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell 
@@ -627,6 +630,7 @@ lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Man lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 12dbc257..68898e7c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -264,6 +264,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -488,6 +489,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] @@ -928,6 +930,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - [T1136.002 Domain Account](../../T1136.002/T1136.002.md) - Atomic Test #1: Create a new Windows domain admin user [windows] - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] @@ -1660,6 +1663,7 @@ - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a3558cd7..d0f286c9 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -199,6 +199,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -352,6 +353,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md) - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows] - Atomic Test #2: Certutil Rename and Decode [windows] @@ -666,6 +668,7 @@ - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - [T1136.002 Domain Account](../../T1136.002/T1136.002.md) - Atomic Test #1: Create a new Windows domain admin user [windows] - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] 
@@ -1151,6 +1154,7 @@ - T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1078.001 Default Accounts](../../T1078.001/T1078.001.md) - Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows] + - Atomic Test #2: Activate Guest Account [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4cfe28ae..a7d4214d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -11730,6 +11730,23 @@ privilege-escalation: if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true + - name: Activate Guest Account + auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda + description: 'The Adversaries can activate the default Guest user. The guest + account is inactivated by default + +' + supported_platforms: + - windows + executor: + command: 'net user guest /active:yes + +' + cleanup_command: 'net user guest /active:no + +' + name: command_prompt + elevation_required: true T1078.002: technique: external_references: 
@@ -21955,6 +21972,23 @@ defense-evasion: if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true + - name: Activate Guest Account + auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda + description: 'The Adversaries can activate the default Guest user. The guest + account is inactivated by default + +' + supported_platforms: + - windows + executor: + command: 'net user guest /active:yes + +' + cleanup_command: 'net user guest /active:no + +' + name: command_prompt + elevation_required: true T1578.003: technique: external_references: @@ -40439,6 +40473,23 @@ persistence: if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true + - name: Activate Guest Account + auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda + description: 'The Adversaries can activate the default Guest user. The guest + account is inactivated by default + +' + supported_platforms: + - windows + executor: + command: 'net user guest /active:yes + +' + cleanup_command: 'net user guest /active:no + +' + name: command_prompt + elevation_required: true T1136.002: technique: created: '2020-01-28T14:05:17.825Z' 
@@ -68890,6 +68941,23 @@ initial-access: if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true + - name: Activate Guest Account + auto_generated_guid: aa6cb8c4-b582-4f8e-b677-37733914abda + description: 'The Adversaries can activate the default Guest user. The guest + account is inactivated by default + +' + supported_platforms: + - windows + executor: + command: 'net user guest /active:yes + +' + cleanup_command: 'net user guest /active:no + +' + name: command_prompt + elevation_required: true T1078.002: technique: external_references: diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 250f7d3f..e8586c71 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -8,6 +8,8 @@ Default accounts are not limited to client machines, rather also include account - [Atomic Test #1 - Enable Guest account with RDP capability and admin privileges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-privileges) +- [Atomic Test #2 - Activate Guest Account](#atomic-test-2---activate-guest-account) +
@@ -58,4 +60,36 @@ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentCon +
+
+ +## Atomic Test #2 - Activate Guest Account +The Adversaries can activate the default Guest user. The guest account is inactivated by default + +**Supported Platforms:** Windows + + +**auto_generated_guid:** aa6cb8c4-b582-4f8e-b677-37733914abda + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +net user guest /active:yes +``` + +#### Cleanup Commands: +```cmd +net user guest /active:no +``` + + + + +