From eccacb66b47900aa30a778705c3283c786fa23d5 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 26 Oct 2020 04:12:11 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=oscd
---
 atomics/Indexes/Indexes-CSV/index.csv | 3 +-
 atomics/Indexes/Indexes-CSV/macos-index.csv | 3 +-
 atomics/Indexes/Indexes-Markdown/index.md | 3 +-
 .../Indexes/Indexes-Markdown/macos-index.md | 3 +-
 atomics/Indexes/index.yaml | 26 +++++++++++-
 atomics/T1564.002/T1564.002.md | 41 +++++++++++++++++--
 atomics/T1564.002/T1564.002.yaml | 1 +
 atomics/used_guids.txt | 1 +
 8 files changed, 72 insertions(+), 9 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index c2af2035..5769344d 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -305,7 +305,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden F
 defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
 defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
-defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
 defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index bbb3b066..2668978b 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -63,7 +63,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb909
 defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
 defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
-defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
+defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
 defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index accc98d5..2d5ef521 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -592,7 +592,8 @@
 - Atomic Test #6: Hide a Directory [macos]
 - Atomic Test #7: Show all hidden files [macos]
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- - Atomic Test #1: Hidden Users [macos]
+ - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
+ - Atomic Test #2: Create Hidden User using IsHidden option [macos]
 - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
 - Atomic Test #1: Hidden Window [windows]
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 76149e4d..971550db 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -159,7 +159,8 @@
 - Atomic Test #6: Hide a Directory [macos]
 - Atomic Test #7: Show all hidden files [macos]
 - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- - Atomic Test #1: Hidden Users [macos]
+ - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
+ - Atomic Test #2: Create Hidden User using IsHidden option [macos]
 - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index fb56af56..f8a8d228 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -26259,9 +26259,10 @@ defense-evasion:
 - macOS
 identifier: T1564.002
 atomic_tests:
- - name: Hidden Users
+ - name: Create Hidden User using UniqueID < 500
 auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
- description: 'Add a hidden user on MacOS
+ description: 'Add a hidden user on macOS using Unique ID < 500 (users with that
+ ID are hidden by default)
 
 '
 supported_platforms:
@@ -26277,6 +26278,27 @@ defense-evasion:
 '
 cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
 
+'
+ elevation_required: true
+ name: sh
+ - name: Create Hidden User using IsHidden option
+ auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
+ description: 'Add a hidden user on macOS using IsHidden optoin
+
+'
+ supported_platforms:
+ - macos
+ input_arguments:
+ user_name:
+ description: username to add
+ type: string
+ default: APT
+ executor:
+ command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1
+
+'
+ cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
+
 '
 elevation_required: true
 name: sh
diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md
index 813905a4..360f5d27 100644
--- a/atomics/T1564.002/T1564.002.md
+++ b/atomics/T1564.002/T1564.002.md
@@ -6,13 +6,15 @@ There is a property value in /Library/Preferences/com.apple.loginwindow
-## Atomic Test #1 - Hidden Users
-Add a hidden user on MacOS
+## Atomic Test #1 - Create Hidden User using UniqueID < 500
+Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
 **Supported Platforms:** macOS
@@ -41,4 +43,37 @@ sudo dscl . -delete /Users/#{user_name}
+
+
+
+## Atomic Test #2 - Create Hidden User using IsHidden option
+Add a hidden user on macOS using IsHidden optoin
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_name | username to add | string | APT|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+sudo dscl . -create /Users/#{user_name} IsHidden 1
+```
+
+#### Cleanup Commands:
+```sh
+sudo dscl . -delete /Users/#{user_name}
+```
+
+
+
+
+
diff --git a/atomics/T1564.002/T1564.002.yaml b/atomics/T1564.002/T1564.002.yaml
index 29c295e0..af44fdff 100644
--- a/atomics/T1564.002/T1564.002.yaml
+++ b/atomics/T1564.002/T1564.002.yaml
@@ -20,6 +20,7 @@ atomic_tests:
 elevation_required: true
 name: sh
 - name: Create Hidden User using IsHidden option
+ auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
 description: |
 Add a hidden user on macOS using IsHidden optoin
 supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index aba0c5ed..66e89d2d 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -585,3 +585,4 @@ dc7726d2-8ccb-4cc6-af22-0d5afb53a548
 3c898f62-626c-47d5-aad2-6de873d69153
 cf3391e0-b482-4b02-87fc-ca8362269b29
 c3e35b58-fe1c-480b-b540-7600fb612563
+de87ed7b-52c3-43fd-9554-730f695e7f31