attack_technique: T1531
display_name: Account Access Removal
atomic_tests:
- name: Change User Password - Windows
  auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
  description: |
    Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
    the password "HuHuHUHoHo283283".
  supported_platforms:
  - windows
  input_arguments:
    user_account:
      description: User account whose password will be changed.
      type: string
      default: AtomicAdministrator
    new_user_password:
      description: Password to use if user account must be created first
      type: string
      default: User2ChangePW!
    new_password:
      description: New password for the specified account.
      type: string
      default: HuHuHUHoHo283283@dJD
  executor:
    command: |
      net user #{user_account} #{new_user_password} /add
      net.exe user #{user_account} #{new_password}
    cleanup_command: |
      net.exe user #{user_account} /delete >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Delete User - Windows
  auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5
  description: |
    Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
  supported_platforms:
  - windows
  input_arguments:
    new_user_password:
      description: Password to use if user account must be created first
      type: string
      default: User2DeletePW!
    user_account:
      description: User account to be deleted.
      type: string
      default: AtomicUser
  executor:
    command: |
      net user #{user_account} #{new_user_password} /add
      net.exe user #{user_account} /delete
    name: command_prompt
    elevation_required: true
- name: Remove Account From Domain Admin Group
  auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947
  description: |
    This test will remove an account from the domain admins group
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Requires the Active Directory module for powershell to be installed.
    prereq_command: |
      if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
    get_prereq_command: |
      Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
  input_arguments:
    super_user:
      description: Account used to run the execution command (must include domain).
      type: string
      default: 'domain\super_user'
    super_pass:
      description: super_user account password.
      type: string
      default: "password"
    remove_user:
      description: Account to remove from domain admins.
      type: string
      default: "remove_user"
  executor:
    command: |
      $PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
      if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
        Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
      } else{
          write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
      }
    name: powershell
    elevation_required: false
- name: Change User Password via passwd
  auto_generated_guid: 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6
  description: |
    This test changes the user password to hinder access to the account using passwd utility.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    user_account:
      description: User account whose password will be changed.
      type: string
      default: ARTUser
  executor:
    command: |
      passwd #{user_account} #enter admin password > enter new password > confirm new password
    name: sh
    elevation_required: true
- name: Delete User via dscl utility
  auto_generated_guid: 4d938c43-2fe8-4d70-a5b3-5bf239aa7846
  description: |
    This test deletes the user account using the dscl utility.
  supported_platforms:
  - macos
  input_arguments:
    user_account:
      description: User account which will be deleted.
      type: string
      default: ARTUser
    user_password:
      description: User password.
      type: string
      default: ARTPassword
  executor:
    command: |
      dscl . -delete /Users/#{user_account} #enter admin password
    cleanup_command: |
      dscl . -create /Users/#{user_account} #enter admin password
      dscl . -create /Users/#{user_account} UserShell /bin/bash
      dscl . -create /Users/#{user_account} UniqueID 503
      dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
      dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
    name: sh
    elevation_required: true
- name: Delete User via sysadminctl utility
  auto_generated_guid: d3812c4e-30ee-466a-a0aa-07e355b561d6
  description: |
    This test deletes the user account using the sysadminctl utility.
  supported_platforms:
  - macos
  input_arguments:
    user_account:
      description: User account which will be deleted.
      type: string
      default: ARTUserAccount
    user_name:
      description: New user name.
      type: string
      default: ARTUser
    user_password:
      description: New user password.
      type: string
      default: ARTPassword
  executor:
    command: |
      sysadminctl -deleteUser #{user_account} #enter admin password
    cleanup_command: |
      sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
    name: sh
    elevation_required: true
- name: Azure AD - Delete user via Azure AD PowerShell
  auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
  description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
  supported_platforms:
  - azure-ad
  input_arguments:
    userprincipalname:
      description: User principal name (UPN) for the Azure user being deleted
      type: string
      default: "atomicredteam@yourdomain.com"
  dependency_executor_name: powershell
  dependencies:
  - description: Check if AzureAD PowerShell module is installed
    prereq_command: Get-InstalledModule -Name AzureAD
    get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
  - description: Check if AzureAD PowerShell module is installed
    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
  executor:
    command: |-
      Connect-AzureAD
      $userprincipalname = "#{userprincipalname}"
      Remove-AzureADUser -ObjectId $userprincipalname
    cleanup_command: N/A
    name: powershell
- name: Azure AD - Delete user via Azure CLI
  auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0
  description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
  supported_platforms:
  - azure-ad
  input_arguments:
    userprincipalname:
      description: User principal name (UPN) for the Azure user being deleted
      type: string
      default: "atomicredteam@yourdomain.com"
  dependency_executor_name: powershell
  dependencies:
  - description: Check if Azure CLI is installed and install manually
    prereq_command: az account list
    get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
  - description: Check if Azure CLI is installed and install via PowerShell
    prereq_command: az account list
    get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
  - description: Update the userprincipalname to meet your requirements
    prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
    get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
  executor:
    command: |-
      az login
      $userprincipalname = "#{userprincipalname}"
      az ad user delete --id $userprincipalname
    cleanup_command: N/A
    name: powershell