security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1531/T1531.yaml
T
Josh Rickard 284886292b Atomic Red Team - JSON Schema Validation CI (#2303) 
* feat: Adding atomic-red-team JSON Schema defintions

* feat: Adding validate.py script to validate all atomics against the defined schema

* feat: Adding validate-schema GitHub Workflow action to validate on every push to the repo

* ci: Updated the validate-schema workflow to support and use Ruby instead of python

* fix: Updated schema to remove schema draft version (not necessarily needed) and update to remove elevation_required as a required defined property

* fix: Removed the yaml schema version

* docs: Adding start of README

* fix: Adding an updated/better version of the python validation but may ultimately be removed

* feat: Adding Ruby version of validate.rb script

* fix: Removing files not needed since we are changing to github action and using the new validation code

* fix: Adding the yaml schema file back and removed the json version

* docs: Updated README with documentation

* fix: Updating schema to use new format validator

* fix: Updated validate.rb to verify that the Technique IDs are in the correct format.

* fix: Upating validate.rb to raise execptions so that failures flow up to the GitHub Action workflow

* fix: Updated all tests that have input_arguments not conformaing to schema defintion for type value of path

* fix: Updating the Validaton README for typos

* fixL: Minor updates to the schema

* minor schema changes

* github actions fix

* schema changes

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: Hare Sudhan <code@0x6c.dev>
2023-05-12 15:33:47 -06:00

213 lines
8.9 KiB
YAML
Raw Permalink Blame History

attack_technique: T1531
display_name: Account Access Removal
atomic_tests:
- name: Change User Password - Windows
auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
description: |
Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
the password "HuHuHUHoHo283283".
supported_platforms:
- windows
input_arguments:
user_account:
description: User account whose password will be changed.
type: string
default: AtomicAdministrator
new_user_password:
description: Password to use if user account must be created first
type: string
default: User2ChangePW!
new_password:
description: New password for the specified account.
type: string
default: HuHuHUHoHo283283@dJD
executor:
command: |
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
cleanup_command: |
net.exe user #{user_account} /delete >nul 2>&1
name: command_prompt
elevation_required: true
- name: Delete User - Windows
auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5
description: |
Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
supported_platforms:
- windows
input_arguments:
new_user_password:
description: Password to use if user account must be created first
type: string
default: User2DeletePW!
user_account:
description: User account to be deleted.
type: string
default: AtomicUser
executor:
command: |
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
name: command_prompt
elevation_required: true
- name: Remove Account From Domain Admin Group
auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947
description: |
This test will remove an account from the domain admins group
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
Requires the Active Directory module for powershell to be installed.
prereq_command: |
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
get_prereq_command: |
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
input_arguments:
super_user:
description: Account used to run the execution command (must include domain).
type: string
default: 'domain\super_user'
super_pass:
description: super_user account password.
type: string
default: "password"
remove_user:
description: Account to remove from domain admins.
type: string
default: "remove_user"
executor:
command: |
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}
name: powershell
elevation_required: false
- name: Change User Password via passwd
auto_generated_guid: 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6
description: |
This test changes the user password to hinder access to the account using passwd utility.
supported_platforms:
- macos
- linux
input_arguments:
user_account:
description: User account whose password will be changed.
type: string
default: ARTUser
executor:
command: |
passwd #{user_account} #enter admin password > enter new password > confirm new password
name: sh
elevation_required: true
- name: Delete User via dscl utility
auto_generated_guid: 4d938c43-2fe8-4d70-a5b3-5bf239aa7846
description: |
This test deletes the user account using the dscl utility.
supported_platforms:
- macos
input_arguments:
user_account:
description: User account which will be deleted.
type: string
default: ARTUser
user_password:
description: User password.
type: string
default: ARTPassword
executor:
command: |
dscl . -delete /Users/#{user_account} #enter admin password
cleanup_command: |
dscl . -create /Users/#{user_account} #enter admin password
dscl . -create /Users/#{user_account} UserShell /bin/bash
dscl . -create /Users/#{user_account} UniqueID 503
dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
name: sh
elevation_required: true
- name: Delete User via sysadminctl utility
auto_generated_guid: d3812c4e-30ee-466a-a0aa-07e355b561d6
description: |
This test deletes the user account using the sysadminctl utility.
supported_platforms:
- macos
input_arguments:
user_account:
description: User account which will be deleted.
type: string
default: ARTUserAccount
user_name:
description: New user name.
type: string
default: ARTUser
user_password:
description: New user password.
type: string
default: ARTPassword
executor:
command: |
sysadminctl -deleteUser #{user_account} #enter admin password
cleanup_command: |
sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
name: sh
elevation_required: true
- name: Azure AD - Delete user via Azure AD PowerShell
auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4
description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
supported_platforms:
- azure-ad
input_arguments:
userprincipalname:
description: User principal name (UPN) for the Azure user being deleted
type: string
default: "atomicredteam@yourdomain.com"
dependency_executor_name: powershell
dependencies:
- description: Check if AzureAD PowerShell module is installed
prereq_command: Get-InstalledModule -Name AzureAD
get_prereq_command: echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
- description: Check if AzureAD PowerShell module is installed
prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
executor:
command: |-
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname
cleanup_command: N/A
name: powershell
- name: Azure AD - Delete user via Azure CLI
auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0
description: Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
supported_platforms:
- azure-ad
input_arguments:
userprincipalname:
description: User principal name (UPN) for the Azure user being deleted
type: string
default: "atomicredteam@yourdomain.com"
dependency_executor_name: powershell
dependencies:
- description: Check if Azure CLI is installed and install manually
prereq_command: az account list
get_prereq_command: echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
- description: Check if Azure CLI is installed and install via PowerShell
prereq_command: az account list
get_prereq_command: echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
- description: Update the userprincipalname to meet your requirements
prereq_command: Update the input arguments so the userprincipalname value is accurate for your environment
get_prereq_command: echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
executor:
command: |-
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
cleanup_command: N/A
name: powershell
Reference in New Issue View Git Blame Copy Permalink