CircleCI Atomic Red Team doc generator
1.9 KiB
1.9 KiB
T1531 - Account Access Removal
Description from ATT&CK
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
Atomic Tests
Atomic Test #1 - Change User Password - Windows
Changes the user password to hinder access attempts. Seen in use by LockerGoga.
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_account | User account whose password will be changed. | string | Administrator |
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD |
Run it with command_prompt! Elevation Required (e.g. root or admin)
net.exe user #{user_account} #{new_password}
Commands to Check Prerequisites:
net.exe user #{user_account}
Atomic Test #2 - Delete User - Windows
Deletes a user account to prevent access.
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_account | User account to be deleted. | string | AtomicUser |
Run it with command_prompt! Elevation Required (e.g. root or admin)
net.exe user #{user_account} /delete
Commands to Check Prerequisites:
net.exe user #{user_account} /add
net.exe user #{user_account} P@$$w0rd