T1531 - Account Access Removal

Description from ATT&CK (opens in a new tab)

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot (opens in a new tab) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

In Windows, Net (opens in a new tab) utility, Set-LocalUser and Set-ADAccountPassword PowerShell (opens in a new tab) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction (opens in a new tab) and Defacement (opens in a new tab), in order to impede incident response/recovery before completing the Data Encrypted for Impact (opens in a new tab) objective.

Atomic Tests

• Atomic Test #1 - Change User Password - Windows

• Atomic Test #2 - Delete User - Windows

• Atomic Test #3 - Remove Account From Domain Admin Group

• Atomic Test #4 - Change User Password via passwd

• Atomic Test #5 - Delete User via dscl utility

• Atomic Test #6 - Delete User via sysadminctl utility

• Atomic Test #7 - Azure AD - Delete user via Azure AD PowerShell

• Atomic Test #8 - Azure AD - Delete user via Azure CLI

Atomic Test #1 - Change User Password - Windows

Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283".

Supported Platforms: Windows

auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2

Inputs:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}

Cleanup Commands:

net.exe user #{user_account} /delete >nul 2>&1

Atomic Test #2 - Delete User - Windows

Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.

Supported Platforms: Windows

auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5

Inputs:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete

Atomic Test #3 - Remove Account From Domain Admin Group

This test will remove an account from the domain admins group

Supported Platforms: Windows

auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947

Inputs:

Attack Commands: Run with powershell!

$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
  Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}

Dependencies: Run with powershell!

Description: Requires the Active Directory module for powershell to be installed.

Check Prereq Commands:

if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}

Get Prereq Commands:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Atomic Test #4 - Change User Password via passwd

This test changes the user password to hinder access to the account using passwd utility.

Supported Platforms: macOS, Linux

auto_generated_guid: 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6

Inputs:

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

passwd #{user_account} #enter admin password > enter new password > confirm new password

Atomic Test #5 - Delete User via dscl utility

This test deletes the user account using the dscl utility.

Supported Platforms: macOS

auto_generated_guid: 4d938c43-2fe8-4d70-a5b3-5bf239aa7846

Inputs:

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

dscl . -delete /Users/#{user_account} #enter admin password

Cleanup Commands:

dscl . -create /Users/#{user_account} #enter admin password
dscl . -create /Users/#{user_account} UserShell /bin/bash
dscl . -create /Users/#{user_account} UniqueID 503
dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user

Atomic Test #6 - Delete User via sysadminctl utility

This test deletes the user account using the sysadminctl utility.

Supported Platforms: macOS

auto_generated_guid: d3812c4e-30ee-466a-a0aa-07e355b561d6

Inputs:

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sysadminctl -deleteUser #{user_account} #enter admin password

Cleanup Commands:

sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}

Atomic Test #7 - Azure AD - Delete user via Azure AD PowerShell

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: Azure-ad

auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4

Inputs:

Attack Commands: Run with powershell!

Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname

Cleanup Commands:

N/A

Dependencies: Run with powershell!

Description: Check if AzureAD PowerShell module is installed

Check Prereq Commands:

Get-InstalledModule -Name AzureAD

Get Prereq Commands:

echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"

Description: Check if AzureAD PowerShell module is installed

Check Prereq Commands:

Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"

Atomic Test #8 - Azure AD - Delete user via Azure CLI

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: Azure-ad

auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0

Inputs:

Attack Commands: Run with powershell!

az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname

Cleanup Commands:

N/A

Dependencies: Run with powershell!

Description: Check if Azure CLI is installed and install manually

Check Prereq Commands:

az account list

Get Prereq Commands:

echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"

Description: Check if Azure CLI is installed and install via PowerShell

Check Prereq Commands:

az account list

Get Prereq Commands:

echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"

Description: Update the userprincipalname to meet your requirements

Check Prereq Commands:

Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"