Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) In Windows, the [Net](https://attack.mitre.org/software/S0039) utility and the `Set-LocalUser` and `Set-ADAccountPassword` [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the `passwd` utility may be used to change passwords. Accounts could also be disabled by Group Policy. Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.
Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account “AtomicAdministrator” with the password “HuHuHUHoHo283283”.

Supported Platforms: Windows

auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | AtomicAdministrator |
| new_user_password | Password to use if user account must be created first | string | User2ChangePW! |
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD |

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
```

Cleanup Commands:

```cmd
net.exe user #{user_account} /delete >nul 2>&1
```
Deletes a user account to prevent access. Upon execution, run the command “net user” to verify that the new “AtomicUser” account was deleted.

Supported Platforms: Windows

auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_user_password | Password to use if user account must be created first | string | User2DeletePW! |
| user_account | User account to be deleted. | string | AtomicUser |

Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
```
This test will remove an account from the domain admins group.

Supported Platforms: Windows

auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| super_user | Account used to run the execution command (must include domain). | string | domain\super_user |
| super_pass | super_user account password. | string | password |
| remove_user | Account to remove from domain admins. | string | remove_user |

Attack Commands: Run with `powershell`!

```powershell
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
    Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}
```

Dependencies: Run with `powershell`!

Check Prereq Commands:

```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```
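As an added defender-side example (not part of the Atomic Red Team page or its tests), the following Python triages the Windows Security audit events that the three Windows tests above generate: 4724 (password reset by another principal), 4725 (account disabled, the Group Policy case in the description), 4726 (account deleted) and 4729 (member removed from a security-enabled global group such as Domain Admins). It also flags a principal that performs several such actions inside a short window, the bulk pattern the description associates with ransomware operators preparing for encryption. The event IDs are the standard Security audit IDs; the event records, the actor and target names, and the field names (following the Security log's EventData fields) are constructed sample data.

```python
"""Triage Windows Security audit events for account access removal (T1531).

Added example; the event records below are constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs for the behaviours the tests exercise.
ACCESS_REMOVAL_EVENTS = {
    4724: "password reset by another principal",
    4725: "user account disabled",
    4726: "user account deleted",
    4729: "member removed from security-enabled global group",
}

# Groups whose membership removals deserve a higher severity.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events. Field names follow the Security log's EventData:
# SubjectUserName is the principal acting, TargetUserName the account acted on;
# for 4729 TargetUserName is the group and MemberName the removed member's DN.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:58:00", "EventID": 4720,
     "SubjectUserName": "svc_backup", "TargetUserName": "AtomicAdministrator"},
    {"TimeCreated": "2024-05-01T10:00:00", "EventID": 4724,
     "SubjectUserName": "svc_backup", "TargetUserName": "AtomicAdministrator"},
    {"TimeCreated": "2024-05-01T10:00:30", "EventID": 4726,
     "SubjectUserName": "svc_backup", "TargetUserName": "AtomicUser"},
    {"TimeCreated": "2024-05-01T10:01:00", "EventID": 4729,
     "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=remove_user,CN=Users,DC=example,DC=local"},
    {"TimeCreated": "2024-05-01T14:00:00", "EventID": 4724,
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"TimeCreated": "2024-05-01T14:05:00", "EventID": 4624,
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
]


def classify(event):
    """Return a finding for an access-removal event, or None for anything else."""
    event_id = event["EventID"]
    if event_id not in ACCESS_REMOVAL_EVENTS:
        return None
    finding = {
        "time": event["TimeCreated"],
        "actor": event["SubjectUserName"],
        "action": ACCESS_REMOVAL_EVENTS[event_id],
        "severity": "medium",
    }
    if event_id == 4729:
        # MemberName is a distinguished name; its first RDN is the account name.
        first_rdn = event.get("MemberName", "").split(",", 1)[0]
        finding["target"] = first_rdn.split("=", 1)[-1]
        finding["group"] = event["TargetUserName"]
        if finding["group"] in PRIVILEGED_GROUPS:
            finding["severity"] = "high"
    else:
        finding["target"] = event["TargetUserName"]
    return finding


def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Map each actor to its largest count of removal actions inside one window.

    Only actors reaching the threshold are returned; a sliding window over the
    sorted timestamps keeps this linear per actor.
    """
    times_by_actor = defaultdict(list)
    for event in events:
        finding = classify(event)
        if finding:
            times_by_actor[finding["actor"]].append(datetime.fromisoformat(finding["time"]))
    bursts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start = best = 0
        for end, stamp in enumerate(times):
            while stamp - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[actor] = best
    return bursts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        finding = classify(event)
        if finding:
            print(f"[{finding['severity']}] {finding['time']} {finding['actor']} -> "
                  f"{finding['target']}: {finding['action']}")
    print("burst actors:", find_bursts(SAMPLE_EVENTS))
```

On the constructed sample, `svc_backup` resets a password, deletes an account and strips a Domain Admins membership within about a minute and is reported as a burst, while the single helpdesk reset stays a medium finding. The account-creation event (4720) that precedes each test here is deliberately not counted, so a test harness creating and then removing its own throwaway account still shows the removal side.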
This test changes the user password to hinder access to the account using the passwd utility.

Supported Platforms: macOS, Linux

auto_generated_guid: 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | ARTUser |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
passwd #{user_account} #enter admin password > enter new password > confirm new password
```
This test deletes the user account using the dscl utility.

Supported Platforms: macOS

auto_generated_guid: 4d938c43-2fe8-4d70-a5b3-5bf239aa7846

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account which will be deleted. | string | ARTUser |
| user_password | User password. | string | ARTPassword |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
dscl . -delete /Users/#{user_account} #enter admin password
```

Cleanup Commands:

```sh
dscl . -create /Users/#{user_account} #enter admin password
dscl . -create /Users/#{user_account} UserShell /bin/bash
dscl . -create /Users/#{user_account} UniqueID 503
dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
```
This test deletes the user account using the sysadminctl utility.

Supported Platforms: macOS

auto_generated_guid: d3812c4e-30ee-466a-a0aa-07e355b561d6

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account which will be deleted. | string | ARTUserAccount |
| user_name | New user name. | string | ARTUser |
| user_password | New user password. | string | ARTPassword |

Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
sysadminctl -deleteUser #{user_account} #enter admin password
```

Cleanup Commands:

```sh
sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
```
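As an added defender-side example (not part of the Atomic Red Team page or its tests), the following Python reads a Linux auth log and separates the `passwd` test above, an administrator resetting someone else's password, from ordinary self-service password changes, and attributes account deletions (the Linux `userdel` counterpart of the dscl and sysadminctl deletions) to the invoking user. It relies on the default message formats of `sudo` and `pam_unix`, which record the invoking user and the exact command, and of `userdel`; the log lines, host and account names are constructed sample data. macOS writes the equivalent records to the unified log under opendirectoryd rather than to a syslog file, so this parser as written applies to the Linux case only.

```python
"""Flag admin-driven password resets and account deletions in a Linux auth log.

Added example; the log lines below are constructed. The sudo, pam_unix and
userdel message formats are the ones those components emit by default.
"""
import re

# sudo records the invoking user and the exact command it ran.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : .*?COMMAND=(?P<cmd>\S+)(?: (?P<args>.*))?$"
)
# pam_unix logs the account whose password changed, but not who changed it.
PAM_CHAUTHTOK_RE = re.compile(
    r"passwd\[\d+\]: pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)"
)
# userdel logs the deletion itself; the actor comes from the sudo line if any.
USERDEL_RE = re.compile(r"userdel\[\d+\]: delete user '(?P<user>[^']+)'")

# Constructed sample log (not real data).
SAMPLE_LOG = """\
May  1 09:59:58 host1 sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/passwd ARTUser
May  1 10:00:02 host1 passwd[2211]: pam_unix(passwd:chauthtok): password changed for ARTUser
May  1 10:00:40 host1 sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/userdel -r olduser
May  1 10:00:41 host1 userdel[2230]: delete user 'olduser'
May  1 12:30:00 host1 passwd[3100]: pam_unix(passwd:chauthtok): password changed for jdoe
May  1 12:31:00 host1 sudo:   admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
May  1 12:40:00 host1 userdel[3200]: delete user 'tmpuser'
"""


def analyze(log_text):
    """Return findings in log order; admin-driven changes outrank self-service ones."""
    findings = []
    reset_by_admin = set()   # accounts whose passwd was run under sudo by someone else
    deleted = set()          # accounts already attributed to a sudo-invoked userdel
    for line in log_text.splitlines():
        sudo = SUDO_RE.search(line)
        if sudo:
            tool = sudo.group("cmd").rsplit("/", 1)[-1]
            operands = [a for a in (sudo.group("args") or "").split() if not a.startswith("-")]
            if tool == "passwd" and operands and operands[0] != sudo.group("actor"):
                reset_by_admin.add(operands[0])
                findings.append({"actor": sudo.group("actor"), "target": operands[0],
                                 "action": "password reset by another user", "severity": "medium"})
            elif tool == "userdel" and operands:
                deleted.add(operands[-1])
                findings.append({"actor": sudo.group("actor"), "target": operands[-1],
                                 "action": "account deleted", "severity": "high"})
            continue
        pam = PAM_CHAUTHTOK_RE.search(line)
        if pam and pam.group("user") not in reset_by_admin:
            # No sudo passwd for this account preceded it: treat as self-service.
            findings.append({"actor": pam.group("user"), "target": pam.group("user"),
                             "action": "self-service password change", "severity": "info"})
            continue
        gone = USERDEL_RE.search(line)
        if gone and gone.group("user") not in deleted:
            # Deletion with no sudo record: run directly as root, so the actor is unknown.
            findings.append({"actor": "root (no sudo record)", "target": gone.group("user"),
                             "action": "account deleted", "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['actor']} -> {finding['target']}: {finding['action']}")
```

The pam_unix line alone cannot tell a forced reset from a user changing their own password, which is why the sudo record is used as the attribution source and the pam line only fills in the self-service case; a `userdel` with no matching sudo entry is kept as a high finding with the actor marked unknown rather than dropped.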
Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: Azure-ad

auto_generated_guid: 4f577511-dc1c-4045-bcb8-75d2457f01f4

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| userprincipalname | User principal name (UPN) for the Azure user being deleted | string | atomicredteam@yourdomain.com |

Attack Commands: Run with `powershell`!

```powershell
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname
```

Cleanup Commands: N/A

Dependencies: Run with `powershell`!

Check Prereq Commands:

```powershell
Get-InstalledModule -Name AzureAD
```

Get Prereq Commands:

```powershell
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
```

Description: Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```
Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: Azure-ad

auto_generated_guid: c955c1c7-3145-4a22-af2d-63eea0d967f0

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| userprincipalname | User principal name (UPN) for the Azure user being deleted | string | atomicredteam@yourdomain.com |

Attack Commands: Run with `powershell`!

```powershell
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
```

Cleanup Commands: N/A

Dependencies: Run with `powershell`!

Check Prereq Commands:

```powershell
az account list
```

Get Prereq Commands:

```powershell
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
```

Check Prereq Commands:

```powershell
az account list
```

Get Prereq Commands:

```powershell
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
```

Description: Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```
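As an added defender-side example (not part of the Atomic Red Team page or its tests), the following Python reviews an export of Azure AD audit-log records for the operation the two Azure tests above perform, "Delete user", together with "Reset user password", reporting who acted on which account, from which address, whether the attempt succeeded, and which initiators removed access in bulk. The records are constructed sample data shaped after the AuditLogs schema fields `activityDateTime`, `operationName`, `category`, `result`, `initiatedBy` and `targetResources`; the tenant, account and address values are placeholders, and the operation-name strings should be checked against the names that appear in your own tenant's log before the list is relied on.

```python
"""Review Azure AD audit-log records for user deletions and password resets.

Added example; the records below are constructed to follow the AuditLogs schema
(activityDateTime, operationName, category, result, initiatedBy, targetResources).
"""
import json
from collections import Counter

# Audit operations that remove or alter a user's ability to sign in, with severity.
WATCHED_OPERATIONS = {
    "Delete user": "high",
    "Reset user password": "medium",
}

# Constructed sample export (not real data), as a JSON array of audit records.
SAMPLE_AUDIT_JSON = json.dumps([
    {"activityDateTime": "2024-05-01T10:00:00Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass@yourdomain.com", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"type": "User", "userPrincipalName": "atomicredteam@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T10:00:20Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass@yourdomain.com", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"type": "User", "userPrincipalName": "finance01@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T10:00:45Z", "operationName": "Reset user password",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass@yourdomain.com", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"type": "User", "userPrincipalName": "ceo@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T11:00:00Z", "operationName": "Update user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr.sync@yourdomain.com", "ipAddress": "198.51.100.4"}},
     "targetResources": [{"type": "User", "userPrincipalName": "newhire@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T11:30:00Z", "operationName": "Delete user",
     "category": "UserManagement", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "intern@yourdomain.com", "ipAddress": "198.51.100.9"}},
     "targetResources": [{"type": "User", "userPrincipalName": "ceo@yourdomain.com"}]},
])


def initiator_of(record):
    """Name the principal behind a record: a user UPN or an application display name."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    if user:
        return user.get("userPrincipalName", "unknown-user")
    app = by.get("app") or {}
    return app.get("displayName", "unknown-app")


def review(audit_json, bulk_threshold=2):
    """Return (findings, bulk_initiators) for the watched operations.

    Failed attempts are kept at low severity because a denied deletion is still
    worth a look; bulk_initiators counts only successful actions per initiator.
    """
    findings = []
    successes = Counter()
    for record in json.loads(audit_json):
        operation = record.get("operationName")
        if operation not in WATCHED_OPERATIONS:
            continue
        actor = initiator_of(record)
        targets = [t.get("userPrincipalName") for t in record.get("targetResources", [])
                   if t.get("type") == "User"]
        succeeded = record.get("result") == "success"
        if succeeded:
            successes[actor] += 1
        user_info = (record.get("initiatedBy") or {}).get("user") or {}
        findings.append({
            "time": record.get("activityDateTime"),
            "actor": actor,
            "ip": user_info.get("ipAddress"),
            "operation": operation,
            "targets": targets,
            "severity": WATCHED_OPERATIONS[operation] if succeeded else "low",
        })
    bulk = {actor: n for actor, n in successes.items() if n >= bulk_threshold}
    return findings, bulk


if __name__ == "__main__":
    found, bulk_actors = review(SAMPLE_AUDIT_JSON)
    for finding in found:
        print(f"[{finding['severity']}] {finding['time']} {finding['actor']} ({finding['ip']}) "
              f"{finding['operation']} -> {', '.join(finding['targets'])}")
    print("bulk initiators:", bulk_actors)
```

Because the test's own `Remove-AzureADUser` and `az ad user delete` calls land in this log as "Delete user" with the test runner's account as the initiator, running the page's tests in a lab tenant is a convenient way to confirm that the operation names and the initiator fields match what this review expects before it is pointed at production exports.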