Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or reboot hosts to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283".
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
user_account | User account whose password will be changed. | string | AtomicAdministrator |
new_user_password | Password to use if user account must be created first | string | User2ChangePW! |
new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD |
```cmd
:: Prerequisite: create the target account if it does not exist yet
net user #{user_account} #{new_user_password} /add
:: Attack command: reset the account's password so the legitimate user is locked out
net.exe user #{user_account} #{new_password}
:: Cleanup: remove the test account (errors suppressed if it is already gone)
net.exe user #{user_account} /delete >nul 2>&1
```
Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
new_user_password | Password to use if user account must be created first | string | User2DeletePW! |
user_account | User account to be deleted. | string | AtomicUser |
```cmd
:: Prerequisite: create the target account if it does not exist yet
net user #{user_account} #{new_user_password} /add
:: Attack command: delete the account outright
net.exe user #{user_account} /delete
```
This test will remove an account from the Domain Admins group.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
super_user | Account used to run the execution command (must include domain). | string | domain\super_user |
super_pass | super_user account password. | string | password |
remove_user | Account to remove from domain admins. | string | remove_user |
```powershell
# Attack command: build a credential for the privileged account, then strip the
# target user's Domain Admins membership if it currently holds it
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
    Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    Write-Host "Error - Make sure #{remove_user} is in the domain admins group" -ForegroundColor Red
}
```

Dependency check (exit 0 when the ActiveDirectory module is present) and the command that installs it:

```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```
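A detection-side counterpart to the three tests above, added here as an example and not part of the Atomic Red Team page: it maps Windows Security event IDs 4724 (password reset), 4726 (user deleted) and 4729 (member removed from a security-enabled global group) to the behaviours the tests exercise and flags an actor that performs several distinct removal actions within minutes, the bulk pattern the LockerGoga description refers to. The event records are constructed samples; the field names `actor`/`target`/`group` are assumptions standing in for SubjectUserName, TargetUserName and TargetGroup.

```python
"""Flag Account Access Removal (T1531) bursts in Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event IDs mapped to the sub-behaviours the tests exercise.
REMOVAL_EVENTS = {4724: "password_reset", 4726: "user_deleted",
                  4729: "group_member_removed"}
SENSITIVE_GROUPS = {"Domain Admins", "Administrators"}

# Constructed sample events (not real logs). 4720 = account created.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:05", "id": 4720, "actor": "svc_deploy", "target": "AtomicAdministrator"},
    {"time": "2024-01-01T10:00:09", "id": 4724, "actor": "svc_deploy", "target": "AtomicAdministrator"},
    {"time": "2024-01-01T10:00:12", "id": 4726, "actor": "svc_deploy", "target": "AtomicUser"},
    {"time": "2024-01-01T10:00:20", "id": 4729, "actor": "svc_deploy", "target": "remove_user",
     "group": "Domain Admins"},
    {"time": "2024-01-01T15:30:00", "id": 4724, "actor": "helpdesk1", "target": "jdoe"},
]


def classify(event):
    """Return the T1531 sub-behaviour label for an event, or None if unrelated."""
    label = REMOVAL_EVENTS.get(event["id"])
    if label == "group_member_removed" and event.get("group") not in SENSITIVE_GROUPS:
        return None  # removal from a non-privileged group is routine
    return label


def find_burst_actors(events, window=timedelta(minutes=5), threshold=2):
    """Return {actor: sorted labels} for actors with >= threshold distinct
    removal behaviours inside one window. One password reset is normal
    helpdesk work; several distinct removal actions in minutes is not."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        label = classify(e)
        if label:
            per_actor[e["actor"]].append((datetime.fromisoformat(e["time"]), label))
    alerts = {}
    for actor, acts in per_actor.items():
        for i, (t0, _) in enumerate(acts):
            labels = {lbl for t, lbl in acts[i:] if t - t0 <= window}
            if len(labels) >= threshold:
                alerts[actor] = sorted(labels)
                break
    return alerts


if __name__ == "__main__":
    print(find_burst_actors(SAMPLE_EVENTS))
```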