T1531 - Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

In Windows, the Net utility and the Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Atomic Tests

Atomic Test #1 - Change User Password - Windows

Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283".

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with command_prompt

```
net user AtomicAdministrator User2ChangePW! /add
net.exe user AtomicAdministrator HuHuHUHoHo283283@dJD
```

Invoke-AtomicTest T1531 -TestNumbers 1

Cleanup:

```
net.exe user AtomicAdministrator /delete >nul 2>&1
```

Invoke-AtomicTest T1531 -TestNumbers 1 -Cleanup

Atomic Test #2 - Delete User - Windows

Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with command_prompt

```
net user AtomicUser User2DeletePW! /add
net.exe user AtomicUser /delete
```

Invoke-AtomicTest T1531 -TestNumbers 2

Atomic Test #3 - Remove Account From Domain Admin Group

This test will remove an account from the domain admins group.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with powershell!

Description: Requires the Active Directory module for powershell to be installed.

Check Prereq Commands:

```
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```

Get Prereq Commands:

```
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```

Invoke-AtomicTest T1531 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with powershell

```
# Credential of the account performing the removal (values come from the test's input arguments)
$PWord = ConvertTo-SecureString -String password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord
# Only attempt the removal if the target account is actually a member of Domain Admins
if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){
  Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False
} else{
  Write-Host "Error - Make sure remove_user is in the domain admins group" -ForegroundColor Red
}
```

Invoke-AtomicTest T1531 -TestNumbers 3

Atomic Test #4 - Change User Password via passwd

This test changes the user password to hinder access to the account using the passwd utility.

Supported Platforms: macos, linux

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

```
passwd ARTUser #enter admin password > enter new password > confirm new password
```

Invoke-AtomicTest T1531 -TestNumbers 4

Atomic Test #5 - Delete User via dscl utility

This test deletes the user account using the dscl utility.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

```
dscl . -delete /Users/ARTUser #enter admin password
```

Invoke-AtomicTest T1531 -TestNumbers 5

Cleanup:

```
dscl . -create /Users/ARTUser #enter admin password
dscl . -create /Users/ARTUser UserShell /bin/bash
dscl . -create /Users/ARTUser UniqueID 503
dscl . -create /Users/ARTUser NFSHomeDirectory /Users/ARTUser
dscl . -passwd /Users/ARTUser ARTPassword #enter password for new user
```

Invoke-AtomicTest T1531 -TestNumbers 5 -Cleanup

Atomic Test #6 - Delete User via sysadminctl utility

This test deletes the user account using the sysadminctl utility.

Supported Platforms: macos

Elevation Required (e.g. root or admin)

Attack Commands: Run with sh

```
sysadminctl -deleteUser ARTUserAccount #enter admin password
```

Invoke-AtomicTest T1531 -TestNumbers 6

Cleanup:

```
sysadminctl -addUser ARTUserAccount -fullName "ARTUser" -password ARTPassword
```

Invoke-AtomicTest T1531 -TestNumbers 6 -Cleanup

Atomic Test #7 - Azure AD - Delete user via Azure AD PowerShell

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: azure-ad

Dependencies: Run with powershell!

Description: Check if AzureAD PowerShell module is installed

Check Prereq Commands:

```
Get-InstalledModule -Name AzureAD
```

Get Prereq Commands:

```
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
```

Description: Update the userprincipalname to meet your requirements

Check Prereq Commands:

```
Update the input arguments so the userprincipalname value is accurate for your environment
```

Get Prereq Commands:

```
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```

Invoke-AtomicTest T1531 -TestNumbers 7 -GetPreReqs

Attack Commands: Run with powershell

```
Connect-AzureAD
$userprincipalname = "atomicredteam@yourdomain.com"
Remove-AzureADUser -ObjectId $userprincipalname
```

Invoke-AtomicTest T1531 -TestNumbers 7

Cleanup:

N/A

Invoke-AtomicTest T1531 -TestNumbers 7 -Cleanup

Atomic Test #8 - Azure AD - Delete user via Azure CLI

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

Supported Platforms: azure-ad

Dependencies: Run with powershell!

Description: Check if Azure CLI is installed and install manually

Check Prereq Commands:

```
az account list
```

Get Prereq Commands:

```
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
```

Description: Check if Azure CLI is installed and install via PowerShell

Check Prereq Commands:

```
az account list
```

Get Prereq Commands:

```
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
```

Description: Update the userprincipalname to meet your requirements

Check Prereq Commands:

```
Update the input arguments so the userprincipalname value is accurate for your environment
```

Get Prereq Commands:

```
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```

Invoke-AtomicTest T1531 -TestNumbers 8 -GetPreReqs

Attack Commands: Run with powershell

```
az login
$userprincipalname = "atomicredteam@yourdomain.com"
az ad user delete --id $userprincipalname
```

Invoke-AtomicTest T1531 -TestNumbers 8

Cleanup:

N/A

Invoke-AtomicTest T1531 -TestNumbers 8 -Cleanup

Detection

Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of Net. Windows event logs may also designate activity associated with an adversary’s attempt to remove access to an account:

  • Event ID 4723 - An attempt was made to change an account’s password

  • Event ID 4724 - An attempt was made to reset an account’s password

  • Event ID 4726 - A user account was deleted

  • Event ID 4740 - A user account was locked out

Alerting on Net and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Shield Active Defense

System Activity Monitoring

Collect system activity logs which can reveal adversary activity.

Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.

Opportunity

There is an opportunity to create a detection with a moderately high probability of success.

Use Case

A defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.

Procedures

Ensure that systems capture and retain common system level activity artifacts that might be produced. Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc.
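The Detection section above lists four Security-log event IDs and advises correlating them with Net process activity and with a baseline, and the Use Case asks for alerts on account changes outside normal hours. The script below is an added example of that correlation, written for this page; it is not code from the Atomic Red Team project or from MITRE. The records are constructed to resemble a flattened Security-log export (4688 process-creation events with a CommandLine field alongside the account events), and the field names, the baseline admin set and the business-hours window are assumptions of the example that would be tuned per environment.

```python
"""Correlate Windows account-modification events with process activity.

Added example for the Detection and Shield "Use Case" sections; not code from
the Atomic Red Team project. Sample records are constructed and the baseline
admin set, business hours and field names are assumptions of this example.
"""
import re
from datetime import datetime, time, timedelta

# The event IDs the Detection section lists, with their meaning.
ACCOUNT_EVENTS = {
    4723: "attempt to change an account's password",
    4724: "attempt to reset an account's password",
    4726: "user account deleted",
    4740: "user account locked out",
}

# Command lines of the tools the page names (Net and the PowerShell cmdlets).
# Process-creation (4688) records are assumed to carry a CommandLine field.
NET_PATTERN = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+", re.IGNORECASE)
CMDLET_PATTERN = re.compile(
    r"\b(?:Set-LocalUser|Set-ADAccountPassword|Remove-ADGroupMember)\b",
    re.IGNORECASE)

# Baseline knowledge (assumed): accounts that routinely manage users, and the
# hours in which such changes are expected in this environment.
BASELINE_ADMINS = {"svc_identity", "helpdesk01"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"TimeCreated": "2024-03-12T02:14:10", "EventID": 4688, "Computer": "WS01",
     "SubjectUserName": "jdoe",
     "CommandLine": "net.exe user backupadmin N3wPassw0rd!"},
    {"TimeCreated": "2024-03-12T02:14:11", "EventID": 4724, "Computer": "WS01",
     "SubjectUserName": "jdoe", "TargetUserName": "backupadmin"},
    {"TimeCreated": "2024-03-12T10:30:00", "EventID": 4723, "Computer": "WS02",
     "SubjectUserName": "helpdesk01", "TargetUserName": "alice"},
    {"TimeCreated": "2024-03-12T11:04:50", "EventID": 4688, "Computer": "WS03",
     "SubjectUserName": "svc_identity",
     "CommandLine": "net.exe user tempuser /delete"},
    {"TimeCreated": "2024-03-12T11:05:02", "EventID": 4726, "Computer": "WS03",
     "SubjectUserName": "svc_identity", "TargetUserName": "tempuser"},
]


def outside_business_hours(ts):
    """True on weekends or outside the configured working-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def suspicious_commandline(cmd):
    """True when a command line looks like account management via Net or the cmdlets."""
    return bool(NET_PATTERN.search(cmd) or CMDLET_PATTERN.search(cmd))


def enrich(records):
    """Attach a list of indicators to every account-modification event.

    Indicators: subject outside the baseline admin set, event outside business
    hours, and a suspicious account-management command line on the same host
    within CORRELATION_WINDOW of the event.
    """
    parsed = sorted(((datetime.fromisoformat(r["TimeCreated"]), r) for r in records),
                    key=lambda p: p[0])
    procs = [(ts, r) for ts, r in parsed if r["EventID"] == 4688]
    findings = []
    for ts, r in parsed:
        if r["EventID"] not in ACCOUNT_EVENTS:
            continue
        reasons = []
        if r.get("SubjectUserName", "").lower() not in BASELINE_ADMINS:
            reasons.append("subject not in baseline admin set")
        if outside_business_hours(ts):
            reasons.append("outside business hours")
        for pts, p in procs:
            if (p["Computer"] == r["Computer"] and abs(pts - ts) <= CORRELATION_WINDOW
                    and suspicious_commandline(p.get("CommandLine", ""))):
                reasons.append("correlated with " + p["CommandLine"])
                break
        findings.append({
            "time": r["TimeCreated"], "host": r["Computer"],
            "event": ACCOUNT_EVENTS[r["EventID"]],
            "subject": r.get("SubjectUserName"), "target": r.get("TargetUserName"),
            "reasons": reasons,
        })
    return findings


def alerts(records, min_indicators=2):
    """Keep only findings with enough indicators to merit analyst attention.

    A lone Net invocation by a baseline admin during the day is routine; the
    threshold is what turns the noisy raw events into a manageable alert stream.
    """
    return [f for f in enrich(records) if len(f["reasons"]) >= min_indicators]


if __name__ == "__main__":
    for a in alerts(SAMPLE_RECORDS):
        print(a["time"], a["host"], a["event"], a["subject"], "->", a["target"])
        for reason in a["reasons"]:
            print("   -", reason)
```

On the constructed sample, only the 02:14 password reset on WS01 reaches the alert threshold (non-baseline subject, outside hours, and a matching net.exe command line seconds earlier); the daytime deletion on WS03 by a baseline service account carries a single indicator and stays in the enriched findings for hunting rather than paging anyone, which is the false-positive trade-off the Detection section describes.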