CYBERSECURITY JOB HUNTING GUIDE
T1098: Account Manipulation
Author: Stefan Waldvogel
LimaCharlie vs. Account Manipulation
Overview:
Description from ATT&CK
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
Source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1098.001 -ShowDetailsBrief
Invoke-AtomicTest T1098.001 -CheckPrereqs
Invoke-AtomicTest T1098.001 -GetPrereqs
Invoke-AtomicTest T1098.001 -TestNumbers 1
Invoke-AtomicTest T1098.001 -Cleanup
Changes:
Created Artifact Collection Rules
Limitations:
Results:
This section has 2 subtests.
Invoke-AtomicTest T1098.001 -TestNumbers 1 (Admin Account Manipulate)
-> PowerShell execution detected, but not the account creation itself
Invoke-AtomicTest T1098.001 -TestNumbers 2, detected via WEL (Windows Event Log) but very slow
Improvements:
auditpol /set /subcategory:"computer account management" /Success:Enable /Failure:Enable
With LimaCharlie we can create Artifact Collection Rules.
We can collect the relevant event ID with the following artifact path (?) -> I have to test more; getting the event logs looks slow:
wel://Security:Event[Security[EventID=4738]]
Possible other option:
Detection needs some time. The following user is a domain user, I am not sure why the rule said "Local User Creation."
Unwanted side effect:
Digesting Windows event logs takes time, and you see "old" incidents unless you move the event logs to a new place every day.
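To check the Windows side of this pipeline before the events ever reach LimaCharlie, here is an added PowerShell script (example code written for this page, not from the original guide, LimaCharlie or Atomic Red Team). It assumes an elevated PowerShell session on the host where the atomic test ran; the event IDs it looks at (4720 user created, 4738 user changed, 4742 computer account changed, 4728/4732 member added to a group), the 24-hour default window, the function name and the script name are my own choices. It first verifies that both the User Account Management and Computer Account Management audit subcategories are enabled (the auditpol line under Improvements enables only the computer one, while 4720 and 4738 come from the user one), then pulls and parses the matching Security events so you can confirm locally which changes the wel:// rule should be returning.

```powershell
# Added example, not part of the original guide: validate the Windows side of
# the T1098.001 detection locally. Assumes an elevated PowerShell session on the
# host where the atomic test ran. Event IDs and the window size are assumptions.
param(
    [int]$LookbackHours = 24   # assumed default; shrink it to avoid "old" incidents
)

# 1. Confirm the audit subcategories that generate these events are enabled.
#    'auditpol /get' prints one line per subcategory; disabled ones say "No Auditing".
$auditOutput = auditpol /get /category:"Account Management" 2>$null
foreach ($sub in 'User Account Management', 'Computer Account Management') {
    $line = $auditOutput | Where-Object { $_ -match [regex]::Escape($sub) }
    if (-not $line -or $line -match 'No Auditing') {
        Write-Warning "Audit subcategory '$sub' is not enabled; its events will not be written."
    } else {
        Write-Host "Audit subcategory '$sub' -> $($line.Trim())"
    }
}

# 2. Pull the account-management events from the Security log.
#    4720 user created, 4738 user changed, 4742 computer account changed,
#    4728/4732 member added to a global/local group.
$ids = 4720, 4738, 4742, 4728, 4732
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No account-management events in the last $LookbackHours hours."
    return
}

# 3. Parse each event's XML so the fields do not depend on message formatting.
#    In 4738 events, attributes that did not change are reported as '-'.
function ConvertTo-AccountEvent {   # hypothetical helper name
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $watched = 'SamAccountName', 'UserAccountControl', 'PasswordLastSet', 'AllowedToDelegateTo'
    $changed = $data.Keys | Where-Object { ($_ -in $watched) -and ($data[$_] -ne '-') }

    [pscustomobject]@{
        Time    = $Record.TimeCreated
        Id      = $Record.Id
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member  = $data['MemberName']        # only present on 4728/4732
        Changed = ($changed -join ',')
    }
}

$parsed = $events | ForEach-Object { ConvertTo-AccountEvent -Record $_ }
$parsed | Sort-Object Time | Format-Table Time, Id, Actor, Target, Member, Changed -AutoSize

# 4. Flag accounts that were both created (4720) and modified (4738) inside the
#    window; that pairing is the pattern worth alerting on rather than each event alone.
$parsed | Group-Object Target | Where-Object {
    ($_.Group.Id -contains 4720) -and ($_.Group.Id -contains 4738)
} | ForEach-Object { Write-Host "Created and modified in window: $($_.Name)" }
```

Save it under any name (for instance Check-AccountManipulation.ps1, a name chosen for this example) and run it as `.\Check-AccountManipulation.ps1 -LookbackHours 6` right after the atomic test. Because the WEL artifact collection replays stored logs rather than streaming them, a short window here tells you quickly whether the 4738 events exist at all, which separates "the audit policy is off" from "LimaCharlie is just slow to digest the log".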
© 2021. This work is licensed under a CC BY-SA 4.0 license