Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
Changes the user password to hinder access attempts. Seen in use by LockerGoga.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_account | User account whose password will be changed. | string | AtomicAdministrator |
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD |
| new_user_password | Password to use if user account must be created first | string | User2ChangePW! |
net.exe user #{user_account} #{new_password}
net.exe user #{user_account} /delete
net user #{user_account}
net user #{user_account} #{new_user_password} /add
Deletes a user account to prevent access.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_account | User account to be deleted. | string | AtomicUser |
| new_user_password | Password to use if user account must be created first | string | User2DeletePW! |
net.exe user #{user_account} /delete
net user #{user_account}
net user #{user_account} #{new_user_password} /add