Graphical user interface, text Description automatically generated

Are you like me and always end up searching for easy stuff that you know but you just can’t remember the syntax all the time?

Well don’t worry I’ve got your back

Text

Description automatically generated

Command line

net user secaudit [email protected]! /ADD

net user secaudit /active:yes

net localgroup administrators /add secaudit

The commands above:

  • Create a user account named “secaudit” with a password of “[email protected]!”
  • Ensure the account is marked as active
  • Add the account to the local administrators group

Powershell

We can do the same via PowerShell (note that using password on the command line is not a great idea from an opsec perspective!)

$password = ConvertTo-SecureString “[email protected]!” -AsPlainText -Force #really bad for opsec

New-LocalUser -Name SecurityAuditor -Password $password -FullName “Security Auditor Powershell Demo”

Add-LocalGroupMember -Group Administrators -Member “SecurityAuditor”

Enable-LocalUser -Name SecurityAuditor

Graphical user interface, text

Description automatically generated

Powershell and ADSI

We can also create local accounts using the Windows NT provider via ADSI

$computer=[ADSI]”WinNT://$env:COMPUTERNAME”

$username = “hacker001”

$user=$computer.Create(‘User’, $username)

$user.SetPassword(“[email protected]!!”)

$user.SetInfo()

# . = localhost

$group=[ADSI]”WinNT://./Users”

$group.Add($user.Path)

Graphical user interface, text

Description automatically generated

Encoded Commands

Ok so this is something if you are planning on doing security testing will want to know about, how do we encode commands and pass them? well sometimes we want a cool way of preparing a payload (set of code/commands) and then executing these in a way that can be sent in a URL string or other fashion.

So here is a quick script to concert the commands to base64 encoding and then copy them to the clipboard!

#Help me obfuscate or cram code into a space

$cleartext = “net user secaudit [email protected]! /ADD;net user secaudit /active:yes;net localgroup administrators /add secaudit”
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cleartext)
$encoded =[Convert]::ToBase64String($bytes)
$encoded

write-host “######################################################” -ForegroundColor Red

#run the command
#powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded

$encodedcommand = “powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded”

#send the value to the clipboard!

Set-Clipboard -Value $encodedcommand

Summary

Creating local accounts is one of those actions that can be achieved via a range of methods. If you are like me you will forget the syntax so hopefully this will be useful to both myself and others in the future!

Leave a Reply

Your email address will not be published. Required fields are marked *