
Are you like me and always end up searching for easy stuff that you know but you just can’t remember the syntax all the time?

Well, don’t worry, I’ve got your back.

Command line

net user secaudit P@55w0rd123! /ADD

net user secaudit /active:yes

net localgroup administrators /add secaudit

The commands above:

  • Create a user account named “secaudit” with a password of “P@55w0rd123!”
  • Ensure the account is marked as active
  • Add the account to the local administrators group

PowerShell

We can do the same via PowerShell (note that putting a password on the command line is not a great idea from an opsec perspective!)

$password = ConvertTo-SecureString "P@55w0rd123!" -AsPlainText -Force #really bad for opsec

New-LocalUser -Name SecurityAuditor -Password $password -FullName "Security Auditor Powershell Demo"

Add-LocalGroupMember -Group Administrators -Member "SecurityAuditor"

Enable-LocalUser -Name SecurityAuditor

PowerShell and ADSI

We can also create local accounts using the Windows NT provider via ADSI.

$computer=[ADSI]"WinNT://$env:COMPUTERNAME"

$username = "hacker001"

$user=$computer.Create('User', $username)

$user.SetPassword("P@ssw0rd123!!")

$user.SetInfo()

# . = localhost

$group=[ADSI]"WinNT://./Users"

$group.Add($user.Path)

Encoded Commands

OK, so this is something you will want to know about if you are planning on doing security testing: how do we encode commands and pass them? Sometimes we want a convenient way of preparing a payload (a set of code/commands) and then executing it in a form that can be sent in a URL string or by some other means.

So here is a quick script to convert the commands to Base64 encoding and then copy them to the clipboard!

#Help me obfuscate or cram code into a space

$cleartext = "net user secaudit P@55w0rd123! /ADD;net user secaudit /active:yes;net localgroup administrators /add secaudit"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cleartext)
$encoded = [Convert]::ToBase64String($bytes)
$encoded

write-host "######################################################" -ForegroundColor Red

#run the command
#powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded

$encodedcommand = "powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded"

#send the value to the clipboard!

Set-Clipboard -Value $encodedcommand
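
From the defender's side, the same encoding can be reversed. The following is an added example (not part of the original post): it pulls -EncodedCommand values out of logged command lines, such as those recorded by Security event 4688 or Sysmon event 1, decodes them and flags the account-creation commands from this guide. The function name Find-EncodedAccountCreation and the sample command lines are constructed for illustration.

```powershell
# Added example: decode -EncodedCommand values found in logged command lines
# and flag the account-creation commands covered in this guide.
function Find-EncodedAccountCreation {
    param([string[]]$CommandLine)

    # Indicators taken from the commands shown in this guide.
    $indicators = 'net(\.exe)?\s+user\s.*/add', 'net(\.exe)?\s+localgroup\s.*/add',
                  'New-LocalUser', 'Add-LocalGroupMember'
    # Any parameter name followed by a long Base64-looking value.
    $pattern = '(?i)[-/](?<name>[a-z]+)\s+(?<b64>[A-Za-z0-9+/]{16,}={0,2})'

    foreach ($line in $CommandLine) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $name = $m.Groups['name'].Value.ToLower()
            # powershell.exe accepts -EncodedCommand, any prefix of it (-e, -enc) and -ec.
            if (-not ('encodedcommand'.StartsWith($name) -or $name -eq 'ec')) { continue }
            try {
                $bytes = [Convert]::FromBase64String($m.Groups['b64'].Value)
            } catch {
                continue   # not valid Base64, so not an encoded command
            }
            # -EncodedCommand carries UTF-16LE text, i.e. [Text.Encoding]::Unicode.
            $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
            $hits = @($indicators | Where-Object { $decoded -match $_ })
            [pscustomobject]@{
                Suspicious = ($hits.Count -gt 0)
                Matched    = $hits -join '; '
                Decoded    = $decoded
            }
        }
    }
}

# Constructed sample input: command strings encoded the same way as in the script above.
$create = 'net user secaudit P@55w0rd123! /ADD;net localgroup administrators /add secaudit'
$b64    = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($create))
$benign = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Get-Date'))
$sample = @(
    "powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $b64",
    "powershell.exe -NoProfile -enc $benign",
    'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'
)
Find-EncodedAccountCreation -CommandLine $sample | Format-List
```

The first sample line is reported as suspicious with both net indicators matched, the second decodes to a harmless command, and the third produces no output because it carries no encoded command.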

Summary

Creating local accounts is one of those actions that can be achieved via a range of methods. If you are like me you will forget the syntax so hopefully this will be useful to both myself and others in the future!
