Are you like me and always end up searching for easy stuff that you know, but you just can't remember the syntax all the time?
Well, don't worry, I've got your back.
Command line
net user secaudit P@55w0rd123! /ADD
net user secaudit /active:yes
net localgroup administrators /add secaudit
The commands above:
- Create a user account named “secaudit” with a password of “P@55w0rd123!”
- Ensure the account is marked as active
- Add the account to the local administrators group
Powershell
We can do the same via PowerShell (note that putting a password on the command line is not a great idea from an opsec perspective, since it ends up in command history and process command-line logs!)
$password = ConvertTo-SecureString "P@55w0rd123!" -AsPlainText -Force #really bad for opsec
New-LocalUser -Name SecurityAuditor -Password $password -FullName "Security Auditor Powershell Demo"
Add-LocalGroupMember -Group Administrators -Member "SecurityAuditor"
Enable-LocalUser -Name SecurityAuditor
Powershell and ADSI
We can also create local accounts using the WinNT provider via ADSI.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$username = "hacker001"
$user = $computer.Create('User', $username)
$user.SetPassword("P@ssw0rd123!!")
$user.SetInfo()
# . = localhost
$group = [ADSI]"WinNT://./Users"
$group.Add($user.Path)
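All three methods above leave the same trail in the Security event log, which is what a defender would look for. The following script is an added example and is not part of the original post: it pulls the account-management events that these commands generate (4720 user created, 4722 user enabled, 4732 member added to a local group), links a group-add back to an account created in the same window, and prints the actor who did it. It assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled (the default on most builds) and that it runs from an elevated prompt; the `$Hours` parameter and field names are taken from the standard event XML.

```powershell
# Added example (not from the original post): correlate Security log events
# produced by local account creation / enabling / admin group membership changes.
# Assumes: elevated session, default account-management auditing enabled.
param([int]$Hours = 24)

$start = (Get-Date).AddHours(-$Hours)

# 4720 = user account created, 4722 = user account enabled,
# 4732 = member added to a security-enabled local group (e.g. Administrators)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4722, 4732
    StartTime = $start
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

function Get-EventField {
    # Pull a named <Data> element out of the event's EventData XML
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Resolve-Sid {
    # 4732 only carries the member's SID; translate it to DOMAIN\name when possible
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$created  = @{}   # TargetSid -> account name, filled from 4720 events
$findings = foreach ($e in $events) {
    switch ($e.Id) {
        4720 {
            $name = Get-EventField $e 'TargetUserName'
            $sid  = Get-EventField $e 'TargetSid'
            $created[$sid] = $name
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'AccountCreated'; Account = $name
                Actor = Get-EventField $e 'SubjectUserName'; Detail = ''
            }
        }
        4722 {
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'AccountEnabled'
                Account = Get-EventField $e 'TargetUserName'
                Actor = Get-EventField $e 'SubjectUserName'; Detail = ''
            }
        }
        4732 {
            $memberSid = Get-EventField $e 'MemberSid'
            $group     = Get-EventField $e 'TargetUserName'
            $note      = if ($created.ContainsKey($memberSid)) { ' (account created in same window)' } else { '' }
            [pscustomobject]@{
                Time = $e.TimeCreated; Event = 'AddedToLocalGroup'
                Account = Resolve-Sid $memberSid
                Actor = Get-EventField $e 'SubjectUserName'; Detail = "group=$group$note"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it shortly after trying any of the snippets above and you will see the create, enable and group-add events in order, attributed to the account that issued the commands; a 4732 whose member was created in the same window and whose group is Administrators is the pattern worth alerting on.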
Encoded Commands
Ok, so this is something you will want to know about if you are planning on doing security testing: how do we encode commands and pass them? Sometimes we want a neat way of preparing a payload (a set of code/commands) and then executing it in a form that can be sent in a URL string or by some other means.
So here is a quick script to convert the commands to base64 encoding and then copy them to the clipboard!
#Help me obfuscate or cram code into a space
$cleartext = "net user secaudit P@55w0rd123! /ADD;net user secaudit /active:yes;net localgroup administrators /add secaudit"
# -EncodedCommand expects UTF-16LE, which is what .Unicode gives us
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cleartext)
$encoded = [Convert]::ToBase64String($bytes)
$encoded
write-host "######################################################" -ForegroundColor Red
#run the command
#powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded
$encodedcommand = "powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $encoded"
#send the value to the clipboard!
Set-Clipboard -Value $encodedcommand
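The flip side of the encoder is the decoder a blue team runs over process command lines. The script below is an added example and not part of the original post: it takes a captured command line (in practice from Sysmon Event ID 1 or Security 4688 with command-line auditing on), finds the `-EncodedCommand` switch in its common abbreviated forms, reverses the UTF-16LE base64 step from the script above, and flags decoded text that matches the account-creation methods this post covers. The sample command lines are constructed for the example, and the function names are my own.

```powershell
# Added example (not from the original post): decode -EncodedCommand payloads
# from process command lines and flag local account tampering in the result.

function ConvertFrom-EncodedCommandLine {
    param([string]$CommandLine)
    # PowerShell accepts abbreviated forms of -EncodedCommand (-e, -ec, -en, -enc),
    # so match those prefixes and capture the base64 token that follows.
    # "-ExecutionPolicy" does not match because no whitespace follows "-e".
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{8,})') {
        $bytes = [Convert]::FromBase64String($Matches[1])
        # Same encoding the encoder used: UTF-16LE
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    return $null
}

function Test-LocalAccountTampering {
    param([string]$Script)
    # Each pattern corresponds to one of the creation methods in the post
    $patterns = @(
        'net\s+user\s+\S+\s+\S+\s+/add',        # net user <name> <pw> /ADD
        'net\s+localgroup\s+administrators\s+', # net localgroup administrators /add
        'New-LocalUser',                        # PowerShell LocalAccounts module
        'Add-LocalGroupMember',
        'WinNT://'                              # ADSI WinNT provider
    )
    foreach ($p in $patterns) {
        if ($Script -match "(?i)$p") { return $true }
    }
    return $false
}

# Constructed sample input: re-encode the post's own command chain so the
# decoder has a realistic token to work on, plus one benign command line.
$sampleClear = 'net user secaudit P@55w0rd123! /ADD;net user secaudit /active:yes;net localgroup administrators /add secaudit'
$sampleB64   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sampleClear))

$commandLines = @(
    "powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand $sampleB64",
    "powershell.exe -nop -w hidden -enc $sampleB64",
    'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'
)

foreach ($cl in $commandLines) {
    $decoded = ConvertFrom-EncodedCommandLine $cl
    if ($null -eq $decoded) {
        Write-Host "[plain]             $cl"
        continue
    }
    $label = if (Test-LocalAccountTampering $decoded) { 'ACCOUNT-TAMPERING' } else { 'info' }
    Write-Host "[$label] decoded: $decoded"
}
```

The first two sample lines decode to the post's `net user` chain and are labelled ACCOUNT-TAMPERING; the third has no encoded token and is reported as plain. Feeding it real command lines from a SIEM export only requires replacing the `$commandLines` array.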
Summary
Creating local accounts is one of those actions that can be achieved via a range of methods. If you are like me, you will forget the syntax, so hopefully this will be useful to both myself and others in the future!