Persistence via New Local Administrator Commandline

Description

Adds a new user to the system with the specified password and then adds that user to the local Administrators group.

Overview

Runs a net user command to add a new user to the system with the specified password. It then runs a net localgroup command to add the new user to the local Administrators group.

Additionally, it disables UAC remote restrictions for local administrator accounts by setting the registry value HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1, so that those accounts receive a full (unfiltered) administrator token when connecting over the network.

A default password is randomly generated every time you load the script. This password is recorded in the output so that you can look it up if you lose it.

Lastly, an uninstall script will be generated that will remove the user account and delete the registry key value listed above.
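From the defender's side, the three steps above leave a recognisable trail in the Windows Security log: a 4720 (user account created), a 4732 (member added to a security-enabled local group) naming BUILTIN\Administrators, and a registry change to LocalAccountTokenFilterPolicy. The following is an added example, not code from the original page or its project, that correlates these over a handful of constructed sample records; the record field names model a generic SIEM export and are assumptions, while the event IDs and the Administrators SID are standard Windows values.

```python
# Added example (not part of the original page): correlate the artefacts left by
# "create user -> add to Administrators -> set LocalAccountTokenFilterPolicy=1".
# Field names ("ts", "id", "target", "member", "group_sid", ...) are assumed
# SIEM-export fields; the event IDs and SID below are standard Windows values.
ADMINS_SID = "S-1-5-32-544"                  # BUILTIN\Administrators
UAC_VALUE = "LocalAccountTokenFilterPolicy"  # value set to 1 by the module
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample records ("ts" is seconds since epoch, shortened for clarity).
SAMPLE_EVENTS = [
    {"ts": 100, "id": 4720, "target": "drevil"},                       # account created
    {"ts": 101, "id": 4732, "member": "drevil", "group_sid": ADMINS_SID},
    {"ts": 102, "id": 4657, "key": UAC_KEY, "value": UAC_VALUE, "new_data": "1"},
    {"ts": 500, "id": 4720, "target": "svc_backup"},                   # created, not elevated
    {"ts": 900, "id": 4732, "member": "helpdesk", "group_sid": ADMINS_SID},  # no creation nearby
]


def find_new_local_admins(events, window=300):
    """Return one alert per account that was created (4720) and then added to the
    local Administrators group (4732) within `window` seconds. Each alert also
    records whether LocalAccountTokenFilterPolicy was set to 1 in that window.
    Note: 4657 only fires when the key carries a SACL; Sysmon event 13 is the
    usual alternative source for the registry change."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    uac_changes = [e["ts"] for e in events
                   if e["id"] == 4657 and e.get("value") == UAC_VALUE
                   and e.get("new_data") == "1"]
    alerts = []
    for e in events:
        if e["id"] != 4732 or e.get("group_sid") != ADMINS_SID:
            continue
        user = e["member"]
        if user not in created:
            continue  # a pre-existing account being elevated is a different detection
        t0 = created[user]
        if not 0 <= e["ts"] - t0 <= window:
            continue
        alerts.append({
            "user": user,
            "created_at": t0,
            "elevated_at": e["ts"],
            "uac_filter_disabled": any(0 <= t - t0 <= window for t in uac_changes),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print(alert)
```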

Parameters

  • Username: The name of the user to create.
  • Password: The password for the new user.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • Administrator privileges.
  • High Integrity process.
  • The specified password must meet system requirements.

Example Output

{
  "Persistence": {
    "Password": "frickenlaserbeams",
    "Id": "83c034a110a74cffb33b4590b19b20f6",
    "Method": "Create Local Admin Account",
    "Trigger": "Authentication",
    "Profile": "System",
    "Username": "drevil",
    "Event": "Create",
    "Success": true,
    "UninstallScript": "net user \"drevil\" /DELETE | Out-Null;\r\n$output = (net user \"drevil\" 2>&1) -join ([System.Environment]::NewLine);\r\n$success = $output.Contains(\"The user name could not be found.\") -and !$output.Contains(\"syntax of this command\");\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"83c034a110a74cffb33b4590b19b20f6\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Create Local Admin Account\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"Authentication\";\r\n\t}\r\n}"
  }
}