A simple program to create a Windows account you will only know about :)
- Create invisible local accounts without
net user
or Windows OS user management applications (e.g.netapi32::netuseradd
) - Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)
- Impersonate any existing account after successful authentication through RID Hijacking (even if disabled)
Create an invisible machine account with administrative privileges, and without calling that annoying Windows Event Logger!
Released at Black Hat USA 2022: Suborner: A Windows Bribery for Invisible Persistence
- Blogpost: R4WSEC - Suborner: A Windows Bribery for Invisible Persistence
- Demo: YouTube - Suborner: Creation of Invisible Account on Windows 11
- Make sure you have .NET 4.0 and Visual Studio 2019
- Clone this repo:
git clone https://github.com/r4wd3r/Suborner/
- Open the .sln with Visual Studio
- Build x86, x64 or both versions
- Bribe Windows!
Download the latest release and pwn!
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
88
.d88888b. S U B O R N E R
d88P 88"88b
Y88b.88 The Invisible Account Forger
"Y88888b. by @r4wd3r
88"88b v1.0.1
Y88b 88.88P
"Y88888P" https://r4wsec.com
88
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Description:
A stealthy tool to create invisible accounts on Windows systems.
Parameters:
USERNAME: Username for the new suborner account. Default = <HOSTNAME>$
Syntax: /username:[string]
PASSWORD: Password for the new suborner account. Default = Password.1
Syntax: /password:[string]
RID: RID for the new suborner account. Default = Next RID available
Syntax: /rid:[decimal int]
RIDHIJACK: RID of the account to impersonate. Default = 500 (Administrator)
Syntax: /ridhijack:[decimal int]
TEMPLATE: RID of the account to use as template for the new account creation. Default = 500 (Administrator)
Syntax: /template:[decimal int]
MACHINEACCOUNT: Forge as machine account for extra stealthiness. Default = yes
Syntax: /machineaccount:[yes/no]
DEBUG: Enable debug mode for verbose logging. Default = disabled
Syntax: /debug
This attack would not have been possible without the great research done by:
- Benjamin Delpy (@gentilkiwi) and his outstanding Mimikatz
- The SecureAuth researchers behind Impacket
- Ben Ten @Ben0xA
- Infosec community!
Hack Suborn the planet!