Windows: Create and detect hidden user accounts

Windows[German]Today a short article about a security topic I recently came across by chance. It's about the possibility to create hidden but active user accounts under Windows via net user command. This ability is increasingly being exploited by malware to set up a possible backdoor in the system.


Advertising

I became aware of the issue, which is covered in more detail in this post, on Twitter the other day via the following tweet.

Create a hidden Windows user

In an administrative command prompt window it is possible to list the created users of a Windows machine with a net user command. This is demonstrated in the following screenshot. The command apparently lists everything, even the disabled accounts (here WDAGUtilityAccount, that do not show up in the user account management of the control panel).

Windows: hidden user account

But this is only half the truth, as will become clear in the other commands I used in the above example. With:


Advertising

net user /add name password

a new user account can be created using the net user command. If a $ sign is appended to the user account name, this creates a hidden user account. In the example above I used the command:

net user /add evilborn$ evilpassword

to create a user with the name evilborn$. However, this very user account does not show up in the listing of user accounts when the net user command is subsequently typed. But the account exists, because the command:

net user evilborn$

isplays the following output at the command prompt window.

Hidden Windows User Account

So if someone scans a system for compromised user accounts, he would not see exactly this user account via net user. On the other hand, if you go to the Control Panel and look at the list of user accounts, the hidden (but active) user account is displayed.

Windows User Accounts

However, no disabled accounts, such as the WDAGUtilityAccount entry mentioned above, are listed there. This is something to be aware of when inspecting a system for any user accounts that may exist. In the business environment, however, one will use Computer Management to inspect user accounts.

Windows User Accounts

The hidden user account is also displayed there. In the Windows Home variants the command:

control.exe userpasswords2

could be used. Then the list of active user accounts is also displayed, with the hidden user listed as well.


Advertising

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).