{"id":19836,"date":"2021-05-11T00:12:00","date_gmt":"2021-05-10T22:12:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=19836"},"modified":"2022-09-04T22:12:56","modified_gmt":"2022-09-04T20:12:56","slug":"windows-versteckte-benutzerkonten-anlegen-und-aufspren","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/05\/11\/windows-versteckte-benutzerkonten-anlegen-und-aufspren\/","title":{"rendered":"Windows: Create and detect hidden user accounts"},"content":{"rendered":"

\"Windows\"[German<\/a>]Today a short article about a security topic I recently came across by chance. It's about the possibility to create hidden but active user accounts under Windows via net user command. This ability is increasingly being exploited by malware to set up a possible backdoor in the system.<\/p>\n

<\/p>\n

\"\"I became aware of the issue, which is covered in more detail in this post<\/a>, on Twitter the other day via the following tweet<\/a>.<\/p>\n

<\/p>\n

In an administrative command prompt window it is possible to list the created users of a Windows machine with a net user <\/em>command. This is demonstrated in the following screenshot. The command apparently lists everything, even the disabled accounts (here WDAGUtilityAccount,<\/em> that do not show up in the user account management of the control panel).<\/p>\n

<\/p>\n

But this is only half the truth, as will become clear in the other commands I used in the above example. With:<\/p>\n

net user \/add name password<\/p>\n

a new user account can be created using the net user c<\/em>ommand. If a $ sign is appended to the user account name, this creates a hidden user account. In the example above I used the command:<\/p>\n

net user \/add evilborn$ evilpassword<\/p>\n

to create a user with the name evilborn$<\/em>. However, this very user account does not show up in the listing of user accounts when the net user<\/em> command is subsequently typed. But the account exists, because the command:<\/p>\n

net user evilborn$<\/p>\n

isplays the following output at the command prompt window.<\/p>\n

\"Hidden<\/p>\n

So if someone scans a system for compromised user accounts, he would not see exactly this user account via net user<\/em>. On the other hand, if you go to the Control Panel and look at the list of user accounts, the hidden (but active) user account is displayed.<\/p>\n

\"Windows<\/p>\n

However, no disabled accounts, such as the WDAGUtilityAccount <\/em>entry mentioned above, are listed there. This is something to be aware of when inspecting a system for any user accounts that may exist. In the business environment, however, one will use Computer Management to inspect user accounts.<\/p>\n

\"Windows<\/p>\n

The hidden user account is also displayed there. In the Windows Home variants the command:<\/p>\n

control.exe userpasswords2<\/em><\/p>\n

could be used. Then the list of active user accounts is also displayed, with the hidden user listed as well.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Today a short article about a security topic I recently came across by chance. It's about the possibility to create hidden but active user accounts under Windows via net user command. This ability is increasingly being exploited by malware to … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-19836","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=19836"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/19836\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=19836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=19836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=19836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}