What's this?
A simple program to create a Windows account you will only know about :)
- Create invisible local accounts without
net user
or Windows OS user management applications (e.g.netapi32::netuseradd
) - Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)
- Impersonate through RID Hijacking any existing account (enabled or disabled) after a successful authentication
Create an invisible machine account with administrative privileges, and without invoking that annoying Windows Event Logger to report its creation!
Where can I see more?
Released at Black Hat USA 2022: Suborner: A Windows Bribery for Invisible Persistence
- Blogpost: R4WSEC - Suborner: A Windows Bribery for Invisible Persistence
- Demo: YouTube - Suborner: Creation of Invisible Account on Windows 11
- Slides - HITB Singapore Main Track - Suborner Slides
How can I use this?
Build
- Make sure you have .NET 4.0 and Visual Studio 2019
- Clone this repo:
git clone https://github.com/r4wd3r/Suborner/
- Open the .sln with Visual Studio
- Build x86, x64 or both versions
- Bribe Windows!
Release
Download the latest release and pwn!
Usage
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
88
.d88888b. S U B O R N E R
d88P 88"88b
Y88b.88 The Invisible Account Forger
"Y88888b. by @r4wd3r
88"88b v1.0.1
Y88b 88.88P
"Y88888P" https://r4wsec.com
88
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Description:
A stealthy tool to create invisible accounts on Windows systems.
Parameters:
USERNAME: Username for the new suborner account. Default = <HOSTNAME>$
Syntax: /username:[string]
PASSWORD: Password for the new suborner account. Default = Password.1
Syntax: /password:[string]
RID: RID for the new suborner account. Default = Next RID available
Syntax: /rid:[decimal int]
RIDHIJACK: RID of the account to impersonate. Default = 500 (Administrator)
Syntax: /ridhijack:[decimal int]
TEMPLATE: RID of the account to use as template for the new account creation. Default = 500 (Administrator)
Syntax: /template:[decimal int]
MACHINEACCOUNT: Forge as machine account for extra stealthiness. Default = yes
Syntax: /machineaccount:[yes/no]
DEBUG: Enable debug mode for verbose logging. Default = disabled
Syntax: /debug
Thanks!
This attack would not have been possible without the great research done by:
- Benjamin Delpy (@gentilkiwi) and his outstanding Mimikatz
- The SecureAuth researchers behind Impacket
- Ben Ten @Ben0xA
- Infosec community!
Hack Suborn the planet!