Prevent hackers from hacking into the Windows system you are using (Clone Administrator account)

Source: Internet
Author: User
Tags: system log


When hackers break into a host, they look for ways to protect the "fruits of their labour", so they leave various back doors on the compromised machine in order to control it for a long time. The most commonly used of these is account hiding: a hidden account is created on the compromised host for use whenever it is needed. Account hiding is the most covert kind of back door; an ordinary user has great difficulty finding a hidden account in the system, so the harm is considerable. This article uncovers the account-hiding techniques hackers commonly use.

Before we hide a system account, we need to know how to view the accounts that already exist in the system. In Windows, existing accounts can be viewed from the Command Prompt, from Computer Management in Control Panel, and from the registry. Administrators generally only check for anomalies in the Command Prompt and Computer Management, so how to hide a system account from both of these is the focus of this article.

I. The conspiracy in the Command Prompt

Creating a hidden system account is in fact not very advanced technology; a simple hidden account can be created with the everyday Command Prompt.

Click Start → Run, enter "cmd" to open the Command Prompt, then enter "net user piao$ 123456 /add" and press Enter; on success it shows "The command completed successfully". Then enter "net localgroup Administrators piao$ /add" and press Enter. We have now used the Command Prompt to create a simple hidden account named "piao$" with the password "123456", and raised the hidden account to administrator privileges.

Let's see whether the hidden account was created successfully. In the Command Prompt, enter "net user" to view the system accounts; after pressing Enter, the accounts that exist in the current system are listed. From the returned results we can see that the "piao$" account we just created does not appear. Now go to Administrative Tools in Control Panel, open Computer Management, and look at Local Users and Groups: under "Users", the hidden account "piao$" we created is exposed.

The conclusion is that this method only hides the account from the Command Prompt and does nothing against Computer Management. So this hiding method is not very practical; it only works against careless administrators and is an entry-level account concealment technique.

II. Playing account hiding in the registry

From the above we can see that hiding an account with the Command Prompt is very obvious and easily exposes you. Is there a technique that hides the account from both the Command Prompt and Computer Management? The answer is yes, and all it takes is a little setup in the registry to make the system account vanish from both.

1. Turning the tables: obtaining registry operation rights for the Administrator

The key values of system accounts are operated on in the registry and need to be modified under "HKEY_LOCAL_MACHINE\SAM\SAM", but when we get there we find that the key cannot be expanded. This is because, by default, the system grants the system administrator only the "Write DAC" and "Read Control" permissions and does not grant permission to modify, so we have no way to view or modify the key values under the "SAM" key. However, we can use the other registry editor in the system to give administrators permission to modify them.

Click Start → Run, enter "Regedt32.exe" and press Enter, and another "Registry Editor" pops up. The difference from the Registry Editor we usually use is that it can modify the permissions on the registry keys that hold system account data (for ease of understanding it is referred to as Regedt32.exe below). In Regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", click the "Security" menu → "Permissions", and in the "Permissions for SAM" window that pops up select the "Administrators" account, tick "Full Control" in the permission settings below, and click "OK" when done. Then switch back to Registry Editor, and we can see that the keys under "HKEY_LOCAL_MACHINE\SAM\SAM" can now be expanded.

2. Sleight of hand: replacing the hidden account with the Administrator

After successfully obtaining registry operation rights, we can formally start building the hidden account. Go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names" in Registry Editor; all accounts existing in the current system are shown here, including our hidden account of course. Click our hidden account "piao$"; the "Type" of the key value displayed on the right shows 0x3F0. Go up to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\" and you can find the item "000003F0"; the two correspond to each other, and all the information of the hidden account "piao$" is in the "000003F0" item. Similarly, we can find that the "Administrator" account corresponds to the item "000001F4".

Export the key of "piao$" to piao$.reg, and export the "F" values of the "000003F0" and "000001F4" items to user.reg and admin.reg respectively. Open admin.reg with Notepad, copy the contents of the "F" value, replace the contents of the "F" value in user.reg with it, and save when finished. Next, go to the Command Prompt and enter "net user piao$ /del" to remove the hidden account we created. Finally, import piao$.reg and user.reg into the registry, and the hidden account is complete.

3. Pulling up the ladder: cutting off the way to remove the hidden account

Although our hidden account is now hidden from both the Command Prompt and Computer Management, an experienced system administrator may still be able to delete it through Registry Editor. How can we make our hidden account rock solid?

Open Regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", set the permissions on the "SAM" key, and remove all rights from "Administrators". When the real administrator then wants to operate on an item under "HKEY_LOCAL_MACHINE\SAM\SAM", an error occurs, and permissions cannot be granted again through Regedt32.exe. An inexperienced administrator would then have no way to discover the hidden account in the system.

III. Hiding the account in one step with a special tool

Although the method above hides the account very well, the operation is rather cumbersome and not suitable for beginners, and operating on the registry is risky; it is easy to cause a system crash. So we can use a dedicated account-hiding tool to do the hiding work, so that hiding an account is no longer difficult and takes only one command.

The tool we need is called "Hideadmin"; download it and extract it to the C drive. Then run the Command Prompt and enter "hideadmin piao$ 123456". If "create a hiden administrator piao$ successed!" is displayed, we have successfully created a hidden account named piao$ with the password 123456. The hiding effect of an account created with this tool is the same as that of modifying the registry in the previous section.

IV. Driving the "hidden account" out of the system

Hidden accounts are a huge threat. Therefore it is necessary for us to understand the account hiding techniques and then the corresponding preventive techniques, so that hidden accounts can be completely driven out of the system.

1. Hidden accounts created by adding the "$" symbol

Detecting this kind of hidden account is relatively simple. When hackers create a hidden account this way, they generally elevate it to administrator rights. So we only need to enter "net localgroup administrators" in the Command Prompt to make all such hidden accounts visible. If that is too much trouble, open Computer Management directly; accounts with a "$" sign are not hidden there.

2. Hidden accounts made by modifying the registry

Because accounts hidden by this method cannot be seen in the Command Prompt or in Computer Management, you have to delete them in the registry. Go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names" and compare the accounts there with the accounts shown in Computer Management; any extra account is a hidden account. Deleting it is also easy: simply delete the item named after the account.
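As an added example (not from the original article), the following Python check performs the comparison just described offline, on a constructed snapshot of the SAM user keys. It goes one step further than the article: besides listing accounts in the Names key that the administrator's usual account listing does not show, it inspects each user key's "F" value for the clone signature from section II, an "F" value whose RID field disagrees with the key name. The RID offset 0x30 inside "F" is an assumption taken from the commonly documented SAM layout.

```python
# Added example: detect a cloned / hidden SAM account from constructed registry data.
# On a real host the keys live under HKLM\SAM\SAM\Domains\Account\Users (SYSTEM rights needed);
# here their contents are built inline so the check runs offline.
import struct

RID_OFFSET = 0x30  # assumed: offset of the 32-bit little-endian RID inside a user key's F value


def make_f_value(rid: int) -> bytes:
    """Construct a minimal 0x50-byte F value with only the RID field set (sample data)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    return bytes(f)


# Constructed snapshot of ...\Users: key name -> F value, and of ...\Users\Names:
# account name -> RID taken from the "Type" field of the name key.
SAM_USERS = {
    "000001F4": make_f_value(0x1F4),  # Administrator, RID 500
    "000001F5": make_f_value(0x1F5),  # Guest, RID 501
    "000003F0": make_f_value(0x1F4),  # piao$: key is 0x3F0 but F was copied from Administrator
}
SAM_NAMES = {"Administrator": 0x1F4, "Guest": 0x1F5, "piao$": 0x3F0}
VISIBLE = ["Administrator", "Guest"]  # constructed: what the admin's account listing shows


def rid_from_f(f: bytes) -> int:
    """Read the RID field out of an F value."""
    return struct.unpack_from("<I", f, RID_OFFSET)[0]


def find_cloned_accounts(users, names):
    """Return (account name, RID found in F) for keys whose F RID != key-name RID."""
    rid_to_name = {rid: name for name, rid in names.items()}
    suspicious = []
    for key, f in users.items():
        key_rid = int(key, 16)
        f_rid = rid_from_f(f)
        if f_rid != key_rid:  # F belongs to another account: the clone technique
            suspicious.append((rid_to_name.get(key_rid, key), f_rid))
    return suspicious


def find_unlisted_accounts(names, visible):
    """Return SAM accounts missing from the list the administrator normally sees."""
    return sorted(set(names) - set(visible))


if __name__ == "__main__":
    print(find_cloned_accounts(SAM_USERS, SAM_NAMES))  # [('piao$', 500)]
    print(find_unlisted_accounts(SAM_NAMES, VISIBLE))  # ['piao$']
```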

3. Hidden accounts whose name cannot be seen

If the hacker has created a registry-modified hidden account and, on top of that, removed the administrator's permission to operate on the registry, the administrator cannot delete the hidden account through the registry and may not even know the name of the hidden account the hacker created. But nothing is absolute: we can enlist the help of Group Policy so that the hacker can no longer log in through the hidden account. Click Start → Run, enter "gpedit.msc" to run Group Policy, expand Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, double-click "Audit policy change" on the right, tick "Success" in the settings window that pops up, then click OK. Make the same settings for "Audit logon events" and "Audit process tracking".

4. Enabling logon event auditing

After logon auditing is enabled, every account logon, including one by a hidden account, is recorded, so through Event Viewer in Computer Management we can learn the exact name of the hidden account and even the time the hacker logged on. Even if the hacker deletes all the logs, the system still records which account deleted the system log, so the hacker's hidden account will be exposed.
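As an added example (not from the original article), the following Python snippet shows what the administrator is looking for in Event Viewer once logon auditing is on: it reads the account name out of Security log 4624 (successful logon) records and flags logons by accounts that the usual account listing does not contain. The two events and the "known accounts" list are constructed; the element names follow the Event Viewer XML view of a 4624 record.

```python
# Added example: pick hidden-account logons out of constructed Security log 4624 records.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_xml(event_id, user, logon_type, ip):
    """Build a minimal Security event in the Event Viewer XML layout (constructed sample)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


SAMPLE_EVENTS = [
    event_xml(4624, "Administrator", 2, "127.0.0.1"),  # console logon by a known account
    event_xml(4624, "piao$", 10, "203.0.113.7"),       # remote interactive logon by the hidden account
    event_xml(4634, "piao$", 10, "203.0.113.7"),       # logoff record: not a logon, ignored
]
KNOWN_ACCOUNTS = {"Administrator", "Guest"}  # constructed: accounts the admin can see


def parse_logon(xml_text):
    """Return (user, logon type, source IP) for a 4624 event, or None for any other event id."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return data["TargetUserName"], int(data["LogonType"]), data["IpAddress"]


def unexpected_logons(events, known_accounts):
    """Logons by accounts absent from the administrator's account list."""
    hits = []
    for xml_text in events:
        rec = parse_logon(xml_text)
        if rec and rec[0] not in known_accounts:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print(unexpected_logons(SAMPLE_EVENTS, KNOWN_ACCOUNTS))  # [('piao$', 10, '203.0.113.7')]
```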

5. Dealing with the hidden account found through Event Viewer

It is good to know the name of the hidden account, but we still cannot delete it because we do not have permission. However, we can change the hidden account's password by entering "net user <hidden account name> 654321" at the Command Prompt. The hidden account is then invalidated, and the hacker can no longer log in with it.
