Prevent hackers from intruding into the Windows system you are using
When hackers intrude into a host, they will try to protect their "labor results". Therefore, they will leave various backdoors on the zombie to control the zombie for a long time, the most commonly used is the account hiding technology. Create a hidden account on the zombie for use as needed. Account hiding technology is the most concealed backdoor. Generally, it is difficult for users to discover the existence of hidden accounts in the system. Therefore, it is harmful. In this article, we will reveal the secrets of common technologies such as hidden accounts.
Before hiding the system account, we need to first learn how to view the existing account in the system. In the system, you can go to the "command prompt", control panel "Computer Management", and "Registry" to view existing accounts, administrators only check for exceptions in "command prompt" and "Computer Management". Therefore, how to hide system accounts in these two fields is the focus of this article.
I. Conspiracy in "command prompt"
In fact, it is not very advanced to create a hidden account in the system. You can use the "command prompt" that we usually use to create a simple hidden account.
Click Start> Run, Enter CMD to run the command prompt, enter net user piao $123456/add, and press Enter, "Command completed successfully" is displayed ". Enter "net localgroup administrators piao $/add" and press Enter. Then, we can use the "command prompt" to create a username named "piao $ ", A simple "hidden account" with a password of "123456" and elevated the hidden account to administrator permissions.
Let's see if the hidden account is successfully created. In the "command prompt", enter the "net user" command to view the system account. Press enter to display the account that exists in the current system. From the returned results, we can see that the "piao $" account we just created does not exist. Next, let's go to "Administrative Tools" on the control panel, open "computer", View "local users and groups", and in the "user" field, the hidden account "piao $" we created is undoubtedly exposed.
It can be concluded that this method can only hide the account in the "command prompt", while "Computer Management" is powerless. Therefore, this method of hiding accounts is not very practical. It is only valid for careless administrators. It is an entry-level system account hiding technology.
2. Hide accounts in the Registry
From the above, we can see that the method of hiding an account from a command prompt has obvious disadvantages and is easy to expose itself. Is there any technology that can hide accounts at the same time in "command prompt" and "Computer Management? The answer is yes, and all this requires a small setup in the registry, so that the system account can completely evaporate in the two.
1. Return to the peak and give the Administrator the registry operation permission.
In the registry, modify the key value of the system account at "HKEY_LOCAL_MACHINE \ SAM, you cannot expand the key value. This is because the system gives the system administrator the "write d ac" and "read control" permissions by default, and does not grant the modification permission, therefore, we cannot view and modify the key values under "SAM. However, you can use another Registry Editor in the system to grant the Administrator the modification permission.
). Go to "HKEY_LOCAL_MACHINE \ SAM" in regedt32.exe, click "security" menu> "permission", and select the "administrators" account in the pop-up "SAM Permissions" edit window, select "full control" in the permission settings section below, and click "OK. Then we switch back to the Registry Editor, and we can see that the key values under "HKEY_LOCAL_MACHINE \ SAM" can be expanded.
2. Steal the bar and replace the hidden account with the administrator.
After obtaining the registry operation permission, we can start to hide the creation of the account. Go to "HKEY_LOCAL_MACHINE \ SAM \ Domains \ Account \ Users \ Names" in the Registry Editor. All existing accounts in the current system will be displayed here, including our hidden accounts. Click "piao $", and the "type" item in the key value displayed on the right is 0x3f0, go up to "HKEY_LOCAL_MACHINE \ SAM \ Domains \ Account \ Users \" and find the "000003f0" item, which corresponds to each other, all information about the hidden account "piao $" is included in "000003f0. Similarly, we can find that the corresponding item of the "administrator" account is "000001F4 ".
Export the key value of "piao $" to piao $. reg, and export the F key values of "000003f0" and "000001F4" to user. reg and admin. reg respectively. Use NotePad to open admin. reg, copy the content following the "F" value, replace the "F" value in user. reg, and save it. Next, go to the "command prompt" and enter "net user piao $/del" to delete the hidden account we created. Finally, import piao $. reg and user. reg to the Registry. At this point, the Account creation is completed.
3. crossing the river to split the bridge and cut off the ways to delete hidden accounts
Although our hidden accounts have been hidden in "command prompt" and "Computer Management", experienced system administrators may still use the Registry Editor to delete our hidden accounts, so how can we make our hidden accounts rock solid?
Open “regedt32.exe and go to "HKEY_LOCAL_MACHINE \ SAM". Set the permissions of "SAM" and cancel all permissions of "administrators. When the real administrator wants to perform operations on the items under "HKEY_LOCAL_MACHINE \ SAM \ sam”", an error may occur and the administrator cannot access regedt32.exe again. This way, even if an inexperienced administrator finds a hidden account in the system, the Administrator is helpless.
Iii. Dedicated tools to hide your account in one step
Although the above method can be used to hide accounts, operations are troublesome and not suitable for new users. The risk of registry operations is too high, which can easily cause system crash. Therefore, we can use a dedicated account hiding tool to hide an account, so that it is no longer difficult to hide an account. You only need one command to do this.
We need to use this tool named "HideAdmin", download it and decompress it to drive C. Run "command prompt" and enter "HideAdmin piao $123456". If "Create a hiden Administrator piao $ Successed!" is displayed !", This indicates that a hidden account named piao $ with a password of 123456 has been successfully created. Using this tool, the account hiding effect is the same as modifying the registry in the previous article.
4. Apply "hidden account" to the System
The danger of hiding an account is enormous. Therefore, it is necessary for us to understand the account hiding technology and then to understand the corresponding defense technology, so that we can thoroughly ask the hidden account out of the system.
1. Add a "$" symbol to hide an account
It is relatively simple to detect such hidden accounts. After using this method to create a hidden account, hackers generally escalate the hidden account to administrator privileges. Then, you only need to enter "net localgroup administrators" in the "command prompt" to make all the hidden accounts visible. If it is too troublesome, open "Computer Management" to view it. The account with the "$" symbol added cannot be hidden here.
2. Modify the Registry-type hidden account
Because the account hidden in this way is not seen in "command prompt" and "Computer Management", you can delete the hidden account in the registry. Go to "HKEY_LOCAL_MACHINE \ SAM \ Domains \ Account \ Users \ Names" and compare the existing accounts with those in "Computer Management, an extra account is used to hide the account. It is also easy to delete it. Simply delete an item named after an account to hide it.
3. A hidden account with a name cannot be seen
If a hacker creates a hidden account that modifies the registry, the Administrator's permission to operate the registry is deleted. The Administrator cannot delete the hidden account through the registry, or even cannot know the name of the hidden account created by the hacker. However, there is no such thing as this. We can use the help of "group policy" to prevent hackers from logging in through hidden accounts. Click Start> Run and enter gpedit. msc "runs" Group Policy ", expands" Computer Configuration ">" Windows Settings ">" Security Settings ">" Local Policies ">" audit policies ", double-click "review policy change" on the right side, select "successful" in the pop-up setting window, and click "OK ". Perform the same settings for "Audit Login Events" and "Audit Process Tracking.
4. Enable the login event review function
After the login review, you can record login operations for any account, including hidden accounts. In this way, you can use the "Event Viewer" in "Computer Management" to accurately learn the name of the hidden account, the time when hackers even log on. Even if a hacker deletes all login logs, the system will record which account has deleted the system logs, so that the hacker's hidden accounts will be exposed.
5. Find the hidden account in the Event Viewer
It is easy to understand the name of the hidden account, but we still cannot delete this hidden account because we do not have the permission. However, you can enter "net user hide account name 654321" in the "command prompt" to change the password of this hidden account. In this way, the hidden account becomes invalid and hackers cannot log on to the hidden account.