Suborner: The Invisible Account Forger

by do son · October 12, 2022

Suborner – A Windows Bribery for Invisible Persistence

A simple program to create a Windows account you will only know about 🙂

Create invisible local accounts without net user or Windows OS user management applications (e.g. netapi32::netuseradd)
Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)
Impersonate any existing account after successful authentication through RID Hijacking (even if disabled)

Create an invisible machine account with administrative privileges, and without calling that annoying Windows Event Logger!

The current version of the program has the following schema:

Validate if the program is running in a high integrity context (specifically, as SYSTEM). This is needed because Suborner will forge the registry keys and values needed for the account and store them in the respective SAM key paths
Validate user arguments and current context to confirm that what user inputs makes sense. For now, Suborner will always look for the dollar sign $ appended to the username. If it is not there, it will append it automatically
The program will craft 2 keys: one inside Domains\Account\Users\Names and the other only one level above (Domains\Account\Users)
The first key will contain a binary value, taking as data type the RID of the new account
The second key will contain 2 values. F and V. These are copied from an existent account that the user specify via the /template argument
Crafting the F and V values is probably the most challenging thing I did with the software. There are not so many resources specifying their structure, but I ended up figuring out the things I needed thanks to the hard work of people way smarter than me (special thanks to Benjamin Delpy @gentilkiwi).
- The F value (fixed size) contains details about the account (including the ACB bits that will define its type, e.g., machine account) and the RID value that will be send by lsass.exe to the Kernel’s Security Reference Monitor (SRM) to craft the Primary Access Token. This is leveraged by the Suborner’s impersonation capabilites.
- The V value (variable size) contains various details about the account, including its username, description, some permissions, and the LM and NTLM hashes! This is why the size of V is variable: all these values can have different sizes.
- Suborner right now modifies the username and NTLM hash values stored in V. Then it will dynamically change the offsets and lengths accordingly to avoid inconsistencies when processed by the OS. For the encryption process, Suborner crafts the SAM hashes from the password’s NTLM with the SYSKEY, SAMKEY and RID. The program includes both old and new encryption modes (and automatically detects which one to use): The old RC4/MD5 encryption or the relatively new AES encryption.
Write the changes to disk to persist the access!