This script was dropped and run in the honeypot recently. Here are a couple takeaways and a screenshot of the script.
- @iranofficall / User Creator
- Adds 4 users
- Sets passwords to $95But6nL03
- Sets passwords to never expire
- Enables RDP
- Hides accounts from sign-in screen
Possible Detections
- Command arguments contains /maxpwage:unlimited
- Process net.exe + command arguments user /add + $95But6nL03
- Command arguments contains Winlogon\SpecialAccounts\UserList