Need help with powershell script

Greeting Experts,

I am currently in need of a script that can create a generic account using the following windows cli “runas” command “runas /user:ComputerName\UserName   /netonly cme.exe” and then enter a password for each of those accounts (5).
Username        Passwords
User1            Pass1
User2            Pass2
User3            Pass3
User4            Pass4
User5            Pass5

mimikatz.exe.jpg

What I am trying to do is create 5 different dummy accounts using the /netonly switch on “runas” command. The idea is when someone attempts to use software like mimikatz.exe to get the username and passwords from windows memory they will get both the dummy accounts and real accounts from the Hash dump. Thus, when they log in to Domain server it will fail and then flag unsuccessful login and set off the alarms someone is trying to hack a server… Link (https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311)


What I need is a power-shell.ps1 script that can create list of 5 static accounts with 5 static passwords and enter them in as it shows in the manual process showing in screenshot above so it can add theses dummy accounts into memory.  Can anyone out there help me with this script


Mimikatz Output  

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>\\10.20.0.92\mimikatz\mimikatz_trunk\x64\mimikatz.exe

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct 10 2014 01:53:31)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Microsoft BlueHat edition!       with 14 modules * * */


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords


Authentication Id : 0 ; 7541198 (00000000:007311ce)
Session           : NewCredentials from 0
User Name         : Administrator
Domain            : UserName1
SID               : S-1-5-21-3918858253-3008037163-3650124778-500
        msv :
         [00000003] Primary
         * Username : Miketest1
         * Domain   : 10.20.2.234
         * NTLM     : 0e3ef92e9a91cf5a5dc8cf8e0cdd18a4
         * SHA1     : daafe74ba73051620bbbee64734018f94c4ed26d
        tspkg :
        wdigest :
         * Username : UserName2
         * Domain   : 10.20.2.234
         * Password : KIssMyAss1905!
        kerberos :
         * Username : UserName3
         * Domain   : 10.20.2.234
         * Password : KIssMyAss1905!
        ssp :
        credman :
MikeSecurityAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MikeSecurityAuthor Commented:
Does anyone have basic script I can use for this application...?
David Johnson, CD, MVPOwnerCommented:
what is the script you have developed

btw, mimitatz has to be run as an administrator to return anything.. as a standard user
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
McKnifeCommented:
Mimikatz cannot be run by "someone" but only by local admins.
Please describe your scenario:
->who do you suspect to run mimikatz?
->would that suspect have local admin status already?
->what type of accounts are you trying to protect?
->are your users sharing these computers?

I ask all this because I don't see the danger, but maybe you can convince me.
Normally, a typical I-fear-mimikatz scenario is: users are local admins and call a support guy to fix some problem on their computer. After the supporter is logged off, they capture his password and hope that he used a domain admin.

If your fears are somewhat like that, please read my article on safe support account usage: http://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

MikeSecurityAuthor Commented:
thanks for your response McKnife,  Let me clarify what I am wanting to do...... First I just use mimikatz to just dump the username and passwords as only a test function....  The scenario or thinking is create dummy accounts (i.e. dummy Acct1, dummy Acct2, dummy Acct3, etc)  along with real accounts ( i.e. Administrator, user1, user2, user3). So if there is a successful breach and intruder is able to get a memory dump from a server by attempting to elevate privileges. There would be a Active Directory rule saying if there is attempted log on (i.e unsuccessfully logging on) from Dummy Acct1, Dummy Acct2, or Dummy Acct3.  That wold set off alarms that there is a possible breach in progress..... " Think of it as a honey pot with the only difference here is a Hash honey pot......  if you use "runas /user:ComputerName\AccountName  /netonly cmd.exe" will create dummy Account in to memory with username & password that is not valid at all.... It just sits in memory... so when you do a hash dump with mimikatz you get the dummy accounts with the real accounts.... its a way to counter act the use of mimikatz being used on your network aslo with a high percentage chance of them using e false accounts that would set off alarm that it has been used....... does this make sense to you
McKnifeCommented:
I understand.
Please read http://www.std0ut.com/2015/02/detecting-honey-hashes-and-bit-of-post.html for a clue howto. Maybe it will also change your mind.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MikeSecurityAuthor Commented:
Interesting post.... thanks for the link...... will need to do some Internal meeting with individuals who are on the latest and greatest techniques bandwagon ... I a do a prof of concept (POC) for my bosses and maybe for go this process....... again thank you... Will get back with you tomorrow on the results.... :)
MikeSecurityAuthor Commented:
I can for go the process creating a script after doing prof of concept from the post you sent me..... thanks....
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.