# Rouge Local Accounts

1. **Manual Creation:**
   * **Control Panel:** Using 'User Accounts' in the Control Panel.
   * **Computer Management:** Under 'Local Users and Groups', new users can be added, groups can be managed, and user properties can be edited.
2. **Command Line:**
   * **`net user` Command:** For creating users and setting properties.
     * Example: `net user [username] [password] /add` to create a new user.
3. **PowerShell:**
   * **`New-LocalUser` Cmdlet:** Creates a new local user account.
     * Example: `New-LocalUser -Name "username" -Password (ConvertTo-SecureString "password" -AsPlainText -Force) -FullName "User Name" -Description "Description"`
4. **Group Policy:**
   * For domain environments, group policies can be used to manage user accounts across multiple systems.

**Querying User Accounts on a Host**

1. **Command Line Tools:**
   * **`net user`**&#x20;
     * Lists all user accounts on a local machine or domain controller.
   * **`wmic useraccount`**&#x20;
     * Provides detailed information about user accounts.
2. **PowerShell:**
   * **`Get-LocalUser`**&#x20;
     * Retrieves local user accounts.
   * **Custom Scripts:** Can be written to query specific account properties or filter results.
3. **Windows Management Instrumentation (WMI):**
   * Allows querying of user accounts and their properties through WMI queries.

**Expanded Technical Explanations**

1. **System Logs Analysis:**
   * **Event IDs:** Look for Event IDs 4720 (account creation), 4722 (account enabled), and 4732 (added to group).
   * **Log Source:** Primarily found in Security logs of Windows Event Viewer.
2. **Identifying Unauthorized Accounts:**
   * **Account Properties:** Analyze properties like creation date, last login date, group memberships, and whether the account is active or disabled.
   * **Baseline Comparison:** Compare current user accounts against a known good baseline of authorized accounts.

**Advanced Considerations**

* **Least Privilege Principle:** Regularly review and enforce least privilege access policies to minimize the impact of rogue accounts.
* **Anomalous Behavior Detection:** Implement systems to detect anomalous behaviors such as unusual login times or excessive privilege escalations.
* **Incident Response Drills:** Regularly conduct drills to ensure readiness for incidents involving rogue accounts.

**PowerShell Query**

```powershell
#PowerShell command to list all local users with their last login time
Get-LocalUser | Select-Object Name,Enabled,LastLogon | Format-Table -AutoSize
```