Rouge Local Accounts

  1. Manual Creation:

    • Control Panel: Using 'User Accounts' in the Control Panel.

    • Computer Management: Under 'Local Users and Groups', new users can be added, groups can be managed, and user properties can be edited.

  2. Command Line:

    • net user Command: For creating users and setting properties.

      • Example: net user [username] [password] /add to create a new user.

  3. PowerShell:

    • New-LocalUser Cmdlet: Creates a new local user account.

      • Example: New-LocalUser -Name "username" -Password (ConvertTo-SecureString "password" -AsPlainText -Force) -FullName "User Name" -Description "Description"

  4. Group Policy:

    • For domain environments, group policies can be used to manage user accounts across multiple systems.

Querying User Accounts on a Host

  1. Command Line Tools:

    • net user

      • Lists all user accounts on a local machine or domain controller.

    • wmic useraccount

      • Provides detailed information about user accounts.

  2. PowerShell:

    • Get-LocalUser

      • Retrieves local user accounts.

    • Custom Scripts: Can be written to query specific account properties or filter results.

  3. Windows Management Instrumentation (WMI):

    • Allows querying of user accounts and their properties through WMI queries.

Expanded Technical Explanations

  1. System Logs Analysis:

    • Event IDs: Look for Event IDs 4720 (account creation), 4722 (account enabled), and 4732 (added to group).

    • Log Source: Primarily found in Security logs of Windows Event Viewer.

  2. Identifying Unauthorized Accounts:

    • Account Properties: Analyze properties like creation date, last login date, group memberships, and whether the account is active or disabled.

    • Baseline Comparison: Compare current user accounts against a known good baseline of authorized accounts.

Advanced Considerations

  • Least Privilege Principle: Regularly review and enforce least privilege access policies to minimize the impact of rogue accounts.

  • Anomalous Behavior Detection: Implement systems to detect anomalous behaviors such as unusual login times or excessive privilege escalations.

  • Incident Response Drills: Regularly conduct drills to ensure readiness for incidents involving rogue accounts.

PowerShell Query

#PowerShell command to list all local users with their last login time
Get-LocalUser | Select-Object Name,Enabled,LastLogon | Format-Table -AutoSize
PreviousSSHNextCrowdStrike Searches

Last updated

Was this helpful?