LetsDefend Academy

Online practicing and training platform for blue team members


During a cyber incident, the attacker may create a new user on the system to hide or to gain higher privileges.

During incident response, you can check for suspicious users by listing the existing users.

Check via CMD:

“net user”

Check via “lusrmgr”:

As you can see, there is a user named "test". The following command can be used to get more details about this user.

“net user {username}”

With “Event ID 4720 - A user account was created”, you can trace user creation in the event logs.
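
The checks above can be combined in one pass. The following PowerShell script is an added example, not part of the original lesson: it lists local accounts, marks members of the built-in Administrators group, and joins each account to its Event ID 4720 record by SID. It assumes an elevated Windows PowerShell 5.1+ session and a 7-day look-back window (`$Days` is a name chosen for this example).

```powershell
# Added example: run in an elevated session (reading the Security log requires it).
$Days  = 7                                  # assumed look-back window; match it to the incident timeline
$since = (Get-Date).AddDays(-$Days)

# SIDs of members of the built-in Administrators group (well-known SID S-1-5-32-544)
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SID.Value }

# Event ID 4720 - A user account was created
$filter  = @{ LogName = 'Security'; Id = 4720; StartTime = $since }
$created = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            NewAccount  = $data['TargetUserName']
            NewSid      = $data['TargetSid']
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    })

# Current local accounts (same set "net user" shows), joined to their 4720 event by SID
$localUsers = @(Get-LocalUser)
$localUsers | ForEach-Object {
    $sid = $_.SID.Value
    $evt = $created | Where-Object { $_.NewSid -eq $sid } | Select-Object -First 1
    [pscustomobject]@{
        Name      = $_.Name
        Enabled   = $_.Enabled
        IsAdmin   = $adminSids -contains $sid
        LastLogon = $_.LastLogon
        CreatedAt = $evt.TimeCreated        # empty if created before the window or log rolled over
        CreatedBy = $evt.CreatedBy
    }
} | Sort-Object CreatedAt -Descending | Format-Table -AutoSize

# Accounts created inside the window that no longer exist (created, used, then deleted)
$presentSids = $localUsers | ForEach-Object { $_.SID.Value }
$created | Where-Object { $presentSids -notcontains $_.NewSid } | Format-Table -AutoSize
```

An empty CreatedAt value only means no 4720 event was found in the window; the account may predate it or the Security log may have been cleared or overwritten.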