During post exploitation of a Windows 11 enterprise laptop, a penetration tester has obtained SYSTEM privileges. To keep a covert foothold that looks like any other normal employee login while still granting administrative rights, the tester decides to create a persistent local account. Which action would BEST achieve this goal?
Use the net user command or lusrmgr.msc to create a new local account named like existing employees, then add it to the Administrators group
Re-enable the built-in Administrator account and elevate it through local security policy
Copy the SAM file from another workstation over the existing SAM to inherit its users and passwords
Store a username and password inside the configuration of a third-party service and reference it through an obscure registry key
Creating a local user account with a plausible username through built-in utilities such as net.exe, lusrmgr.msc, or PowerShell satisfies the MITRE ATT&CK Create Account (T1136.001) persistence technique. Because the account's SID and naming convention resemble ordinary users, it is far less conspicuous than manipulating the SAM, hiding credentials in application configurations, or reactivating the well-known RID-500 Administrator account-all of which are likely to trigger monitoring or stand out during audits.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to name the new account in line with existing users?
Open an interactive chat with Bash
How do you assign higher privileges to a new account in Windows?
Open an interactive chat with Bash
What risks are associated with reactivating a built-in default profile?