Persistence · Term

What is a rogue account?

A rogue account is an extra user the attacker creates or an existing account they take over, giving them a normal-looking login that survives a single password reset. Here is how this persistence works.

TL;DR

A rogue account is persistence by creating a new user the attacker controls, or hijacking an existing one, then giving it the privileges they need (often local admin or Domain Admin). Because it is a valid account, the attacker logs in normally and blends in, and it survives the cleanup of other footholds. Variants include adding a hidden local admin, a new domain account, or quietly adding an account to a privileged group. It maps to MITRE T1136 (create account) and T1098 (account manipulation).

By John Dill, Red Team Lead, SecureLayer7

What it is

Most persistence hides code; a rogue account hides in plain sight as a legitimate login. The attacker either creates a new account or takes over and re-enables an existing/dormant one, then ensures it has the privileges they want.

Because authentication then succeeds normally, the access looks like ordinary user activity, and because it does not depend on the originally compromised machine, the attacker can log in from anywhere, at any time.

The technique and payload

With sufficient privilege, the attacker provisions an account:

  • Local admin (Windows): `net user svc_backup P@ss /add`, then `net localgroup administrators svc_backup /add`.
  • Domain account: create a user and add it to a privileged group, or re-enable a dormant admin.
  • Linux: `useradd -ou 0 -g 0 backup` (a second UID-0 account), or add a user to sudo/wheel.
  • Quieter still: add an existing account to a privileged group rather than creating a new one.

The attacker then logs in as a normal user. Documented for defensive context.

How to defend

  • Alert on account creation and privileged-group changes (Windows events 4720/4728/4732; Linux useradd/sudoers changes).
  • Review local and domain accounts and privileged-group membership regularly; remove unknown or dormant ones.
  • Watch for UID-0 duplicates and unexpected sudo/wheel/administrators members.
  • Use MFA and conditional access so a rogue password alone is not enough to log in.
  • During incident response, audit all accounts, not just the one known to be compromised.
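The following is an added example, not code from the SecureLayer7 page: a small Linux-side audit that implements three of the checks in the list above (duplicate UID-0 accounts, unexpected sudo/wheel members, and useradd/usermod log lines that signal account creation or privileged-group changes). The /etc/passwd, /etc/group and auth-log contents are constructed so it runs offline; the `PRIVILEGED_GROUPS` set, the allow-list passed as `expected_members`, and the log-line regexes are assumptions to adjust for a real host. Windows events 4720/4728/4732 are not covered here.

```python
"""Added example (not from the SecureLayer7 page): audit a host for the
rogue-account signs named in the defence list. All inputs are constructed
in-line; on a real host read /etc/passwd, /etc/group and the auth log."""
import re

# Assumed set of groups that confer privilege; extend per distribution.
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}

# Constructed /etc/passwd: "backup" is a second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0::/home/backup:/bin/bash
"""

# Constructed /etc/group: "svc_backup" was quietly added to sudo.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:
users:x:100:
"""

# Constructed auth-log lines in shadow-utils syslog style (assumed format).
SAMPLE_AUTH_LOG = """\
Mar  3 01:12:07 host useradd[2211]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Mar  3 01:12:09 host usermod[2214]: add 'svc_backup' to group 'sudo'
Mar  3 01:12:09 host usermod[2214]: add 'svc_backup' to shadow group 'sudo'
Mar  3 08:30:00 host sshd[3001]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
"""

NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'")


def duplicate_uid0(passwd_text):
    """Return usernames other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            names.append(parts[0])
    return names


def privileged_members(group_text, expected_members):
    """Return {group: [members]} for privileged groups, minus the allow-list."""
    unexpected = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or parts[0] not in PRIVILEGED_GROUPS:
            continue
        members = {m for m in parts[3].split(",") if m}
        extra = sorted(members - expected_members.get(parts[0], set()))
        if extra:
            unexpected[parts[0]] = extra
    return unexpected


def log_alerts(log_text):
    """Return (event, user, group) tuples for account creation and
    additions to a privileged group; other lines are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            alerts.append(("account_created", m.group(1), None))
            continue
        m = GROUP_ADD_RE.search(line)
        if m and m.group(2) in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", m.group(1), m.group(2)))
    return alerts


def audit(passwd_text, group_text, log_text, expected_members):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"UID 0 duplicate: {n}" for n in duplicate_uid0(passwd_text)]
    for grp, extra in privileged_members(group_text, expected_members).items():
        findings.append(f"unexpected members of {grp}: {', '.join(extra)}")
    for event, user, grp in log_alerts(log_text):
        findings.append(f"{event}: {user}" + (f" -> {grp}" if grp else ""))
    return findings


if __name__ == "__main__":
    # Allow-list: only alice is expected in sudo on this (constructed) host.
    for finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_AUTH_LOG, {"sudo": {"alice"}}):
        print(finding)
```

Run on the constructed input it reports four findings: the duplicate UID-0 account, the unexpected sudo member, the account-creation event and the privileged-group addition. The allow-list is the important design choice: without a known-good baseline of privileged-group membership, the "review regularly" step in the list above cannot tell a quietly added member from a legitimate one.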

References

  1. MITRE ATT&CK: Account Manipulation (T1098), MITRE
  2. Microsoft: Windows account management, Microsoft
  3. MITRE ATT&CK: Persistence (TA0003), MITRE

Find the backdoors an attacker would leave behind.

Our red-team and internal penetration tests show where an intruder could hide to survive a reboot or a password reset (registry keys, scheduled tasks, services, web shells, and rogue accounts), then hand your team the evidence and the fix. Free re-test included.
