Once you compromised a system, you probably would like to add or create user on the compromise system to be use as a persistent channel .
The syntax to add a user via the net command is pretty much straightforward:
net user /add randomuser randompassword
Running the above command will add the user and will be listed down via the net user command.
But there's a trick . Is it possible to hide our backdoor user from being visible via net view. The answer is yes , and it's actively being abused by most malwares.
If you append the $ sign during the account creation like this
net user /add evilbob$ evilpassword
Evilbob will not be visible from net view!
But does the account exist? Yes definitely
This type of scenario can be detected via Windows Security Log Event ID 4720.
Sidenote: This technique will only suppress the view from net user command, but the view in control panel , it's plain sight.
It's possible to be invisible in the Control Panel by setting the User flags to UF_WORKSTATION_TRUST_ACCOUNT . Credit to Ben0xa [https://github.com/ben0xa/doucme]