Once you compromised a system, you probably would like to add or create user on the compromise system to be use as a persistent channel .

The syntax to add a user via  the net  command is pretty much straightforward:

net user /add randomuser randompassword

Running the above command will add the user and will be listed down via the net user command.

But there's a trick . Is it possible to hide our backdoor user from being visible via net view.  The answer is yes , and it's actively being abused by most malwares.

If you append the $ sign during the account creation like this

net user /add evilbob$ evilpassword

Evilbob will not be visible from net view!

But does the account exist? Yes definitely

This type of scenario can be detected via  Windows Security Log Event ID 4720.

Sidenote: This technique will only suppress the view from net user command, but the view  in control panel , it's plain sight.

Updates [30/4/2021]

It's possible to be invisible in the Control Panel by setting the User flags to UF_WORKSTATION_TRUST_ACCOUNT . Credit to Ben0xa [https://github.com/ben0xa/doucme]