The Unwanted Guest
ATT&CK techniques detected
T1078.003Local Accounts
86%
", as illustrated in figure 2. figure 2 : windows 11 local users huntress analysts have seen a number of incidents since the beginning of 2025 where the threat actor enabled the guest account through the use of a command line such as the following : net user guest / active : yes o…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1078.003Local Accounts
62%
"##unt, and then hid the new user ’ s profile folder from view using the attrib. exe native windows utility. in addition to using net. exe to enable the guest account and make other modifications, threat actors have also been observed using other native utilities or “ living off t…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
T1078.003Local Accounts
61%
"the unwanted guest most everyone who ’ s been involved in incident response or read publicly available incident write - ups is aware that threat actors will often compromise user accounts through brute force attacks or some other method, or even create new user accounts on compro…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
No matches for .
Loading techniques…
Summary
Threat actors are enabling the built-in Windows Guest account to maintain persistence. Learn how they gain access and how to detect this activity.