Local user accounts should be closely monitored. Each CVE in this advisory leverages user accounts - post-compromise - to springboard into other techniques. In CVE-2023-42475, a disabled user is resurrected and in CVE-2022-47966, a new local user is created. Endpoint defenses should be on the lookout for any suspicious creation or re-enabling of local user accounts. Preventing these actions will block any subsequent malicious activities before they get too far.