New or Renamed User Account with '$' Character

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Sigma rule (View on GitHub)

 1title: New or Renamed User Account with '$' Character
 2id: cfeed607-6aa4-4bbd-9627-b637deb723c8
 3status: test
 4description: |
 5        Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
 6references:
 7    - https://twitter.com/SBousseaden/status/1387743867663958021
 8author: Ilyas Ochkov, oscd.community
 9date: 2019-10-25
10modified: 2024-01-16
11tags:
12    - attack.defense-evasion
13    - attack.t1036
14logsource:
15    product: windows
16    service: security
17detection:
18    selection_create:
19        EventID: 4720 # create user
20        SamAccountName|contains: '$'
21    selection_rename:
22        EventID: 4781 # rename user
23        NewTargetUserName|contains: '$'
24    filter_main_homegroup:
25        EventID: 4720
26        TargetUserName: 'HomeGroupUser$'
27    condition: 1 of selection_* and not 1 of filter_main_*
28falsepositives:
29    - Unknown
30level: medium

References

Related rules

to-top