New or Renamed User Account with '$' Character
Detects the creation of a user account, or the renaming of an existing one, so that the account name contains the "$" character. Windows gives computer (machine) accounts a trailing "$", so an attacker can use the character to make a user account blend in with machine accounts or to trip up detection and reporting logic that does not parse it correctly.
Sigma rule (View on GitHub)
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
    Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection_create:
        EventID: 4720 # create user
        SamAccountName|contains: '$'
    selection_rename:
        EventID: 4781 # rename user
        NewTargetUserName|contains: '$'
    filter_main_homegroup:
        EventID: 4720
        TargetUserName: 'HomeGroupUser$'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
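To show how the two selections, the filter and the condition combine, here is an added example in Python that re-implements the rule's detection logic and runs it over a handful of constructed Security events. It is not part of the rule or of the SigmaHQ project; the events are made up (the EventRecordID field is only there to identify them), and the field names follow the rule. The sample deliberately includes the edge cases a practitioner should check: a '$' in the middle of a name (still matched, because the modifier is `contains`), a rename away from a '$' name (not matched, since only NewTargetUserName is inspected), and a rename to HomeGroupUser$ (matched, because the filter is limited to EventID 4720).

```python
"""Evaluate the '$' account Sigma rule's logic over constructed Windows Security events.

Added example: this is not the rule's own code and not part of SigmaHQ. It mirrors the
rule's selections, filter and condition in plain Python so the matching behaviour can be
checked offline. All events below are constructed, not captured logs.
"""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample events (not real logs). EventRecordID is used only to identify them.
SAMPLE_EVENTS: List[Event] = [
    # 1: new account whose name ends in '$' and therefore looks like a machine account
    {"EventRecordID": "1", "EventID": "4720", "SubjectUserName": "admin",
     "TargetUserName": "svc_backup$", "SamAccountName": "svc_backup$"},
    # 2: the account the Windows HomeGroup feature creates for itself; excluded by the filter
    {"EventRecordID": "2", "EventID": "4720", "SubjectUserName": "SYSTEM",
     "TargetUserName": "HomeGroupUser$", "SamAccountName": "HomeGroupUser$"},
    # 3: ordinary account without a '$'
    {"EventRecordID": "3", "EventID": "4720", "SubjectUserName": "admin",
     "TargetUserName": "jdoe", "SamAccountName": "jdoe"},
    # 4: '$' in the middle of the name; the 'contains' modifier still matches
    {"EventRecordID": "4", "EventID": "4720", "SubjectUserName": "admin",
     "TargetUserName": "ad$min", "SamAccountName": "ad$min"},
    # 5: rename TO a '$' name
    {"EventRecordID": "5", "EventID": "4781", "SubjectUserName": "admin",
     "OldTargetUserName": "jdoe", "NewTargetUserName": "jdoe$"},
    # 6: rename FROM a '$' name back to a normal one; the rule does not fire
    {"EventRecordID": "6", "EventID": "4781", "SubjectUserName": "admin",
     "OldTargetUserName": "jdoe$", "NewTargetUserName": "jdoe"},
    # 7: rename to HomeGroupUser$; the filter only covers EventID 4720, so this fires
    {"EventRecordID": "7", "EventID": "4781", "SubjectUserName": "admin",
     "OldTargetUserName": "jdoe", "NewTargetUserName": "HomeGroupUser$"},
]


def _field(event: Event, name: str) -> str:
    """Return a field value, or '' when the event does not carry that field."""
    return event.get(name, "")


def selection_create(event: Event) -> bool:
    """selection_create: EventID 4720 and SamAccountName|contains '$'."""
    return _field(event, "EventID") == "4720" and "$" in _field(event, "SamAccountName")


def selection_rename(event: Event) -> bool:
    """selection_rename: EventID 4781 and NewTargetUserName|contains '$'."""
    return _field(event, "EventID") == "4781" and "$" in _field(event, "NewTargetUserName")


def filter_main_homegroup(event: Event) -> bool:
    """filter_main_homegroup: EventID 4720 and TargetUserName 'HomeGroupUser$'.

    Sigma string matching is case-insensitive by default, so the comparison is lowercased.
    """
    return (_field(event, "EventID") == "4720"
            and _field(event, "TargetUserName").lower() == "homegroupuser$")


def rule_matches(event: Event) -> bool:
    """condition: 1 of selection_* and not 1 of filter_main_*"""
    return (selection_create(event) or selection_rename(event)) and not filter_main_homegroup(event)


def run_rule(events: List[Event]) -> List[str]:
    """Return the EventRecordIDs of the events the rule would alert on."""
    return [e["EventRecordID"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for record in run_rule(SAMPLE_EVENTS):
        print("ALERT: record", record)
```

EventID is kept as a string here because the constructed events are dicts of strings; a real backend compares the numeric field, and the backend, not this script, also decides whether `contains` is case-insensitive. The example is only there to make the rule's combination of selections and filter explicit.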
References
- https://twitter.com/SBousseaden/status/1387743867663958021
Related rules
- CodePage Modification Via MODE.COM To Russian Language
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File