Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account: lsass.exe writing a new entry under the SAM hive's Users\Names key whose account name ends in `$`, a suffix that keeps the account out of `net user` output.
Sigma rule:
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
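The selection above is three ANDed string tests on Sysmon registry events (Event ID 12/13 fields Image and TargetObject). The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python re-implementation of that selection, run over constructed sample events (not real telemetry) so the true-positive and the non-matching cases can be seen side by side. It mirrors Sigma's case-insensitive matching, and it also pulls the hidden account name out of the SAM path for the alert. Keep in mind that the rule can only fire if Sysmon is configured to record registry events under HKLM\SAM; nothing in the rule itself guarantees that.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): a small
# Python re-implementation of the rule's `selection` block, run over
# constructed Sysmon registry events. Field names follow Sysmon's
# Event ID 12/13 schema (Image, TargetObject); the sample events below are
# made up for illustration.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegistryEvent:
    """Minimal view of a Sysmon registry event (Event ID 12 = key create/delete,
    13 = value set)."""
    event_id: int
    image: str
    target_object: str


# Constants copied from the rule's selection. Sigma string modifiers are
# case-insensitive, so both sides are lower-cased before comparison.
SAM_NAMES_KEY = "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"  # TargetObject|contains
HIDDEN_SUFFIX = "$\\(Default)"                                    # TargetObject|endswith
LSASS = "\\lsass.exe"                                             # Image|endswith


def matches_rule(ev: RegistryEvent) -> bool:
    """Evaluate `selection`: all three conditions in the map are ANDed."""
    target = ev.target_object.lower()
    image = ev.image.lower()
    return (
        SAM_NAMES_KEY.lower() in target
        and target.endswith(HIDDEN_SUFFIX.lower())
        and image.endswith(LSASS.lower())
    )


def hidden_account_name(ev: RegistryEvent) -> Optional[str]:
    """Pull the account name (including its trailing '$') out of the SAM path,
    so an alert can carry it. Returns None when the path is not of that shape."""
    m = re.search(r"\\Users\\Names\\([^\\]+)\$\\\(Default\)$", ev.target_object, re.IGNORECASE)
    return m.group(1) + "$" if m else None


def run_detection(events):
    """Return (event_id, account) for every event the rule fires on."""
    return [(ev.event_id, hidden_account_name(ev)) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # True positive: lsass.exe sets the (Default) value of a Names entry
    # ending in '$' -> a new local account that `net user` will not list.
    RegistryEvent(13, r"C:\Windows\system32\lsass.exe",
                  r"HKLM\SAM\SAM\Domains\Account\Users\Names\support$\(Default)"),
    # Ordinary account creation: same key, no '$' suffix -> no match.
    RegistryEvent(13, r"C:\Windows\system32\lsass.exe",
                  r"HKLM\SAM\SAM\Domains\Account\Users\Names\jsmith\(Default)"),
    # Key creation (Event ID 12) carries no '\(Default)' suffix -> no match;
    # the rule keys on the value write that follows it.
    RegistryEvent(12, r"C:\Windows\system32\lsass.exe",
                  r"HKLM\SAM\SAM\Domains\Account\Users\Names\support$"),
    # Same value path but written by a process other than lsass.exe -> no match.
    RegistryEvent(13, r"C:\Windows\system32\cmd.exe",
                  r"HKLM\SAM\SAM\Domains\Account\Users\Names\backup$\(Default)"),
]


if __name__ == "__main__":
    for event_id, account in run_detection(SAMPLE_EVENTS):
        print(f"ALERT EventID={event_id} hidden local account created: {account}")
```

Running the block prints one alert, for `support$`. The Event ID 12 key creation that precedes the value write is deliberately not matched: the rule anchors on the `\(Default)` value so that a single event carries both the account name and the `$` suffix.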
References
- https://twitter.com/SBousseaden/status/1387530414185664538
Related rules
- Cisco Local Accounts
- FortiGate - New Administrator Account Created
- FortiGate - New Local User Created
- Privileged User Has Been Created
- User Added to Remote Desktop Users Group