Creation of a Local Hidden User Account by Registry

Sysmon registry detection of a local hidden user account.

Sigma rule

title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2022-08-05
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
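To show how the three conditions of the selection block combine, the following is an added example (not part of the rule page or the Sigma project) that evaluates the rule over constructed Sysmon registry events; the field names TargetObject and Image are the Sigma registry_event fields, and every event value is constructed sample data.

```python
# Added example (not from the Sigma rule page): applies the rule's 'selection'
# block to constructed Sysmon registry events. Field names are the Sigma
# windows/registry_event fields; all event values are constructed sample data.

# Literal values taken from the rule.
SAM_NAMES_PATH = "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"
LSASS_SUFFIX = "\\lsass.exe"


def matches_hidden_user_rule(event: dict) -> bool:
    """True when all three conditions of 'selection' hold.

    Sigma's contains/endswith modifiers are case-insensitive, so both
    sides are lowercased before comparing.
    """
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    return (
        SAM_NAMES_PATH.lower() in target    # TargetObject|contains
        and target.endswith("$")            # TargetObject|endswith: '$'
        and image.endswith(LSASS_SUFFIX)    # Image|endswith: '\lsass.exe'
    )


def account_name(target_object: str) -> str:
    """Last path component of a SAM ...\\Names\\<account> key."""
    return target_object.rsplit("\\", 1)[-1]


def alerts(events: list) -> list:
    """Account names from every event that fires the rule."""
    return [account_name(e["TargetObject"]) for e in events if matches_hidden_user_rule(e)]


# Constructed sample events; Sysmon renders the hive as HKLM.
SAM = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"
SAMPLE_EVENTS = [
    # hidden account written through lsass.exe: fires
    {"Image": "C:\\Windows\\system32\\lsass.exe", "TargetObject": SAM + "support$"},
    # ordinary account name, no trailing '$': does not fire
    {"Image": "C:\\Windows\\system32\\lsass.exe", "TargetObject": SAM + "alice"},
    # trailing '$' but a different writer: Image condition fails
    {"Image": "C:\\Windows\\system32\\reg.exe", "TargetObject": SAM + "svc$"},
    # mixed case still matches because Sigma compares case-insensitively
    {"Image": "C:\\WINDOWS\\System32\\LSASS.EXE",
     "TargetObject": "HKLM\\sam\\SAM\\domains\\Account\\Users\\names\\helpdesk$"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['support$', 'helpdesk$']
```

The third sample shows why the Image condition matters: the rule keys on the SAM writing the key through lsass.exe, so a '$' name written by another process is not what this rule is looking for.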
