Hiding User Account Via SpecialAccounts Registry Key

calendar Aug 29, 2024 · attack.defense-evasion attack.t1564.002  ·
Share on: linkedin copy

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Sigma rule (View on GitHub)

 1title: Hiding User Account Via SpecialAccounts Registry Key
 2id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
 3related:
 4    - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
 5      type: obsolete
 6    - id: 9ec9fb1b-e059-4489-9642-f270c207923d
 7      type: similar
 8status: test
 9description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
10references:
11    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
12    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
13author: Nasreddine Bencherchali (Nextron Systems), frack113
14date: 2022-07-12
15modified: 2023-01-26
16tags:
17    - attack.defense-evasion
18    - attack.t1564.002
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection:
24        EventType: 'SetValue'
25        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
26        Details: 'DWORD (0x00000000)'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top