Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Sigma rule (View on GitHub)
1title: Hiding User Account Via SpecialAccounts Registry Key
2id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
3related:
4 - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
5 type: obsoletes
6status: test
7description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
8references:
9 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
10 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
11author: Nasreddine Bencherchali (Nextron Systems), frack113
12date: 2022/07/12
13modified: 2023/01/26
14tags:
15 - attack.defense_evasion
16 - attack.t1564.002
17logsource:
18 category: registry_set
19 product: windows
20detection:
21 selection:
22 EventType: 'SetValue'
23 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
24 Details: 'DWORD (0x00000000)'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Hidden User Creation
- Application Whitelisting Bypass via Dxcap.exe
- Base64 Encoded PowerShell Command Detected
- Flash Player Update from Suspicious Location
- NetNTLM Downgrade Attack