attack.t1564.002 | Detection.FYI

Potential Suspicious Activity Using SeCEdit
Mar 5, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082 ·
Share on:
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More
Hiding User Account Via SpecialAccounts Registry Key
Feb 1, 2023 · attack.defense_evasion attack.t1564.002 ·
Share on:
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More
Hiding local user accounts
Jan 8, 2023 · attack.hidden.users attack.T1564.002 ·
Share on:
Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.

Read More
Hidden User Creation
Oct 25, 2022 · attack.defense_evasion attack.t1564.002 ·
Share on:
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Read More