Hiding local user accounts

Detects the use of reg.exe to hide local user accounts from the logon screen. An account is hidden by creating a REG_DWORD value named after the account under the Winlogon SpecialAccounts\Userlist key and setting it to 0.

Sigma rule

```yaml
title: Hiding local user accounts
id: 9ec9fb1b-e059-4489-9642-f270c207923d
description: Detects the use of reg.exe to hide users from being listed on the logon screen. This is done by setting the registry value for a specific user to 0.
status: experimental
references:
    - <Report TBD>
author: '@Kostastsale, @TheDFIRReport'
date: 2022/05/14
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
        Image|endswith:
          - '\reg.exe'
        CommandLine|contains|all:
          - 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist'
          - 'add'
          - '/t'
          - 'REG_DWORD'
          - '/v'
          - '/d 0'
    condition: selection1
falsepositives:
    - System administrator activities
level: medium
tags:
    - attack.hidden.users
    - attack.T1564.002
```
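As an added example (not part of the rule or of the report), the Python below mirrors `selection1` over constructed process-creation events so the true match and two near-miss cases (an administrator setting the value back to 1, and the same command run under explorer.exe) can be checked. Field names follow Sysmon Event ID 1; the `hidden_account` helper is an assumption added for triage enrichment.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# they are not telemetry from the report.
USERLIST = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"
SAMPLE_EVENTS = [
    # Hiding account "backup" from cmd.exe: the case the rule is written for.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": f'reg add "{USERLIST}" /v backup /t REG_DWORD /d 0 /f'},
    # Same key but /d 1 (an admin re-showing the account): must not match.
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": f'reg add "{USERLIST}" /v backup /t REG_DWORD /d 1 /f'},
    # Unrelated reg.exe use from cmd.exe: must not match.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    # Hiding command line, but parent is explorer.exe: outside selection1 as written.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": f'reg add "{USERLIST}" /v svc /t REG_DWORD /d 0 /f'},
]

# selection1 transcribed from the rule; Sigma string matching is case-insensitive by default.
PARENT_SUFFIXES = (r"\cmd.exe", r"\powershell.exe")
IMAGE_SUFFIXES = (r"\reg.exe",)
CMDLINE_ALL = (USERLIST, "add", "/t", "REG_DWORD", "/v", "/d 0")

def _endswith_any(value: str, suffixes) -> bool:
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def matches_hidden_user_rule(event: dict) -> bool:
    """True when the event satisfies selection1 (endswith / contains|all)."""
    cmd = event.get("CommandLine", "").lower()
    return (_endswith_any(event.get("ParentImage", ""), PARENT_SUFFIXES)
            and _endswith_any(event.get("Image", ""), IMAGE_SUFFIXES)
            and all(tok.lower() in cmd for tok in CMDLINE_ALL))

def hidden_account(command_line: str):
    """Account name passed to /v, for enriching the alert at triage time (assumed helper)."""
    m = re.search(r'/v\s+"?([^"\s]+)', command_line, re.IGNORECASE)
    return m.group(1) if m else None

def hits(events):
    return [e for e in events if matches_hidden_user_rule(e)]

if __name__ == "__main__":
    for e in hits(SAMPLE_EVENTS):
        print("hidden account:", hidden_account(e["CommandLine"]), "|", e["CommandLine"])
```

The fourth event shows the rule's parent-process filter at work: a hiding command launched from a parent other than cmd.exe or powershell.exe is not covered by `selection1`, which is worth keeping in mind when tuning.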
