Hiding local user accounts

Detects the use of reg.exe to hide users from the logon screen listing. This is possible by setting the registry value for a specific user to 0.

Sigma rule (View on GitHub)

```yaml
title: Hiding local user accounts
description: Detects the use of reg.exe to hide users from the logon screen listing. This is possible by setting the registry value for a specific user to 0.
status: experimental
references:
    - <Report TBD>
author: '@Kostastsale, @TheDFIRReport'
date: 2022/05/14
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
        Image|endswith:
          - '\reg.exe'
        CommandLine|contains|all:
          - 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist'
          - 'add'
          - '/t'
          - 'REG_DWORD'
          - '/v'
          - '/d 0'
    condition: selection1
falsepositives:
    - System administrator activities
level: medium
tags:
    - attack.hidden.users
    - attack.T1564.002
```
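To show what selection1 actually matches, here is an added example (not part of the rule or this page) that evaluates the rule's field specs against constructed process_creation events; the event dictionaries, the `_evt` helper and the `svc_backup` account name are assumptions for illustration.

```python
# Added example, not from the original page: a minimal evaluator for this
# rule's selection1 logic, run over constructed sample process_creation events.
USERLIST_KEY = ("HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                "\\Winlogon\\SpecialAccounts\\Userlist")

# The rule's field specs: "field|modifier[|all]" -> list of values.
RULE = {
    "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
    "Image|endswith": ["\\reg.exe"],
    "CommandLine|contains|all": [USERLIST_KEY, "add", "/t", "REG_DWORD", "/v", "/d 0"],
}

def _matches_field(event: dict, spec: str, values: list) -> bool:
    """Apply one Sigma field spec to an event; Sigma string matching is case-insensitive."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        return any(actual.endswith(v) for v in wanted)
    if "contains" in mods:
        hits = [v in actual for v in wanted]
        return all(hits) if "all" in mods else any(hits)
    return actual in wanted

def matches_hiding_rule(event: dict) -> bool:
    """condition: selection1 -> every field spec in the selection must match."""
    return all(_matches_field(event, spec, vals) for spec, vals in RULE.items())

def _evt(parent: str, image: str, cmdline: str) -> dict:
    """Build a constructed process_creation event with the three fields the rule reads."""
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}

CMD = "C:\\Windows\\System32\\cmd.exe"
REG = "C:\\Windows\\System32\\reg.exe"
# Constructed sample events (not real telemetry); 'svc_backup' is a placeholder account name.
SAMPLE_EVENTS = [
    _evt(CMD, REG, f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 0 /f'),  # hides account: match
    _evt(CMD, REG, f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 1 /f'),  # re-shows it: no match
    _evt(CMD, REG, 'reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'),  # unrelated reg.exe use
    _evt("C:\\Windows\\explorer.exe", REG, f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 0'),  # parent not in list
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_hiding_rule(e)]
```

Note that the last sample shows the rule's blind spot by design: the same command launched from a parent other than cmd.exe or powershell.exe does not fire, which is worth weighing against the stated false positive of administrator activity.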
