Hiding local user accounts
Detects the use of reg.exe to hide local user accounts from being listed on the logon screen. Creating a REG_DWORD value set to 0, named after the account, under the Winlogon `SpecialAccounts\Userlist` key removes that account from the logon screen.
Sigma rule
```yaml
title: Hiding local user accounts
description: Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.
status: experimental
references:
  - <Report TBD>
author: '@Kostastsale, @TheDFIRReport'
date: 2022/05/14
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    # reg.exe launched from an interactive or scripted shell
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    Image|endswith:
      - '\reg.exe'
    # all tokens must appear in the command line, in any order
    CommandLine|contains|all:
      - 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist'
      - 'add'
      - '/t'
      - 'REG_DWORD'
      - '/v'
      - '/d 0'
  condition: selection1
falsepositives:
  - System administrator activities
level: medium
tags:
  - attack.hidden.users
  - attack.T1564.002
```
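To show what `selection1` does and does not match, the following added Python example (not part of the rule or the DFIR Report's code) applies its `endswith` / `contains|all` logic to constructed process_creation events; the event contents and account name are made up for the illustration.

```python
# Added example: applies selection1 of the Sigma rule above to constructed
# process_creation events (made up here; not the rule's own code). Field
# names follow Sigma's process_creation taxonomy; matching is case-insensitive.
USERLIST_KEY = ("HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"
                "\\Winlogon\\SpecialAccounts\\Userlist")

# selection1, keyed as "field|modifier[|modifier]" exactly as in the rule
SELECTION = {
    "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
    "Image|endswith": ["\\reg.exe"],
    "CommandLine|contains|all": [USERLIST_KEY, "add", "/t", "REG_DWORD", "/v", "/d 0"],
}

def field_matches(event, spec, needles):
    """Evaluate one 'field|modifiers: [values]' entry against an event."""
    field, *mods = spec.split("|")
    hay = str(event.get(field, "")).lower()
    wanted = [n.lower() for n in needles]
    if "endswith" in mods:
        hits = [hay.endswith(n) for n in wanted]
    elif "contains" in mods:
        hits = [n in hay for n in wanted]
    else:
        hits = [hay == n for n in wanted]
    # A value list is OR by default; the 'all' modifier turns it into AND.
    return all(hits) if "all" in mods else any(hits)

def selection_matches(event, selection=SELECTION):
    """Every field of a selection must match (AND across fields)."""
    return all(field_matches(event, s, v) for s, v in selection.items())

# Constructed sample events (not real telemetry).
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
REG = "C:\\Windows\\System32\\reg.exe"
SAMPLE_EVENTS = [
    # 1: hides svc_backup from the logon screen -> alert
    {"id": 1, "ParentImage": CMD, "Image": REG,
     "CommandLine": f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 0 /f'},
    # 2: same action, lower-case key and type, from PowerShell -> still alerts
    {"id": 2, "ParentImage": PS, "Image": REG,
     "CommandLine": f'reg add "{USERLIST_KEY.lower()}" /v svc_backup /t reg_dword /d 0'},
    # 3: value 1 re-shows the account -> no alert, by design
    {"id": 3, "ParentImage": CMD, "Image": REG,
     "CommandLine": f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 1 /f'},
    # 4: spawned by explorer.exe -> ParentImage filter excludes it (coverage gap)
    {"id": 4, "ParentImage": "C:\\Windows\\explorer.exe", "Image": REG,
     "CommandLine": f'reg add "{USERLIST_KEY}" /v svc_backup /t REG_DWORD /d 0 /f'},
]
```

Event 4 illustrates the rule's stated scope: the `ParentImage` filter means the same registry change made from any parent other than cmd.exe or powershell.exe is not covered by this rule.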