
Creation of a Local Hidden User Account by Registry

Sysmon registry detection of a local hidden user account.

Author: Christian Burkard (Nextron Systems)
Created: Mon May 03
Updated: Fri Oct 31
Rule ID: 460479f3-80b7-42da-9c43-2cc1d54dbccd

Log Source
Product: windows
Category: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
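The selection above evaluated over constructed Sysmon registry events, as an added example that is not part of the rule, the SigmaHQ repository or this page. The event dictionaries, the simplified modifier evaluation and the account_name triage helper are assumptions made for illustration. The example shows why each line of the selection matters: the CreateKey event (Event ID 12) for the same account lacks the `\(Default)` suffix and does not match, a write to the same SAM path by a process other than lsass.exe does not match, and matching is case-insensitive as in Sigma's default string comparison.

```python
"""Evaluate this rule's `selection` block over constructed Sysmon registry events.

Added example; not code from the rule, SigmaHQ or the page. The events below are
constructed for illustration (Sysmon Event ID 12/13 fields), not captured data.
"""
from __future__ import annotations

# Field, Sigma modifier and value for each line of the rule's `selection` map.
# All three must hold for an event to match (a Sigma map is an implicit AND).
SELECTION = [
    ("TargetObject", "contains", "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"),
    ("TargetObject", "endswith", "$\\(Default)"),
    ("Image", "endswith", "\\lsass.exe"),
]


def match_modifier(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; comparisons are case-insensitive by default."""
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict) -> bool:
    """True when every field/modifier pair of `selection` holds for the event."""
    return all(
        match_modifier(str(event.get(field, "")), modifier, pattern)
        for field, modifier, pattern in SELECTION
    )


def run_rule(events: list[dict]) -> list[dict]:
    """Return the events that `condition: selection` would raise an alert for."""
    return [e for e in events if selection_matches(e)]


def account_name(event: dict) -> str:
    """Triage helper (assumed, not part of the rule): pull the SAM account name
    out of a matching TargetObject, i.e. the key name between `\\Names\\` and
    `\\(Default)`."""
    target = event["TargetObject"]
    lowered = target.lower()
    start = lowered.rfind("\\names\\") + len("\\names\\")
    end = lowered.rfind("\\(default)")
    return target[start:end]


# Constructed sample events; field names follow Sysmon's registry events.
SAMPLE_EVENTS = [
    # lsass.exe sets the default value of the SAM Names key for an account
    # named "support$" (the "$" suffix keeps it out of `net user` output). Matches.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\support$\(Default)"},
    # Same write for an ordinary account name without "$". No match.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\jdoe\(Default)"},
    # The CreateKey event that precedes the SetValue: TargetObject has no
    # "\(Default)" suffix, so the rule keys on the Event ID 13 event instead.
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\support$"},
    # Another process writing the same path: Image is not lsass.exe. No match.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\support$\(Default)"},
    # Upper-case image path: Sigma string matching is case-insensitive. Matches.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\backup$\(Default)"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT EID {hit['EventID']}: hidden account {account_name(hit)!r} "
              f"written by {hit['Image']}")
```

Running the file prints two alerts, for `support$` and `backup$`. The account name the helper extracts is the first thing to check in triage: an administrator can create such an account deliberately, but a `$`-suffixed local account that nobody owns up to is the hidden-user technique this rule targets.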
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage: the rule fires on any local account whose name ends in `$` being written to the SAM by lsass.exe, so confirm whether an administrator created that account intentionally. The rule also depends on Sysmon logging registry events for the HKLM\SAM key path; if the Sysmon configuration excludes that path, no events reach the rule.

Testing & Validation

Simulations

Atomic Red Team T1564.002: Create Hidden User in Registry
GUID: 173126b7-afe4-45eb-8680-fa9f6400431c

Note that the atomic test is filed under T1564.002 (Hide Artifacts: Hidden Users), while the rule itself is tagged T1136.001 (Create Account: Local Account); both describe the same activity from different angles.

Regression Tests

Positive detection test by SigmaHQ Team: 1 match in the Microsoft-Windows-Sysmon .evtx sample.

MITRE ATT&CK
Tactic: Persistence (TA0003)
Technique: T1136.001 Create Account: Local Account
Rule Metadata
Rule ID: 460479f3-80b7-42da-9c43-2cc1d54dbccd
Status: test
Level: high
Type: Detection
Created: Mon May 03
Modified: Fri Oct 31
Path: rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
Raw Tags: attack.persistence, attack.t1136.001