Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

New or Renamed User Account with '$' Character

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ilyas Ochkov, oscd.communityCreated Fri Oct 25Updated Tue Jan 16cfeed607-6aa4-4bbd-9627-b637deb723c8windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic3 selectors
detection:
    selection_create:
        EventID: 4720 # create user
        SamAccountName|contains: '$'
    selection_rename:
        EventID: 4781 # rename user
        NewTargetUserName|contains: '$'
    filter_main_homegroup:
        EventID: 4720
        TargetUserName: 'HomeGroupUser$'
    condition: 1 of selection_* and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
cfeed607-6aa4-4bbd-9627-b637deb723c8
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Tue Jan 16
Author
Ilyas Ochkov, oscd.community
Path
rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml
Raw Tags
attack.defense-evasionattack.t1036
View on GitHub