Skip to content
Threat Feed
high advisory

Hidden Local Account Creation via Registry Modification

Attackers may create hidden local accounts, appending a dollar sign ($) to the username, to maintain persistence and evade detection by standard enumeration tools by modifying specific registry keys.

Attackers sometimes create hidden local accounts on Windows systems to establish persistence and maintain unauthorized access. By appending a dollar sign ($) to the account name, they can effectively hide the account from standard enumeration tools like net users, and potentially evade detection mechanisms that rely on these tools. This technique involves directly modifying specific registry keys associated with user account management. The Lazarus Group has been observed utilizing similar techniques in past campaigns. This activity is often associated with post-compromise behavior, where the attacker seeks to deepen their foothold within the compromised environment. This allows the attacker to maintain access even if other initial access vectors are remediated.

Attack Chain

  1. Initial access is gained through an unknown method (e.g., exploiting a vulnerability or phishing).
  2. The attacker escalates privileges to gain administrative access to the system.
  3. The attacker uses command-line tools such as net user or PowerShell to attempt creating a new local account with a username ending in "$".
  4. The system interacts with the Security Account Manager (SAM) database to validate the new account creation.
  5. The registry key HKLM\SAM\SAM\Domains\Account\Users\Names\ (or its equivalent under \REGISTRY\MACHINE) is modified to reflect the new account. This key stores the account names.
  6. The attacker configures additional settings for the account, such as group memberships, potentially using command-line tools or PowerShell.
  7. The attacker uses the newly created hidden account to move laterally within the network, accessing sensitive resources.
  8. The attacker uses the account for long-term persistence, re-establishing access as needed.

Impact

Successful exploitation allows attackers to maintain persistent access to compromised systems, even after initial vulnerabilities are patched or initial access vectors are closed. This can lead to long-term data theft, disruption of services, or further lateral movement within the network. The creation of hidden accounts makes detection and remediation more difficult, potentially prolonging the attacker's presence within the environment.

Recommendation

  • Deploy the Sigma rule "Hidden Local Account Creation via Registry Modification" to your SIEM and tune for your environment.
  • Enable Sysmon registry event logging to activate the rule above.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent processes of the registry modification events and the context of the user account performing the action.
  • Regularly audit local accounts on systems to identify any unexpected or unauthorized accounts, paying close attention to accounts with names ending in "$".
  • Implement the principle of least privilege to limit the ability of users to create new local accounts.

Detection coverage 2

Hidden Local Account Creation via Registry Modification

high

Detects the creation of a hidden local user account by monitoring registry modifications related to account creation with a username ending in '$'.

sigma tactics: defense_evasion, persistence techniques: T1136.001, T1564.002 sources: registry_set, windows

Suspicious Process Modifying SAM Registry Keys

medium

Detects suspicious processes modifying registry keys associated with user account management (SAM). This activity is often associated with malicious account creation or manipulation.

sigma tactics: defense_evasion, persistence techniques: T1136.001, T1564.002 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →