Hiding User Account from Sign-In Screen via Registry Modification
An attacker modifies the Windows registry to hide a user account from the login screen, potentially establishing a hidden admin account for persistence and evading detection.
This brief addresses the technique of hiding user accounts from the Windows sign-in screen through registry modification. Attackers may modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist to prevent specific user accounts from appearing on the login screen. This is often done to conceal malicious accounts created for persistence or lateral movement, making it difficult for legitimate users or administrators to detect unauthorized access. The activity is typically performed after initial compromise and aims to maintain a persistent, stealthy presence on the system. This technique has been observed in conjunction with malware such as XMRig, Azorult, and Warzone RAT.
Attack Chain
- Initial access is gained through an unknown method.
- The attacker obtains administrative privileges on the target system.
- The attacker identifies the target user account to hide.
- The attacker modifies the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\<username>.
- The attacker sets the value of the registry key to “0x00000000” to hide the user account.
- The attacker uses the hidden account to perform malicious activities, such as lateral movement or data exfiltration.
- The attacker maintains persistence on the system through the hidden account, evading detection.
Impact
Successful execution of this technique allows attackers to maintain a persistent presence on compromised systems, potentially leading to data theft, system compromise, or further malicious activities. Hiding user accounts makes it more difficult for legitimate users and administrators to detect unauthorized access, increasing the dwell time of the attacker. This technique has been observed in association with malware families such as XMRig, Azorult, and Warzone RAT, indicating its use in financially motivated and espionage campaigns.
Recommendation
- Enable Sysmon Event ID 13 logging to monitor registry modifications on endpoints.
- Deploy the Sigma rule “Detect Hidden User Account via Registry Modification” to detect the specific registry modification described in this brief.
- Investigate any alerts generated by the Sigma rule, focusing on systems where suspicious or unknown accounts have been created.
- Review systems identified in the referenced DFIR report for similar activity.
Detection coverage (2 rules)
Detect Hidden User Account via Registry Modification (severity: high)
Detects attempts to hide user accounts from the Windows login screen by modifying the registry.
Detect Process Modifying Winlogon SpecialAccounts Userlist Registry (severity: medium)
Detects processes modifying the Winlogon SpecialAccounts Userlist registry key, used to hide user accounts from the login screen.
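As an added illustration of the logic behind the two rules above (example code written for this brief, not the platform's own detection queries), the following Python script evaluates Sysmon Event ID 13 registry-set events: any value written under the Winlogon SpecialAccounts\Userlist key raises a medium alert, and a DWORD value of 0x00000000 (the account-hiding setting) raises a high alert. The event records, image paths, user names and account names are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records using the
# field names Sysmon emits; sample data, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"WS01\Administrator",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\svc_backup",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"WS01\itadmin",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\Guest",
     "Details": "DWORD (0x00000001)"},
]

# The value name under Userlist is the account being toggled; registry paths are
# not case-sensitive, so match case-insensitively.
USERLIST_RE = re.compile(r"\\Winlogon\\SpecialAccounts\\Userlist\\(?P<account>[^\\]+)$", re.IGNORECASE)
# Sysmon renders a DWORD value as "DWORD (0x00000000)"; a zero value hides the account.
HIDDEN_VALUE_RE = re.compile(r"^DWORD \(0x0+\)$", re.IGNORECASE)

@dataclass
class Alert:
    severity: str
    rule: str
    account: str
    image: str
    user: str

def evaluate(event: dict):
    """Return an Alert for a Userlist modification, or None if the event is not relevant."""
    if event.get("EventID") != 13:
        return None
    match = USERLIST_RE.search(event.get("TargetObject", ""))
    if not match:
        return None
    account = match.group("account")
    if HIDDEN_VALUE_RE.match(event.get("Details", "")):
        return Alert("high", "Detect Hidden User Account via Registry Modification",
                     account, event.get("Image", ""), event.get("User", ""))
    return Alert("medium", "Detect Process Modifying Winlogon SpecialAccounts Userlist Registry",
                 account, event.get("Image", ""), event.get("User", ""))

def scan(events):
    """Evaluate a batch of Sysmon events and return the alerts they produce."""
    return [alert for alert in map(evaluate, events) if alert is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: account={alert.account} image={alert.image} user={alert.user}")
```

In practice the Image and User fields should be triaged together with the account name: a Userlist change made by an unfamiliar process or for an account nobody provisioned is the case the brief's recommendations single out for investigation.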