high advisory

Creation of a Hidden Local User Account

Detects the creation of a hidden local user account by appending a dollar sign ($) to the account name, a technique used by attackers to persist on a system and evade standard account listing methods.

This rule identifies the creation of hidden local user accounts on Windows systems. Attackers create these accounts by appending a dollar sign ($) to the account name, which hides them from standard account listings produced by the net user command. This technique allows the attacker to maintain persistent access to a compromised system while avoiding basic detection methods. The rule leverages registry event monitoring to detect the creation of these accounts by observing writes to specific registry paths under the SAM\SAM\Domains\Account\Users\Names key. This technique has been observed in campaigns attributed to Lazarus Group.

Attack Chain

  1. The attacker gains initial access to the system through an undisclosed method.
  2. The attacker elevates privileges to a level where they can modify the SAM database.
  3. The attacker uses a tool or script (e.g., net user, PowerShell) to create a new local user account, appending a $ to the username.
  4. The tool writes to the registry under HKLM\SAM\SAM\Domains\Account\Users\Names\*$ to create the hidden account.
  5. The attacker assigns the new account to local groups, such as Administrators or Remote Desktop Users.
  6. The attacker may enable the account and set a password.
  7. The attacker uses the hidden account to maintain persistent access to the system.
  8. The attacker performs malicious activities, such as lateral movement, data exfiltration, or installing backdoors, using the created hidden account.

Impact

Successful creation of a hidden local user account allows an attacker to maintain persistent and potentially undetected access to a compromised system. This access can be used for a variety of malicious purposes, including data theft, installation of malware, and further compromise of the network. While the exact victim count is unknown, this technique is a common persistence mechanism used by various threat actors.

Recommendation

  • Deploy the Sigma rule “Detect Hidden Local Account Creation via Registry Modification” to your SIEM to detect this specific technique.
  • Enable Sysmon registry event monitoring with event ID 12 and 13 to capture registry modifications, which is required for the Sigma rule to function.
  • Review the references provided for additional context and hunting queries related to this technique.
  • Investigate any alerts generated by the Sigma rule, paying close attention to the process creating the registry entries and any subsequent activity from the newly created account, as outlined in the rule’s “False positive analysis” section.
  • Use the investigation fields to review process and child activity on the host, as well as alerts associated with the creating identity and the host itself.

Detection coverage (2 rules)

Detect Hidden Local Account Creation via Registry Modification

high

Detects the creation of a hidden local user account by monitoring registry modifications under the SAM hive with a $ suffix.

Type: sigma | Tactics: persistence | Techniques: T1053.005 | Sources: registry_set, windows

Detect Hidden Account Creation via Net.exe

medium

Detects the creation of hidden local accounts using the net user command with a $ suffix.

Type: sigma | Tactics: persistence | Techniques: T1053.005 | Sources: process_creation, windows
