{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/hidden_account/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["high"],"_cs_tags":["persistence","windows","local_account","hidden_account"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis rule identifies the creation of hidden local user accounts on Windows systems. Attackers create these accounts by appending a dollar sign ($) to the account name, which hides them from the output of the \u003ccode\u003enet user\u003c/code\u003e command; the account remains visible in the Local Users and Groups snap-in and in \u003ccode\u003eGet-LocalUser\u003c/code\u003e output, so the concealment defeats only cursory account reviews. This technique lets the attacker keep persistent access to a compromised system while evading basic detection methods. The rule uses registry event monitoring to detect the creation of these accounts by observing the creation of subkeys whose names end in \u003ccode\u003e$\u003c/code\u003e under the \u003ccode\u003eSAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\u003c/code\u003e key, where the SAM stores one subkey per local account name. 
This technique has been observed in campaigns attributed to Lazarus Group.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to local administrator (or SYSTEM), which is required to create local accounts and therefore to modify the SAM database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., \u003ccode\u003enet user\u003c/code\u003e, PowerShell) to create a new local user account, appending a \u003ccode\u003e$\u003c/code\u003e to the username.\u003c/li\u003e\n\u003cli\u003eThe Local Security Authority (\u003ccode\u003elsass.exe\u003c/code\u003e) services the request and creates a subkey under \u003ccode\u003eHKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\u003c/code\u003e for the hidden account; this registry write is the artifact the rule detects.\u003c/li\u003e\n\u003cli\u003eThe attacker adds the new account to privileged local groups, such as \u003ccode\u003eAdministrators\u003c/code\u003e or \u003ccode\u003eRemote Desktop Users\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a password and ensures the account is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden account to maintain persistent access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as lateral movement, data exfiltration, or installing backdoors, using the hidden account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation of a hidden local user account allows an attacker to maintain persistent and potentially undetected access to a compromised system. This access can be used for a variety of malicious purposes, including data theft, installation of malware, and further compromise of the network. 
While the exact victim count is unknown, this technique is a common persistence mechanism used by various threat actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Hidden Local Account Creation via Registry Modification\u0026rdquo; to your SIEM to detect this specific technique.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event monitoring (event ID 12 for key creation and deletion, event ID 13 for value writes) covering \u003ccode\u003eHKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\u003c/code\u003e; the Sigma rule depends on these events as its log source.\u003c/li\u003e\n\u003cli\u003eAs a complementary signal, alert on Windows Security event 4720 (a user account was created) where the target account name ends in \u003ccode\u003e$\u003c/code\u003e; the dollar sign hides the account from \u003ccode\u003enet user\u003c/code\u003e but does not suppress account-management auditing, and legitimate local account names rarely carry the suffix.\u003c/li\u003e\n\u003cli\u003eHunt retrospectively by enumerating local accounts whose names end in a dollar sign with \u003ccode\u003eGet-LocalUser\u003c/code\u003e or the Local Users and Groups snap-in, both of which list the accounts that \u003ccode\u003enet user\u003c/code\u003e omits.\u003c/li\u003e\n\u003cli\u003eReview the references provided for additional context and hunting queries related to this technique.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the process creating the registry entries and any subsequent activity from the newly created account, as outlined in the rule\u0026rsquo;s \u0026ldquo;False positive analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eUse the investigation fields to review process and child activity on the host, as well as alerts associated with the creating identity and the host itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:38:50Z","date_published":"2026-05-12T18:38:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hidden-account-creation/","summary":"Detects the creation of a hidden local user account by appending a dollar sign ($) to the account name, a technique used by attackers to persist on a system and evade standard account listing methods.","title":"Creation of a Hidden Local User Account","url":"https://feed.craftedsignal.io/briefs/2026-05-hidden-account-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Hidden_account","version":"https://jsonfeed.org/version/1.1"}
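The following is an added example that runs the brief's detection logic over constructed log records; it is not code from the CraftedSignal feed or from the Sigma rule the brief names. It implements the registry-side check (Sysmon event ID 12, CreateKey, on a direct child of the SAM Names key whose name ends in $) and the complementary Security event 4720 check, then correlates the two per account. The event records are constructed to resemble Sysmon and Security events as shipped by a typical log forwarder: field names follow the Sysmon schema (EventType, TargetObject, Image) and the Security log (TargetUserName, SubjectUserName), but every value is made up. The allowlist of benign $-suffixed names is an assumption for illustration; HomeGroupUser$ is included because it was a built-in account on Windows 7 and 8.1.

```python
"""Hidden ($-suffixed) local account detection over Sysmon and Security events.

Added example, not part of the CraftedSignal brief or the referenced Sigma
rule.  All events below are constructed; field names mirror the real schemas,
values are invented.
"""
import json

# The SAM stores one subkey per local account under this key.  Sysmon reports
# the hive as HKLM in TargetObject.
SAM_NAMES_KEY = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"

# Assumed allowlist of legitimate $-suffixed local accounts (HomeGroupUser$
# existed on Windows 7/8.1).  Extend per environment; compared case-insensitively.
BENIGN_HIDDEN_ACCOUNTS = {"homegroupuser$"}

# Constructed events, one JSON object per line (raw string keeps the JSON
# double-backslash escapes intact so json.loads yields single backslashes).
SAMPLE_EVENTS = r"""
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":12,"EventType":"CreateKey","Image":"C:\\Windows\\System32\\lsass.exe","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support$","UtcTime":"2026-05-12 18:01:03.120"}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":12,"EventType":"CreateKey","Image":"C:\\Windows\\System32\\lsass.exe","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\jsmith","UtcTime":"2026-05-12 18:01:09.004"}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":13,"EventType":"SetValue","Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater$","Details":"C:\\Temp\\u.exe","UtcTime":"2026-05-12 18:01:15.000"}
{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":12,"EventType":"CreateKey","Image":"C:\\Windows\\System32\\lsass.exe","TargetObject":"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\HomeGroupUser$","UtcTime":"2026-05-12 18:01:20.000"}
{"Channel":"Security","EventID":4720,"SubjectUserName":"Administrator","TargetUserName":"support$","TargetSid":"S-1-5-21-1111111111-2222222222-3333333333-1005","UtcTime":"2026-05-12 18:01:03.200"}
{"Channel":"Security","EventID":4720,"SubjectUserName":"Administrator","TargetUserName":"jsmith","TargetSid":"S-1-5-21-1111111111-2222222222-3333333333-1006","UtcTime":"2026-05-12 18:01:09.100"}
"""


def account_from_sam_key(target_object):
    """Return the account name if target_object is a direct child of the SAM
    Names key, else None.  Registry paths are case-insensitive, so compare
    lower-cased; deeper subkeys (containing a further backslash) are not
    account names and are rejected."""
    if not target_object.lower().startswith(SAM_NAMES_KEY.lower()):
        return None
    name = target_object[len(SAM_NAMES_KEY):]
    if not name or "\\" in name:
        return None
    return name


def is_hidden_account_name(name):
    """The brief's concealment trick is a trailing dollar sign; known benign
    $-accounts are excluded so the rule does not fire on them."""
    return name.endswith("$") and name.lower() not in BENIGN_HIDDEN_ACCOUNTS


def detect(events):
    """Two detections:
      registry: Sysmon EventID 12 / CreateKey on SAM\\...\\Names\\<name>$
                (the registry artifact the brief's Sigma rule keys on)
      audit:    Security EventID 4720 with TargetUserName ending in $
                (the $ suffix hides the account from net user, not from auditing)
    Event 13 (SetValue) records outside the SAM key, like the Run-key write
    above, are deliberately ignored here even if the value name ends in $."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 12 and ev.get("EventType") == "CreateKey":
            name = account_from_sam_key(ev.get("TargetObject", ""))
            if name and is_hidden_account_name(name):
                alerts.append({"rule": "hidden_local_account_registry", "account": name,
                               "image": ev.get("Image"), "time": ev.get("UtcTime")})
        elif ev.get("EventID") == 4720:
            name = ev.get("TargetUserName", "")
            if is_hidden_account_name(name):
                alerts.append({"rule": "hidden_local_account_4720", "account": name,
                               "creator": ev.get("SubjectUserName"), "time": ev.get("UtcTime")})
    return alerts


def correlate(alerts):
    """Group alerts by account (case-insensitive); an account seen by both the
    registry and the 4720 detection is reported with higher confidence."""
    rules_by_account = {}
    for a in alerts:
        rules_by_account.setdefault(a["account"].lower(), set()).add(a["rule"])
    return {acct: ("high" if len(rules) > 1 else "medium")
            for acct, rules in rules_by_account.items()}


def parse_events(jsonl):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def run_sample():
    """Run both detections over the constructed events."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    found = run_sample()
    for alert in found:
        print(alert)
    print(correlate(found))
```

On the constructed input only support$ fires, once from each detection, and correlates to high confidence; jsmith has no suffix, HomeGroupUser$ is allowlisted, and the Run-key SetValue event is outside the SAM Names key. In production the same two functions map directly onto a SIEM query: the registry branch is the Sigma rule's selection, and the 4720 branch catches the case where Sysmon is absent or its registry filter does not cover the SAM hive.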