206. That's How Adversaries Hide User Accounts from the Windows Login Screen

Hello everyone!

Adversaries may use hidden accounts to retain access to a compromised infrastructure. Such accounts are not displayed on the Welcome or login screen, but can still be used, for example, to log in over Remote Desktop Protocol (RDP).

To hide a user account from the Windows login screen, a threat actor may modify the registry. For example, here's how the Chaos ransomware gang does it:

cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v $user_account /t REG_DWORD /d 0 /f

And yes, we can hunt for such registry modification events:

event_type: "processcreatewin"
AND proc_file_path: "reg.exe"
AND cmdline: ("add" AND "Winlogon\\SpecialAccounts\\Userlist")
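A small detection routine for the hunt above, added here as an example (not the blog's or any vendor's code). It runs the same logic over a few constructed process-creation events, matching a "reg add" against the Userlist key regardless of hive abbreviation, spacing or case, and pulls out the account name and DWORD value so the analyst sees which account was hidden.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry); fields mirror the hunting query.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg  ADD HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList /v helpdesk /t REG_DWORD /d 0 /f"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Contoso /v Setting /t REG_DWORD /d 0 /f"},
]

# "reg add" / "reg.exe ADD", not preceded by a word character (so full paths still match).
REG_ADD = re.compile(r"(?<![\w.])reg(?:\.exe)?\s+add\s", re.IGNORECASE)
# The key tail is the same whether the hive is written HKLM or HKEY_LOCAL_MACHINE.
USERLIST_KEY = re.compile(r"winlogon\\specialaccounts\\userlist", re.IGNORECASE)
VALUE_NAME = re.compile(r'/v\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
VALUE_DATA = re.compile(r'/d\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _arg(match: Optional[re.Match]) -> Optional[str]:
    if match is None:
        return None
    return match.group(1) or match.group(2)


def check_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the event is a 'reg add' against SpecialAccounts\\Userlist, else None."""
    if event.get("event_type") != "processcreatewin":
        return None
    cmdline = event.get("cmdline", "")
    # Match on the command line rather than only on proc_file_path, so the
    # cmd.exe /c wrapper used by Chaos is caught as well as reg.exe itself.
    if not (REG_ADD.search(cmdline) and USERLIST_KEY.search(cmdline)):
        return None
    account = _arg(VALUE_NAME.search(cmdline))
    data = _arg(VALUE_DATA.search(cmdline))
    return {
        "process": event.get("proc_file_path", ""),
        "account": account or "<unknown>",
        # A DWORD of 0 hides the account; any other value still modifies the Userlist and is worth a look.
        "verdict": "account hidden from login screen" if data == "0" else "Userlist modified",
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```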

See you tomorrow!
