206. That's How Adversaries Hide User Accounts from the Windows Login Screen
Hello everyone!
Adversaries may use hidden accounts to access compromised infrastructure. Such accounts are not displayed on the Welcome or login screen, but they can still be used, for example, to log in over Remote Desktop Protocol (RDP).
To hide a user account from the Windows login screen, a threat actor may modify the registry. For example, here's how the Chaos ransomware gang does it:
cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v $user_account /t REG_DWORD /d 0 /f
And yes, we can hunt for similar registry modification events:
event_type: "processcreatewin"
AND
proc_file_path: "reg.exe"
AND
cmdline: ("add" AND "Winlogon\\SpecialAccounts\\Userlist")
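To show what the hunt above does and does not match, here is an added example (not from the original post) that runs the same logic in Python over a few constructed process-creation events. The field names mirror the query; the sample events and account names are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events shaped like the hunt's fields
# (event_type, proc_file_path, cmdline); not real telemetry.
USERLIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": f'reg add "HKEY_LOCAL_MACHINE\\{USERLIST}" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": f"REG ADD HKLM\\{USERLIST} /v helpdesk /t REG_DWORD /d 1 /f"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c reg add HKLM\\{USERLIST} /v svc_backup /t REG_DWORD /d 0 /f"},
]

# Case-insensitive: reg.exe accepts ADD/add and any casing of the key path.
ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
USERLIST_RE = re.compile(r"winlogon\\specialaccounts\\userlist", re.IGNORECASE)
VALUE_RE = re.compile(r'/v\s+("[^"]*"|\S+)', re.IGNORECASE)
DATA_RE = re.compile(r"/d\s+(\S+)", re.IGNORECASE)

def match_userlist_add(event):
    """Return a finding if the event is reg.exe adding a SpecialAccounts\\Userlist value, else None."""
    if event.get("event_type") != "processcreatewin":
        return None
    # Like the hunt, key on the reg.exe process itself: the "cmd.exe /c reg add ..."
    # parent does not match; the reg.exe child it spawns produces its own event.
    if PureWindowsPath(event.get("proc_file_path", "")).name.lower() != "reg.exe":
        return None
    cmd = event.get("cmdline", "")
    if not (ADD_RE.search(cmd) and USERLIST_RE.search(cmd)):
        return None
    v, d = VALUE_RE.search(cmd), DATA_RE.search(cmd)
    account = v.group(1).strip('"') if v else None
    data = d.group(1) if d else None
    # DWORD 0 hides the account from the login screen; 1 leaves it visible (un-hide).
    try:
        hidden = data is not None and int(data, 0) == 0
    except ValueError:
        hidden = False
    return {"account": account, "data": data, "hidden": hidden}

def hunt(events):
    """Run match_userlist_add over a batch of events and return the findings."""
    return [f for f in map(match_userlist_add, events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The un-hide event (/d 1) is reported too, since the hunt keys on the "add" verb and the key path rather than on the data value; the hidden flag tells the two apart during triage.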
See you tomorrow!