Hidden Local Account Detection
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Attackers may create a hidden local user account by appending a dollar sign ($) to the account name. The Windows net user command omits account names that end in $ from its listing, so the account survives a casual review of local users while giving the attacker a persistent, separate foothold on the system.
Attack chain scenario: Phishing -> Credential theft -> Hidden local account creation -> Ransomware deployment
Impact:
It can impact an organization in the following ways:
- Data theft
- Malware deployment
- Backdoor establishment
Data source:
Windows > User Management
Required configuration: The rule relies on user account creation and user management events. Prerequisite: enable the Audit User Account Management subcategory (Advanced Audit Policy Configuration > Account Management), so that event ID 4720 (A user account was created) is written to the Security log.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0003- Persistence
Technique: T1136- Create Account
Sub Technique: T1136.001- Local Account
Criteria:
In a Windows environment, a trailing $ is the naming convention for machine (computer) accounts, and the net user command deliberately leaves such names out of its listing. An attacker can give an ordinary local user account the same suffix so that it is hidden from that listing while it still exists and can log on.
The rule checks whether the account name in a user creation event (event ID 4720, Target Account Name) ends with a $ sign.
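The check described above, reproduced on a single host as an added example (this is not the rule library's own logic, which runs inside the SIEM): it reads event ID 4720 from the local Security log, pulls the TargetUserName field out of the event XML, and keeps the events whose name ends in $. It assumes an elevated prompt and that the Audit User Account Management subcategory is already enabled; the second part shows the blind spot the attacker relies on by listing the same accounts through Get-LocalUser, which does not filter the suffix.

```powershell
# Added example, not code from the rule library. Requires an elevated
# PowerShell session; without the Audit User Account Management subcategory
# enabled, no 4720 events exist and $hits stays empty.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()

    # Flatten the EventData <Data Name="..."> nodes into a hashtable.
    # For 4720, TargetUserName is the account that was created and
    # SubjectUserName is the account that created it.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The rule's criterion: the created account name ends with a dollar sign.
    if ($data['TargetUserName'] -like '*$') {
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            CreatedAccount = $data['TargetUserName']
            TargetSid      = $data['TargetSid']
            CreatedBy      = $data['SubjectUserName']
            SubjectLogonId = $data['SubjectLogonId']   # correlate with the creator's 4624 logon
        }
    }
}

"--- 4720 events whose target account name ends in '$' ---"
$hits | Format-Table -AutoSize

# The blind spot: 'net user' silently drops names ending in '$',
# while the Local Accounts module lists them like any other account.
"--- net user output (suffixed accounts are missing here) ---"
net user

"--- Get-LocalUser (suffixed accounts are visible here) ---"
Get-LocalUser | Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Enabled, SID, LastLogon, PasswordLastSet
```

SubjectLogonId is worth keeping in the alert: it ties the creation to the interactive or network logon session of the creator, which is usually the compromised account from the credential theft step of the attack chain.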
When to enable this rule:
Security standards (NIST CSF 2.0):
Enabling this rule will help you meet the security standard's requirement listed below:
PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
When this rule is triggered, you're notified of the creation of a hidden local user account by appending the dollar sign to the account name. This enables you to review access and permissions, take corrective actions, and incorporate the least privilege policy.
Known false positives: Legitimate creation of a local user account whose name ends in $ is rare. Domain computer accounts carry the suffix by convention, but their creation is logged as event ID 4741 (A computer account was created) rather than 4720, so they do not trigger this rule.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Determine whether the alert is a new incident or part of an existing one. The subject (creating) account and its logon ID in the 4720 event point to the session, and usually the compromised credentials, that were used.
- Analysis: Assess the impact and extent of the compromise, including which local groups the new account was added to and whether it has already logged on, to understand the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to stop the malicious process and disable the account.
- Deploy access controls: Restrict local account creation to authorized administrators and review who holds local administrator rights, so that unauthorized users cannot create accounts.
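The triage and containment steps above, carried out on the affected host as an added example (not a workflow shipped with the rule): it takes the account name from the alert, records the account's state and local group memberships for the analysis step, and then disables rather than deletes the account so the SID and logon history remain available for forensics. The account name svc_backup$ is a constructed placeholder standing in for the alert's Target Account Name; replace it with the real value.

```powershell
# Added example, not code from the rule library. Run elevated on the host
# that generated the alert. $name is a constructed placeholder for the
# Target Account Name field of the triggering 4720 event.
$name = 'svc_backup$'

# Identification: confirm the account exists and capture its current state.
$acct = Get-LocalUser -Name $name -ErrorAction Stop
$acct | Select-Object Name, Enabled, SID, LastLogon, PasswordLastSet, Description

# Analysis: which local groups hold the account? Membership of Administrators
# or Remote Desktop Users turns a hidden account into a full backdoor.
$member = "$env:COMPUTERNAME\$name"
$groups = foreach ($g in Get-LocalGroup) {
    $names = (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name
    if ($names -contains $member) { $g.Name }
}
"Local group membership of ${name}: $($groups -join ', ')"

# Analysis: have the creation and any group additions already been followed
# by a logon? 4624 carries the account name in its TargetUserName field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    Where-Object { ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq $name } } |
    Select-Object TimeCreated, Id

# Response: disable, do not delete. Deleting the account destroys the SID that
# the remaining log entries reference. Remove -WhatIf once the action is approved.
Disable-LocalUser -Name $name -WhatIf
```

Disabling keeps the evidence chain intact; removal of the account, and of any group membership it was granted, is better left to the post-incident cleanup once the forensic copy of the Security log has been taken.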