Try in Splunk Security Cloud

Description

This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-05-05
  • Author: Teoderick Contreras, Splunk
  • ID: 834ba832-ad89-11eb-937d-acde48001122

ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion
T1562 Impair Defenses Defense Evasion

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_name = "DWORD (0x00000000)" by Registry.dest Registry.user Registry.registry_value_name 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Registry)` 
| `hide_user_account_from_sign_in_screen_filter`

Associated Analytic Story

How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as CarbonBlack or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.registry_value_name
  • Registry.dest Registry.user

Kill Chain Phase

  • Exploitation

Known False Positives

Unknown. Filter as needed.

RBA

Risk Score Impact Confidence Message
72.0 90 80 Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1