New or Renamed User Account with '$' Character (cfeed607-6aa4-4bbd-9627-b637deb723c8)
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| New or Renamed User Account with '$' Character (cfeed607-6aa4-4bbd-9627-b637deb723c8) | Sigma-Rules | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |