Skip to content

Hide Navigation Hide TOC

Hiding User Account Via SpecialAccounts Registry Key (f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd)

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Cluster A Galaxy A Cluster B Galaxy B Level
Hiding User Account Via SpecialAccounts Registry Key (f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd) Sigma-Rules Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 1
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2