T1564.002 Hidden Users Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Winlogon\\SpecialAccounts\\UserList"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("net.exe", "net1.exe")
  | where ProcessCommandLine has "user" and ProcessCommandLine has "/add"
  | extend UserAdd = ProcessCommandLine has "/add"
  | extend ToAdmins = ProcessCommandLine has_any ("administrators", "admins")
  | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, UserAdd, ToAdmins
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification User Account: User Account Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceProcessEvents

False Positives

Administrators configuring service accounts that should not appear on the login screen for security reasons
Enterprise management tools (SCCM, MDM solutions) that create management accounts hidden from regular login screens
Built-in Windows service accounts that are legitimately hidden via the SpecialAccounts mechanism
IT staff creating dedicated administrator accounts that should not be visible to standard users

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
TargetObject="*Winlogon\\SpecialAccounts\\UserList*")
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720)
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4732 Message="*Administrators*")
| eval HiddenUserReg=if(match(TargetObject, "SpecialAccounts"), 1, 0)
| eval UserCreated=if(EventCode=4720, 1, 0)
| eval AddedToAdmins=if(EventCode=4732, 1, 0)
| table _time, host, User, EventCode, TargetObject, Details, Image, Message
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Sysmon EventCode 12/13 User Account: Windows Security EventCode 4720 Group: Windows Security EventCode 4732

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Administrators configuring service accounts hidden from login screens
Enterprise management tools creating management accounts
Built-in Windows service accounts legitimately hidden
IT staff creating dedicated hidden administrator accounts

Elastic Security (EQL)

eql

any where (
  (event.category == "registry" and event.type in ("creation", "change") and
   registry.path like "*Winlogon\\SpecialAccounts\\UserList*")
  or
  (event.category == "process" and event.type == "start" and
   process.name in~ ("net.exe", "net1.exe") and
   process.args : "user" and process.args : "/add")
  or
  (event.category == "iam" and event.action in ("user-created", "added-user-account"))
)

high severity high confidence

Data Sources

Windows Registry Events (Sysmon/Winlogbeat) Windows Process Events Windows Security Events via Winlogbeat

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-endpoint.events.iam-* winlogbeat-*

False Positives

System administrators legitimately hiding service or kiosk accounts from the Windows login screen using SpecialAccounts\UserList for UI cleanliness
IT provisioning scripts that create user accounts in bulk using net.exe as part of automated onboarding workflows
Security tools or endpoint management software (e.g., SCCM, Intune) that create local accounts during software deployment

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip, username, QIDNAME(qid) AS event_name,
       "TargetObject", "Details", "Image", LOGSOURCENAME(logsourceid) AS log_source,
       CATEGORYNAME(category) AS event_category
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (143, 12, 433)
  AND starttime > NOW() - 86400000
  AND (
    (QIDNAME(qid) LIKE '%Registry%' AND "TargetObject" LIKE '%SpecialAccounts%UserList%')
    OR
    ("EventID" IN ('4720') )
    OR
    ("EventID" IN ('4732') AND "Message" LIKE '%Administrators%')
    OR
    ("CommandLine" LIKE '%net%user%/add%' OR "CommandLine" LIKE '%net1%user%/add%')
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Event Log (Security) Sysmon via WinCollect or Wincollect Universal Windows audit events forwarded to QRadar

Required Tables

events

False Positives

Legitimate IT admin activity creating local accounts for shared workstations or kiosk systems that need to be hidden from login UI
Domain join scripts or Group Policy preferences that add accounts and configure SpecialAccounts registry entries as part of standard desktop imaging
Endpoint monitoring or backup agents that create local service accounts during installation using net.exe

Sumo Logic CSE

sql

_sourceCategory=windows* (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (EventCode=12 OR EventCode=13) AND TargetObject=*SpecialAccounts*UserList*)
  OR
  (sourcetype="WinEventLog:Security" AND (EventCode=4720 OR (EventCode=4732 AND Message=*Administrators*)))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1 AND (Image=*net.exe OR Image=*net1.exe) AND CommandLine=*user* AND CommandLine=*/add*)
)
| parse field=TargetObject "*" as registry_target nodrop
| parse field=CommandLine "net*user * /add" as added_user nodrop
| eval detection_type = if(!isnull(TargetObject) AND TargetObject matches ".*SpecialAccounts.*", "HiddenUserRegistry",
    if(EventCode="4720", "UserCreated",
    if(EventCode="4732", "AddedToAdmins",
    if(!isnull(CommandLine) AND CommandLine matches ".*user.*/add.*", "NetUserAdd", "Unknown"))))
| table _time, host, user, EventCode, TargetObject, Details, Image, CommandLine, Message, detection_type
| sort by _time desc

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational via Sumo Logic collector) Windows Security Event Log Sumo Logic Windows Collection Agent

Required Tables

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Automated account provisioning systems (e.g., Active Directory sync scripts, SCCM) that create local user accounts using net.exe as part of standard image deployment
Security hardening scripts that deliberately set SpecialAccounts\UserList entries to hide built-in or service accounts from the login screen as a CIS Benchmark control
IT help desk or remote support tools that temporarily create local admin accounts to support troubleshooting sessions

Google Chronicle / SecOps

yaral

rule hidden_user_account_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1564.002 Hidden Users via registry manipulation of SpecialAccounts\\UserList or suspicious local user account creation"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.002"
    reference = "https://attack.mitre.org/techniques/T1564/002/"

  events:
    (
      // Registry-based user hiding (Sysmon Event 12/13)
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e.target.registry.registry_key, `(?i)Winlogon\\SpecialAccounts\\UserList`)
    )
    or
    (
      // Windows Security: new user account created (Event 4720)
      $e.metadata.event_type = "USER_CREATION"
      and $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    )
    or
    (
      // Windows Security: user added to Administrators group (Event 4732)
      $e.metadata.event_type = "GROUP_MODIFICATION"
      and $e.target.group.group_display_name = /(?i)administrators/
      and $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    )
    or
    (
      // net.exe user add command
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)(net|net1)\.exe$`)
      and re.regex($e.target.process.command_line, `(?i)user.+/add`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Event Forwarding (WEF) Sysmon logs ingested via Chronicle forwarder Windows Security Events via Chronicle Windows Sensor

Required Tables

UDM Events (registry_modification, user_creation, group_modification, process_launch)

False Positives

Enterprise desktop management platforms (e.g., Tanium, BigFix) that programmatically create local accounts for agent operation and suppress them from the login UI
Kiosk mode configuration tools that deliberately hide administrator or service accounts from the Windows logon screen using the SpecialAccounts registry key as an intended feature
Privileged Access Workstation (PAW) hardening scripts that create local emergency access accounts and configure them as hidden per organizational security policy

CrowdStrike LogScale (CQL)

cql

// Hidden User Detection — T1564.002
// Branch 1: Registry modification to SpecialAccounts\UserList
#event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegKeyCreatedValue
| TargetObject = /SpecialAccounts\\UserList/i
| table([_time, ComputerName, UserName, TargetObject, RegValueName, RegValueData, ImageFileName, CommandLine])

// Branch 2: net.exe or net1.exe user add commands
| union (
    #event_simpleName=ProcessRollup2
    | FileName = /^(net|net1)\.exe$/i
    | CommandLine = /user.*/add/i
    | table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName])
)

// Branch 3: New local user account created (Windows Security Event 4720 via Sysmon)
| union (
    #event_simpleName=UserAccountCreated
    | table([_time, ComputerName, UserName, SubjectUserName, TargetUserName])
)
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring Falcon Process Activity (ProcessRollup2) Falcon Registry Activity Falcon Identity Events

Required Tables

RegGenericValueUpdate RegKeyCreatedValue ProcessRollup2 UserAccountCreated

False Positives

Windows deployment automation (e.g., MDT, WDS) that creates local accounts using net.exe during OS imaging and hides default service accounts via SpecialAccounts registry keys as part of the image template
Legitimate system management scripts run by IT administrators that create temporary local accounts for remote support or break-glass access scenarios
Endpoint security products or privileged access management tools that create local admin accounts with registry-based UI suppression to prevent end-user awareness of the account

Hidden Users

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections