T1564.002 Google Chronicle · YARA-L

Detect Hidden Users in Google Chronicle

Adversaries may use hidden users to hide the presence of user accounts they create or modify. On Windows, an account can be hidden from the login screen by creating a DWORD value named after the username under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList and setting it to 0. On macOS, adversaries can set a user's UID below 500 or set the UserShell property to /usr/bin/false to hide the account. Threat actors including Dragonfly and Kimsuky, and malware such as SMOKEDHAM, have used hidden user accounts for persistent backdoor access.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.002 Hidden Users
Canonical reference: https://attack.mitre.org/techniques/T1564/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule hidden_user_account_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1564.002 Hidden Users via registry manipulation of SpecialAccounts\\UserList or suspicious local user account creation"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.002"
    reference = "https://attack.mitre.org/techniques/T1564/002/"

  events:
    (
      // Registry-based user hiding (Sysmon Event 12/13)
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e.target.registry.registry_key, `(?i)Winlogon\\SpecialAccounts\\UserList`)
    )
    or
    (
      // Windows Security: new user account created (Event 4720)
      $e.metadata.event_type = "USER_CREATION"
      and $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    )
    or
    (
      // Windows Security: user added to Administrators group (Event 4732)
      $e.metadata.event_type = "GROUP_MODIFICATION"
      and $e.target.group.group_display_name = /(?i)administrators/
      and $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    )
    or
    (
      // net.exe user add command
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.target.process.file.full_path, `(?i)(net|net1)\.exe$`)
      and re.regex($e.target.process.command_line, `(?i)user.+/add`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1564.002 Hidden Users activity, including SpecialAccounts\UserList registry modifications that hide user accounts from the Windows login screen, new account creation events, administrative group membership changes, and net.exe user add commands. Each of the four event blocks is an independent OR branch, so a single matching event of any one kind fires the rule.
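To check the rule's matching logic outside Chronicle, here is an added Python example (not part of this page or the Argus rule) that applies the same four OR branches to constructed UDM-style events flattened to dotted keys, and adds one tuning refinement the rule itself does not make: treating only UserList writes whose DWORD data is 0 as an account being hidden. The field names target.registry.registry_value_name and target.registry.registry_value_data are assumed UDM paths.

```python
import re
SEC = "Microsoft-Windows-Security-Auditing"

# Constructed UDM-style events, flattened to dotted keys (not real Chronicle
# telemetry); the field paths mirror those used in the YARA-L rule above.
SAMPLE_EVENTS = [
    {"metadata.event_type": "REGISTRY_MODIFICATION",  # Sysmon 13: UserList value set to 0
     "target.registry.registry_key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
     "target.registry.registry_value_name": "svc_backup",
     "target.registry.registry_value_data": "DWORD (0x00000000)"},
    {"metadata.event_type": "USER_CREATION", "metadata.product_name": SEC, "target.user.userid": "svc_backup"},  # 4720
    {"metadata.event_type": "GROUP_MODIFICATION", "metadata.product_name": SEC, "target.group.group_display_name": "Administrators"},  # 4732
    {"metadata.event_type": "PROCESS_LAUNCH",  # net1 user ... /add (4688)
     "target.process.file.full_path": r"C:\Windows\System32\net1.exe",
     "target.process.command_line": "net1 user svc_backup /add"},
    {"metadata.event_type": "PROCESS_LAUNCH",  # enumeration only, no /add: must not match
     "target.process.file.full_path": r"C:\Windows\System32\net.exe",
     "target.process.command_line": "net user"},
]
KEY_RE = re.compile(r"Winlogon\\SpecialAccounts\\UserList", re.I)
NET_RE = re.compile(r"(net|net1)\.exe$", re.I)
ADD_RE = re.compile(r"user.+/add", re.I)

def matched_branches(ev):
    """Names of the rule's OR branches that one event satisfies (empty if none)."""
    t, prod, hits = ev.get("metadata.event_type"), ev.get("metadata.product_name"), []
    if t == "REGISTRY_MODIFICATION" and KEY_RE.search(ev.get("target.registry.registry_key", "")):
        hits.append("registry_userlist")
    if t == "USER_CREATION" and prod == SEC:
        hits.append("user_creation")
    if t == "GROUP_MODIFICATION" and prod == SEC and re.search(
            r"administrators", ev.get("target.group.group_display_name", ""), re.I):
        hits.append("admin_group_change")
    if t == "PROCESS_LAUNCH" and NET_RE.search(ev.get("target.process.file.full_path", "")) \
            and ADD_RE.search(ev.get("target.process.command_line", "")):
        hits.append("net_user_add")
    return hits

def is_hide_value(data):
    """True when UserList value data is DWORD 0 (hide); 1 re-exposes the account."""
    m = re.search(r"0x[0-9a-f]+|\d+", data, re.I)  # accepts Sysmon's 'DWORD (0x...)' or a bare number
    return m is not None and int(m.group(0), 16 if m.group(0).lower().startswith("0x") else 10) == 0

def hidden_account_writes(events):
    """Tuning refinement: usernames from UserList writes whose data is 0."""
    return [ev["target.registry.registry_value_name"] for ev in events
            if "registry_userlist" in matched_branches(ev)
            and is_hide_value(ev.get("target.registry.registry_value_data", ""))]
```

The value name under UserList is the username being hidden, so hidden_account_writes gives the analyst the account to pivot on directly.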

Data Sources

  • Google Chronicle SIEM with Windows Event Forwarding (WEF)
  • Sysmon logs ingested via Chronicle forwarder
  • Windows Security Events via Chronicle Windows Sensor

Required Tables

UDM Events (registry_modification, user_creation, group_modification, process_launch)

False Positives & Tuning

  • Enterprise desktop management platforms (e.g., Tanium, BigFix) that programmatically create local accounts for agent operation and suppress them from the login UI
  • Kiosk mode configuration tools that deliberately hide administrator or service accounts from the Windows logon screen using the SpecialAccounts registry key as an intended feature
  • Privileged Access Workstation (PAW) hardening scripts that create local emergency access accounts and configure them as hidden per organizational security policy

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Hidden User Account via Registry

    Expected signal: Windows Security Event ID 4720 (User Account Created) for HiddenTestUser. Sysmon Event ID 13 (Registry Value Set) for the SpecialAccounts key. Security Event ID 4688 for net.exe and reg.exe process creation.

  2. Test 2: Create Hidden Admin User Account

    Expected signal: Security Event ID 4720 (user created), 4732 (added to Administrators group), and 4688 three times (two net.exe launches and one reg.exe launch). Sysmon EventCode=13 for the SpecialAccounts registry modification.

  3. Test 3: Enumerate Hidden User Accounts

    Expected signal: Security Event ID 4688 for reg.exe process creation only. The reg query reads existing hidden accounts without modifying anything, so no registry write events (Sysmon 12/13) are generated and the rule's registry branch will not fire; only the process-launch telemetry is available for this test.
