Detect Hidden Users in Sumo Logic CSE
Adversaries may use hidden users to conceal the presence of user accounts they create or modify. On Windows, an account can be hidden from the login screen by creating a DWORD value named after the account, set to 0, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList. On macOS, adversaries can set a user's UID below 500 or set the account's UserShell property to /usr/bin/false to hide it. Threat actors including Dragonfly and Kimsuky, and the SMOKEDHAM backdoor, have used hidden user accounts for persistent backdoor access.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.002 Hidden Users
- Canonical reference: https://attack.mitre.org/techniques/T1564/002/
Sumo Detection Query
_sourceCategory=windows* (
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (EventCode=12 OR EventCode=13) AND TargetObject=*SpecialAccounts*UserList*)
OR
(sourcetype="WinEventLog:Security" AND (EventCode=4720 OR (EventCode=4732 AND Message=*Administrators*)))
OR
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1 AND (Image=*net.exe OR Image=*net1.exe) AND CommandLine=*user* AND CommandLine=*/add*)
)
// Extract the account named by the registry value (...\UserList\<name>) and by "net user <name> ... /add";
// nodrop keeps events that do not match either pattern
| parse regex field=TargetObject "UserList\\(?<hidden_user>[^\\]+)$" nodrop
| parse regex field=CommandLine "user\s+(?<added_user>\S+)" nodrop
// Label each event; nested if() so the first matching branch wins
| if(!isNull(TargetObject) and TargetObject matches "*SpecialAccounts*", "HiddenUserRegistry",
if(EventCode="4720", "UserCreated",
if(EventCode="4732", "AddedToAdmins",
if(!isNull(CommandLine) and CommandLine matches "*user*/add*", "NetUserAdd", "Unknown")))) as detection_type
| fields _time, host, user, EventCode, TargetObject, Details, hidden_user, Image, CommandLine, added_user, Message, detection_type
| sort by _time desc

Detects hidden user account activity on Windows, including registry modifications to SpecialAccounts\UserList that hide users from the login screen, new local user account creation (Event ID 4720), users added to the Administrators group (Event ID 4732), and net.exe user-add commands seen in Sysmon process-creation events.
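The query's labelling logic re-implemented in Python and run over constructed sample events, as an added example that is not part of the original rule. It assumes event field names that mirror the query's (sourcetype, EventCode, TargetObject, Image, CommandLine, Message); the "user" field on the 4720/4732 events is a constructed simplification of the real target-user fields. It goes one step beyond the query by correlating the labels per account, so an account that is both created and then hidden surfaces first.

```python
import re
from collections import defaultdict

# Constructed sample events; field names mirror the ones the query uses.
# "user" on 4720/4732 stands in for the real TargetUserName/MemberName fields.
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"
USERLIST = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user HiddenTestUser P@ssw0rd! /add"},
    {"sourcetype": SECURITY, "EventCode": 4720, "user": "HiddenTestUser"},
    {"sourcetype": SYSMON, "EventCode": 13, "TargetObject": USERLIST + r"\HiddenTestUser", "Details": "DWORD (0x00000000)"},
    {"sourcetype": SECURITY, "EventCode": 4732, "user": "HiddenTestUser", "Message": "Group Name: Administrators"},
    {"sourcetype": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

NET_USER_ADD = re.compile(r"net1?(?:\.exe)?\s+user\s+(\S+)\s.*?/add", re.IGNORECASE)
USERLIST_ENTRY = re.compile(r"SpecialAccounts\\UserList\\([^\\]+)$", re.IGNORECASE)

def classify(ev):
    """Same branches as the query's detection_type, plus the account each event names.
    Returns (detection_type, user) or None where the query would not match. Like the
    query, it does not inspect Details: a value of 1 (unhide) or a deletion (Event 12) also matches."""
    code, st = ev.get("EventCode"), ev.get("sourcetype")
    reg = USERLIST_ENTRY.search(ev.get("TargetObject", ""))
    if st == SYSMON and code in (12, 13) and reg:
        return "HiddenUserRegistry", reg.group(1)
    if st == SECURITY and code == 4720:
        return "UserCreated", ev.get("user")
    if st == SECURITY and code == 4732 and "Administrators" in ev.get("Message", ""):
        return "AddedToAdmins", ev.get("user")
    cmd = NET_USER_ADD.search(ev.get("CommandLine", ""))
    if st == SYSMON and code == 1 and cmd and ev.get("Image", "").lower().endswith(("net.exe", "net1.exe")):
        return "NetUserAdd", cmd.group(1)
    return None

def correlate(events):
    """Map each account to the sorted list of detection types seen for it."""
    by_user = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_user[hit[1]].add(hit[0])
    return {u: sorted(t) for u, t in by_user.items()}

def created_then_hidden(events):
    """Accounts both created (4720 or net user /add) and hidden via UserList: triage these first."""
    return [u for u, t in correlate(events).items()
            if "HiddenUserRegistry" in t and {"UserCreated", "NetUserAdd"} & set(t)]
```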
False Positives & Tuning
- Automated account provisioning systems (e.g., Active Directory sync scripts, SCCM) that create local user accounts using net.exe as part of standard image deployment
- Security hardening scripts that deliberately set SpecialAccounts\UserList entries to hide built-in or service accounts from the login screen as a CIS Benchmark control
- IT help desk or remote support tools that temporarily create local admin accounts to support troubleshooting sessions
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Hidden User Account via Registry
  Expected signal: Windows Security Event ID 4720 (User Account Created) for HiddenTestUser; Sysmon Event ID 13 (Registry Value Set) for the SpecialAccounts\UserList key; Security Event ID 4688 for net.exe and reg.exe process creation.
- Test 2: Create Hidden Admin User Account
  Expected signal: Security Event ID 4720 (user created), 4732 (added to the Administrators group), and 4688 for two net.exe executions and one reg.exe execution; Sysmon Event ID 13 for the SpecialAccounts registry modification.
- Test 3: Enumerate Hidden User Accounts
  Expected signal: Security Event ID 4688 for reg.exe process creation only. The reg query creates no accounts or registry values; it lists the hidden accounts that already exist, so no registry write events are generated.
References
- https://attack.mitre.org/techniques/T1564/002/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
- https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-credential-providers
- https://www.mandiant.com/resources/blog/smokedham-backdoor-delivers-cobalt-strike