← Back to SOC feed Coverage →

Creation of a Local Hidden User Account by Registry

sigma HIGH SigmaHQ
T1136.001
imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-24T11:00:00Z · Confidence: medium

Hunt Hypothesis

Sysmon registry detection of a local hidden user account.

Detection Rule

Sigma (Original)

title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$\\(Default)" and ActingProcessName endswith "\\lsass.exe"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml