feat(rules): Hidden local account creation

Identifies the creation of a hidden local account. Adversaries can create hidden accounts by appending the dollar sign to the account name. This technique renders the account name hidden to user enumeration tools such as net user and effectively bypasses detections.

Author: rabbitstack

rules/persistence_hidden_local_account_creation.yml

@@ -0,0 +1,28 @@
+name: Hidden local account creation
+id: bfa83754-3730-4c46-a0fd-cc71365f64df
+version: 1.0.0
+description: |
+  Identifies the creation of a hidden local account. Adversaries can create hidden accounts by
+  appending the dollar sign to the account name. This technique renders the account name hidden
+  to user enumeration tools such as `net user` and effectively bypasses detections.
+labels:
+  tactic.id: TA0003
+  tactic.name: Persistence
+  tactic.ref: https://attack.mitre.org/tactics/TA0003/
+  technique.id: T1136
+  technique.name: Create Account
+  technique.ref: https://attack.mitre.org/techniques/T1136/
+  subtechnique.id: T1136.001
+  subtechnique.name: Local Account
+  subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/
+
+condition: >
+  set_value and registry.key.name imatches 
+    (
+      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\',
+      'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\'
+    )
+
+severity: high
+
+min-engine-version: 2.0.0