Thursday, April 11, 2013


As is the case with many of the RegRipper plugins, the plugin initially came about because of something I read about, and after running it, it actually found what I was looking for in the wild.

Beneath the Winlogon key (specifically, HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon), there may be a subkey path of "SpecialAccounts\UserList".  The values listed beneath the UserList key would be user account names, and if the data associated with a value is "0", then that account will not appear on the Welcome screen (any value greater than 0 allows the account to appear on the Welcome logon screen).

I've seen this used twice in the wild...once, it worked, and the second time, the bad guy had misspelled "SpecialAccounts", and as such, the functionality that they were trying to achieve wasn't realized.  Sometimes, a little attention to detail can go a long way.

There is malware that uses these Registry keys to keep new user accounts hidden from view on a live system, such as TrojanSpy:Win32/Ursnif , Trojan:Win32/Starter, and EyeStye.  As such, this plugin can provide indicators of a malware infection, an intrusion, or of malicious user intent on the system.  However, keep in mind, that this functionality can also be used for legitimate purposes, such as hiding an Administrator or HelpDesk account from view on the Welcome screen.

As of this writing, Corey Harrell and I are finishing updates to a number of plugins, and looking at merging plugins where appropriate.  As the information that we're looking for with the plugin is beneath the Winlogon key, I've rolled the functionality into the plugin, and retired the plugin.

So, the functionality isn't going away...rather, it's going to be incorporated into an existing plugin.

No comments: