Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1001: Analytic 1001

Registry modifications to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList setting user visibility to 0, or creation of user accounts not shown on login screen. Defender view: correlation of account creation with registry edits that mark users hidden.

EnterpriseAN1001AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because hidden local Windows accounts can undermine executive confidence in access governance and incident containment. The ATT&CK object focuses on registry changes that hide accounts from the Windows logon screen, especially when correlated with account creation. For leaders, the practical question is whether the organization can prove that local account creation and account-hiding registry changes are visible, investigated, and governed.

Executive priority

Prioritize this as an identity and endpoint resilience validation item for Windows environments. It supports decisions around local administrator governance, SOC monitoring quality, incident response scoping, and audit evidence for account lifecycle controls. The business risk is not the registry key alone, but the possibility that an unauthorized or unmanaged account persists outside normal visibility and review processes.

Technical view

Validate whether Windows telemetry captures both sides of the analytic: local account creation and registry modification under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList where user visibility is set to 0. Because ATT&CK provides no tactic mapping, detection text, or relationship context for this analytic, SOC teams should treat it as a focused detection validation rather than a complete behavior chain. Correlation should distinguish expected administrative provisioning from suspicious account hiding behavior.

Likely telemetry

  • Windows security events or equivalent endpoint telemetry for local user account creation
  • Windows registry modification telemetry for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  • Endpoint detection and response telemetry showing process, user, and host context for registry edits
  • Asset and identity inventory showing authorized local accounts
  • Change-management or administrative activity records to support triage

Detection direction

  • Confirm collection of registry value changes under the Winlogon SpecialAccounts UserList path on Windows hosts.
  • Correlate account creation events with nearby registry edits that set account visibility to 0.
  • Tune for legitimate administrative workflows, build images, break-glass account handling, or endpoint management tools that may create or modify local accounts.
  • Alert quality should depend on context: account name, creating principal, host criticality, whether the account is authorized, and whether the registry edit was expected.
  • Review blind spots where registry auditing, EDR registry telemetry, or local account creation logging is absent or inconsistently retained.

Mitigation priorities

  • Maintain an approved inventory and ownership model for local Windows accounts, including break-glass accounts.
  • Restrict and monitor privileges capable of creating local accounts or modifying sensitive registry paths.
  • Use change-control evidence to separate authorized account administration from suspicious account hiding behavior.
  • Ensure incident response playbooks include validation of hidden local accounts during Windows host containment and recovery.
  • Periodically test telemetry and alerting for this behavior in representative Windows environments.
Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. It provides a specific Windows registry/account-correlation idea but no official detection logic, no tactics, and no relationship context. Glexia’s recommended use is as a control-validation and SOC engineering prompt: can the organization see and explain local account creation plus registry-based account hiding?

The supplied ATT&CK fields only support Windows scope and the described registry/account behavior. They do not support claims about adversary use, prevalence, attribution, impact, specific tools, or guaranteed detection. Local baselines and administrative processes are required to determine severity and false positives.

Official MITRE ATT&CK definition

Analytic 1001

Registry modifications to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList setting user visibility to 0, or creation of user accounts not shown on login screen. Defender view: correlation of account creation with registry edits that mark users hidden.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f0cd2273434d3b5a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f0cd2273434d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1001
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use