Blue Team-System Live Analysis [Part 7]- Windows: User Account Forensics- Categorization and Profiling

Let’s Connect | LinkedIn | Twitter

Here we are with the second phase of windows user accounts live forensics to categorize the local user accounts in a windows test system and profile them into four categories as follows:

  • Valid Users with Valid Groups and permissions
  • Valid Users with odd groups and permissions
  • Newly Created Users [Unknowns]
  • Missing Users!

Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the targeted system and form a standard system profile to look for any deviation accordingly.

Read more on previous parts: Users, Groups, and Privileges | User Account Forensics-Road Map

1. When users created?

One of the main steps in user account forensics is to check when the user is created and who created it! Especially for the newly created accounts where the system/network admins are not aware of them.

Check the user folders: Not really!

I came across many resources that checked the user folder creation time and considered it a fast way to determine when that user was created.

User Folder Creation Time

This is the user profile folder’s creation time and may not represent the user’s actual birthday! There is a chance that the user was created earlier than its profile folder!

Tip: We still need the folder creation time as it gives us an idea about the time gap between user creation and the First-time Login!!

Windows Event ID 4720

As we discussed earlier, if logs were enabled, we can use the event ID of 4720 to check when a user created and by who.

Windows Event Log for Created Users

The above result shows that the user sechub [Target Account]was created by Cyfohub [Subject] on 15 of March 2021.

Note: As shown in the different results above, the user “sechub” was created at 13:45 while the user profile folder was created at 14:22. This is the gap between user creation and the First-time Login.

There are other users and all created by Cyfohub, so what is the story behind this creator?!

Correlation: User and User folder Creation Time and Windows Install Date

The figure above shows the correlation between the user and user profile creation time and the windows installation time. You should have guessed correctly by now! The account was created during the first installation of Windows.

Windows registry and SAM hive

The SAM hive of windows registry is another great source of data to look for user account information in case the event logs are not available. The SAM hive located at HKEY_LOCAL_MACHINE\SAM, however, it is protected by the system account and can’t be viewed if the registry editor opens with the current account even if the account has admin rights.

To view the SAM hive the windows registry editor [regedit] must be opened with the system account by using tools such as PsExec.

SAM Hive in Windows Registry

Even though we can view the list of user accounts, we need the SAM hive parser tools such as RegRipper to get all related information.

Note: RegRipper cant access the SAM file located in system32\config, thus we need to save the hive into a file as follows:

Exporting SAM Hive

Now we can use the RegRipper to parse the SAM hive.

The RegRipper

The result will be saved into the text file we defined as a Report File:

User Creation Time from SAM Hive

2. When a user assigned to a group?

A simple net user command shows the sechub is part of the local admin group.

A User Account Group

Event ID 4732: A member was added to a security-enabled local group

Windows Event for User Account that has been added to a Group

The wevtutil command displays all the events with the ID of 4732 regardless of the group name.

Powershell helps us to display results for a particular group or user account. For instance, the command below shows the events with the ID of 4732 associated with the local administrator and sechub user accounts only[based on SID].

Powershell Command to obtain information for a specific user.

The sechub account was added to the admin group by Cyfohub on 15 MARCH 2021. The above commands can be used to obtain information about event ID 4733 to check if a user account was removed from a security-enabled local group.

3. Is there any hidden user?

A hacker who gained initial access to our system may create a user account to maintain access and hide it from the Windows login screen! There are many ways to hide a user account, and one is via the Windows registry.

Hiding Users via Registry

Reg Query

Reg query assists to obtain the list of users from the above location if there is any :

A hidden User in Registry


The RegScanner developed by Nirsoft is a GUI-based to receive information for Windows Registry.

Note: Do not copy any tool to the target systems; save all things you need on a forensically clean external storage and connect it to the victim system using write blockers.

RegScanner Scan Settings
RegScanner Scan Results

Note 1: The time shown by the above command and tool is the last time that registry key was updated [last-modified timestamp] or modified as the registry doesn’t keep a record of creation time.

Note 2: We cannot determine which user account made changes or modifications unless we use object access auditing to audit registry changes.

4. When a user Deleted?

We are mainly thinking of how hackers may misuse valid user accounts; however, they may also delete, disable or limit the account to interrupt legitimate accesses. Let’s look at the user accounts list again and focus on RIDs range 1XXX.

User Account on Test System

Why are the RIDs 1001 and 1005? What happened to 1000? How about 1002, 1003, and 1004? it’s an excellent question!

Fact 1: RID is given to user accounts at creation.

Fact 2: Any time a user is created, the RID increased by one.

Considering the facts above, we can say there were few user accounts deleted from that system. What are those deleted users? Event ID 4726 indicates a user accounts deletion.

Windows Event for Deleted Users

The above result shows that the user Meisam [Target Account]was deleted by Cyfohub [Subject] on 15 of March 2021. There are other deleted accounts as follows:

All Deleted Users on Test System

Four user accounts were deleted from our test system, as shown in the results above; however, we may only need to focus on 3 of them! Why!

Tip: Defaultuser0 is a default account used by windows during installation and up before any other user accounts have been created on the system. It will be deleted right after the first reboot during the installation.

5. Summary of Fininindg

The table below summarises all findings regarding the existing and deleted accounts [It’s just a template as a sample, and you can make it based on your style].

User Account Profiling Sample

For the above example, we need more verification and further investigation on red categories as they are tagged as suspicious. However, it's not the end of the story? Why!

Cybercriminals may misuse valid accounts like Cyfohub to carry out malicious activities; even though creation and privileges are normal, we need to look for other related information to look for potential attacks!

6. What’s Next!

  • Users’ Logon Sessions
  • Owned App and Services
  • Owned Processes and Files
  • Profiles and Searches
  • Environment Variables
  • Program Execution History

Stay safe and tuned….

by Meisam Eslahi