https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144926#M8431 <P>Thank you for bringing this False Positive to our attention. We also had a TAC case filed on this and the issue has since been resolved. If you see the issue occur again, please open a TAC case so we can get it addressed quickly.</P> <P>Thanks,</P> <P>Matt</P> Mon, 15 Jul 2024 12:20:17 GMT Matthew Franks 2024-07-15T12:20:17Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144912#M8429 <P>Good morning,</P><P>Anyone else who uses Citrix and Secure Endpoint seeing alerts for Hidden User Created with the value&nbsp;CtxPkmService&nbsp;being added into&nbsp;\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList ?</P><P>This looks a FP to me. Started happening past 24 hours.<BR />Thank you for your time and help.</P> Mon, 15 Jul 2024 11:48:09 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144912#M8429 ventaran 2024-07-15T11:48:09Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144918#M8430 <P>Hi there!</P><P>We have had the same Issue last Thursday.&nbsp;It appears that the alert is related to a specific Citrix version update to the Workspace Client. We consider it a false positive, especially since no hidden user has been created permanently.</P><P>Regards, Frank</P> Mon, 15 Jul 2024 12:03:41 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144918#M8430 flindemann 2024-07-15T12:03:41Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144926#M8431 <P>Thank you for bringing this False Positive to our attention. We also had a TAC case filed on this and the issue has since been resolved. If you see the issue occur again, please open a TAC case so we can get it addressed quickly.</P> <P>Thanks,</P> <P>Matt</P> Mon, 15 Jul 2024 12:20:17 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144926#M8431 Matthew Franks 2024-07-15T12:20:17Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144958#M8432 <P>This is still occurring Matt.&nbsp;</P><P>We're seeing these 'Hidden User Created' detections for the Citrix 'CtxPkmService' alerts from AMP as recently as 15 minutes ago.&nbsp;</P> Mon, 15 Jul 2024 12:53:54 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144958#M8432 TaylorOfTheCave 2024-07-15T12:53:54Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144972#M8433 <P>Interesting. I'll reach out to the developers and see what we can do. Do you have a TAC case open I can reference?</P> <P>Thanks,</P> <P>-Matt</P> Mon, 15 Jul 2024 13:16:30 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144972#M8433 Matthew Franks 2024-07-15T13:16:30Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144975#M8434 <P>I'd suggest trying to update your signatures considering that is how it was resolved.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MatthewFranks_0-1721049538842.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/223450i0FE5113C93F6BED3/image-size/medium?v=v2&amp;px=400" role="button" title="MatthewFranks_0-1721049538842.png" alt="MatthewFranks_0-1721049538842.png" /></span></P> <P>In case that doesn't work, what connector version are you on?</P> <P>-Matt</P> Mon, 15 Jul 2024 13:19:18 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144975#M8434 Matthew Franks 2024-07-15T13:19:18Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144995#M8435 <P>I do see all of the clients who reported the FP also did Signature/Policy/Component updates within a few minutes of the detection so my expectation is that these clients had been offline since before the update was pushed via policy and they just did the scan/detection before they did the signature update.&nbsp;</P><P>I've updated our TAC case to reference that it's likely due to an order-of-operations issue with the definition update and the scan.</P> Mon, 15 Jul 2024 14:04:48 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5144995#M8435 TaylorOfTheCave 2024-07-15T14:04:48Z https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5145039#M8436 <P>We had a similar issue that started on July 9 and continued to July 12.&nbsp; Was correlated with a Citrix Receiver update.&nbsp;</P> Mon, 15 Jul 2024 15:36:04 GMT https://community.cisco.com/t5/endpoint-security/hidden-user-created-ctxpkmservice/m-p/5145039#M8436 jplopper 2024-07-15T15:36:04Z