Hide Artifacts: Hidden Users
Other sub-techniques of Hide Artifacts (7)
ID | Name |
---|---|
T1564.001 | Hidden Files and Directories |
T1564.002 | Hidden Users |
T1564.003 | Hidden Window |
T1564.004 | NTFS File Attributes |
T1564.005 | Hidden File System |
T1564.006 | Run Virtual Instance |
T1564.007 | VBA Stomping |
Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
There is a property value in `/Library/Preferences/com.apple.loginwindow` called `Hide500Users` that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: `sudo dscl . -create /Users/username UniqueID 401`) and enabling this property (setting it to Yes), an adversary can conceal user accounts. [1]
Mitigations
Mitigation | Description |
---|---|
Operating System Configuration | If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the |
Detection
This technique prevents the new user from showing up at the login screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.
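The residual signs described above can be checked directly. The following is an added example, not part of the ATT&CK page: it flags accounts with a userID of 500 or lower that still own a home directory under /Users and reports whether Hide500Users would hide them. The function names, the `name uid home` input layout, the assumption that homes live under /Users, and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ATT&CK page. Assumes account homes live under /Users.
HIDE_MAX_UID=500   # per the page: userIDs 500 and lower are hidden

# Interpret the value printed on a Mac by:
#   defaults read /Library/Preferences/com.apple.loginwindow Hide500Users
hide500_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: "name uid home" per line, merged on a Mac from
#   dscl . -list /Users UniqueID   and   dscl . -list /Users NFSHomeDirectory
# stdout: name:uid:home for low-UID accounts that own a home under /Users
find_hidden_candidates() {
    awk -v max="$HIDE_MAX_UID" '
        NF < 3 || $2 !~ /^[0-9]+$/ { next }   # skip malformed lines
        $3 == "/Users/Shared"      { next }   # shared folder, not a login home
        $2 + 0 <= max && $3 ~ /^\/Users\// { print $1 ":" $2 ":" $3 }
    '
}

# Constructed sample records, not real output. "username" with UID 401
# mirrors the dscl command quoted on the page.
sample_records() {
    cat <<'EOF'
root 0 /var/root
daemon 1 /var/root
_www 70 /Library/WebServer
username 401 /Users/username
alice 501 /Users/alice
EOF
}

# $1 = Hide500Users value; records on stdin. Prints one line per finding.
report() {
    hits=$(find_hidden_candidates)
    if [ -z "$hits" ]; then echo "no low-UID accounts with /Users homes"; return 0; fi
    if hide500_enabled "$1"; then state="ENABLED, hidden at login window"
    else state="disabled, shown at login window"; fi
    printf '%s\n' "$hits" | while IFS= read -r h; do
        echo "$h [Hide500Users $state]"
    done
}

sample_records | report "YES"
```

An account whose home directory was placed outside /Users will not match this filter, so the authentication logs remain the complementary check.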