Detection Strategy for Hidden User Accounts

Technique Detected: Hidden Users | T1564.002

ID: DET0353
Domains: Enterprise
Analytics: AN1001, AN1002, AN1003
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1001

Registry modifications to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList that set a user's visibility value to 0, or creation of user accounts that are not shown on the login screen. Defender view: correlation of account creation with registry edits that mark users hidden.

Log Sources

Data Component | Name | Channel
User Account Creation (DC0014) | WinEventLog:Security | EventCode=4720
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13

Mutable Elements

Field | Description
AccountScope | Restrict monitoring to privileged or unexpected accounts.
BaselineHiddenUsers | Whitelist accounts that are intentionally hidden by administrators.
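
The AN1001 correlation, sketched as an added example (not part of the original analytic): Sysmon EventCode=13 writes of 0 under the UserList key are matched to a preceding EventCode=4720 for the same account, with BaselineHiddenUsers applied as an allowlist. The event dictionaries are constructed samples, and the 10-minute window, the severity labels and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Key prefix as Sysmon renders it (HKLM abbreviation), with trailing backslash.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" + "\\"

def sysmon13(time, target, details):
    return {"src": "Sysmon", "id": 13, "time": time, "TargetObject": target, "Details": details}

# Constructed sample events (not real telemetry), already normalised to dicts.
EVENTS = [
    {"src": "Security", "id": 4720, "time": "2025-10-21T10:00:05", "TargetUserName": "support1"},
    sysmon13("2025-10-21T10:00:40", KEY + "support1", "DWORD (0x00000000)"),
    sysmon13("2025-10-21T11:00:00", KEY + "kiosk_admin", "DWORD (0x00000000)"),
    sysmon13("2025-10-21T11:05:00", KEY + "olduser", "DWORD (0x00000001)"),
    sysmon13("2025-10-21T12:00:00", KEY + "helpdesk", "DWORD (0x00000000)"),
    sysmon13("2025-10-21T12:30:00", r"HKLM\SOFTWARE\Example\Setting", "DWORD (0x00000000)"),
]

def hidden_user(ev):
    """Return the account name if a Sysmon 13 event sets a UserList value to 0."""
    if ev["src"] != "Sysmon" or ev["id"] != 13:
        return None
    path = ev["TargetObject"]
    if not path.lower().startswith(KEY.lower()):
        return None
    try:
        value = int(ev["Details"].split("(")[1].rstrip(")"), 16)
    except (IndexError, ValueError):
        return None  # not a DWORD write we can interpret
    name = path[len(KEY):]
    return name if name and value == 0 else None

def detect(events, baseline_hidden=frozenset(), window=timedelta(minutes=10)):
    """Alert on hidden-user writes; 'high' if the account was created within `window` (assumed)."""
    baseline = {name.lower() for name in baseline_hidden}
    created, alerts = {}, []  # created: lower-cased account name -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["src"] == "Security" and ev["id"] == 4720:
            created[ev["TargetUserName"].lower()] = ts
            continue
        user = hidden_user(ev)
        if user is None or user.lower() in baseline:
            continue
        made = created.get(user.lower())
        severity = "high" if made is not None and ts - made <= window else "medium"
        alerts.append({"user": user, "time": ev["time"], "severity": severity})
    return alerts
```

A hide write with no matching creation is still reported at the lower severity, since an existing account can be hidden long after it was created.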

AN1002

Use of gsettings or direct Display Manager modifications to hide users from the greeter login screen. Defender view: anomalous command execution modifying org.gnome.login-screen or other greeter configurations.

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | auditd:EXECVE | Execution of gsettings set org.gnome.login-screen disable-user-list true
File Modification (DC0061) | auditd:FILE | Modification of Display Manager configuration files (/etc/gdm3/*, /etc/lightdm/*)

Mutable Elements

Field | Description
DisplayManagerScope | Specify which Display Managers are in use to minimize noise.

AN1003

User creation or modification via dscl with IsHidden=1, UID<500, or plist edits to the com.apple.loginwindow Hide500Users flag. Defender view: correlation of hidden account attributes with login screen exclusion.

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | Execution of dscl . create with IsHidden=1
File Modification (DC0061) | macos:unifiedlog | Modification of /Library/Preferences/com.apple.loginwindow plist
User Account Metadata (DC0013) | macos:unifiedlog | Creation of user account with UID <500

Mutable Elements

Field | Description
UIDThreshold | Tune detection based on acceptable UID ranges for hidden/system accounts.
PlistScope | Restrict plist monitoring to com.apple.loginwindow to reduce false positives.