Hide Artifacts: Hidden Users

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.[1] Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user’s home folder by changing the chflags to hidden.[2]

Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.[3][4]

On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).[5] Display Managers are not anchored to specific distributions and may be changed by a user or adversary.

ID: T1564.002
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Omkar Gudhate
Version: 1.2
Created: 13 March 2020
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
G0035 Dragonfly

Dragonfly has modified the Registry to hide created user accounts.[4]

G0094 Kimsuky

Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.[6]

S0649 SMOKEDHAM

SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. [3]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.

DS0022 File File Modification

Monitor for changes made to files that may use hidden users to mask the presence of user accounts they create or modify. Monitor for changes made to the /Library/Preferences/com.apple.loginwindow plist file for unexpected modifications to the Hide500Users key value on macOS.[1]

DS0009 Process Process Creation

Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.

DS0002 User Account User Account Creation

Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify.

User Account Metadata

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may mask the presence of user accounts they create or modify. On macOS, identify users with an userID under 500 and the Hide500Users key value in the /Library/Preferences/com.apple.loginwindow plist file set to TRUE.[1]

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry key or values for unexpected modifications of the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key.

References