Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value
TRUE in the
/Library/Preferences/com.apple.loginwindow plist file. Every user has a userID associated with it. When the
Hide500Users key value is set to
TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the
dscl utility to create hidden user accounts by setting the
IsHidden attribute to
1. Adversaries can also hide a user’s home folder by changing the
chflags to hidden.
Adversaries may similarly hide user accounts in Windows. Adversaries can set the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to
0 for a specific user to prevent that user from being listed on the logon screen.
On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the
gsettings command (ex:
sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true). Display Managers are not anchored to specific distributions and may be changed by a user or adversary.
|M1028||Operating System Configuration||
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.
Monitor for changes made to files that may use hidden users to mask the presence of user accounts they create or modify. Monitor for changes made to the
Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.
|DS0002||User Account||User Account Creation||
Monitor for newly constructed user accounts, such as userIDs under 500 on macOS, that may mask the presence of user accounts they create or modify.
|User Account Metadata||
Monitor for contextual data about an account, which may include a username, user ID, environmental data that may mask the presence of user accounts they create or modify. On macOS, identify users with an userID under 500 and the
|DS0024||Windows Registry||Windows Registry Key Modification||
Monitor for changes made to windows registry key or values for unexpected modifications of the