Hide Artifacts: Hidden Users

Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.

There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. [1].

ID: T1564.002
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: macOS
Permissions Required: Administrator, root
Data Sources: File: File Modification, User Account: User Account Creation, User Account: User Account Metadata
Version: 1.0
Created: 13 March 2020
Last Modified: 31 July 2020


ID Mitigation Description
M1028 Operating System Configuration

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.


This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.