Hide Artifacts: Hidden Users
Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
There is a property value in
Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex:
sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. .
|M1028||Operating System Configuration||
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the
This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.