T1564.002
Hide Artifacts: Hidden Users
Description from ATT&CK
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value
Hide500UserstoTRUEin the/Library/Preferences/com.apple.loginwindowplist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When theHide500Userskey value is set toTRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use thedsclutility to create hidden user accounts by setting theIsHiddenattribute to1. Adversaries can also hide a user’s home folder by changing thechflagsto hidden.(Citation: Apple Support Hide a User Account)Adversaries may similarly hide user accounts in Windows. Adversaries can set the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListRegistry key value to0for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the
gsettingscommand (ex:sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.
Atomic Tests
- Atomic Test #1: Create Hidden User using UniqueID < 500
- Atomic Test #2: Create Hidden User using IsHidden option
- Atomic Test #3: Create Hidden User in Registry
Atomic Test #1: Create Hidden User using UniqueID < 500
Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
Supported Platforms: macOS
auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_name | username to add | string | APT |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo dscl . -create /Users/#{user_name} UniqueID 333Cleanup Commands
sudo dscl . -delete /Users/#{user_name}Atomic Test #2: Create Hidden User using IsHidden option
Add a hidden user on macOS using IsHidden optoin
Supported Platforms: macOS
auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_name | username to add | string | APT |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
sudo dscl . -create /Users/#{user_name} IsHidden 1Cleanup Commands
sudo dscl . -delete /Users/#{user_name}Atomic Test #3: Create Hidden User in Registry
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen. Reference https://attack.mitre.org/techniques/T1564/002/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Supported Platforms: Windows
auto_generated_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user_password | Password for new user account | string | At0micRedTeam! |
| user_name | Username | string | AtomicOperator |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
NET USER #{user_name}$ #{user_password} /ADD /expires:never
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /t REG_DWORD /d 0Cleanup Commands
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /f >nul 2>&1
net user ${user_name}$ /delete >nul 2>&1Atomic test(s) for this technique last updated: 2023-02-13 23:10:37 UTC