Hide Artifacts: Hidden Users

Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many user accounts on a given system, or may want to keep an account hidden from the other users on the system.

In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. [1]

In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via Reg or other means) that will hide the user "test" from the Windows login screen: reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' /v test /t REG_DWORD /d 0 /f. [2][3]

ID: T1564.002
Sub-technique of: T1564
Tactic: Defense Evasion
Platforms: Windows, macOS
Permissions Required: Administrator, root
Contributors: Omkar Gudhate
Version: 1.1
Created: 13 March 2020
Last Modified: 14 October 2021

Procedure Examples

ID Name Description
G0074 Dragonfly 2.0: Dragonfly 2.0 modified the Registry to hide created user accounts. [3]
S0649 SMOKEDHAM: SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. [2]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration: If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.

Detection

ID Data Source Data Component
DS0017 Command: Command Execution
DS0022 File: File Modification
DS0009 Process: Process Creation
DS0002 User Account: User Account Creation, User Account Metadata
DS0024 Windows Registry: Windows Registry Key Modification

This technique prevents a user from showing up at the login screen, but all of the other signs of the user may still exist. For example, "hidden" users may still get a home directory and will still appear in the authentication logs.

Monitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key.
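As an added example (not part of the ATT&CK page or its references), the following Python check applies the two detection ideas above to constructed sample data: Windows lines modelled on Sysmon Event ID 13 (RegistryEvent, value set) fields, and macOS output in the format of `dscl . -list /Users UniqueID`. The event field layout and the account names are assumptions.

```python
import re

# Registry path named on the page; a per-user DWORD 0 beneath it hides that account.
USERLIST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Constructed sample log lines, modelled on Sysmon Event ID 13 fields (assumed layout).
WINDOWS_EVENTS = [
    r"EventType: SetValue TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\test Details: DWORD (0x00000000)",
    r"EventType: SetValue TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\helpdesk Details: DWORD (0x00000001)",
    r"EventType: SetValue TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details: explorer.exe",
]

# Constructed sample of `dscl . -list /Users UniqueID` output; account names are made up.
MACOS_DSCL = """\
_spotlight 89
daemon 1
nobody -2
root 0
alice 501
svc_backup 401
"""

REG_RE = re.compile(r"TargetObject: (?P<obj>.+?) Details: DWORD \((?P<data>0x[0-9A-Fa-f]+)\)")


def hidden_windows_users(events):
    """Return account names written under SpecialAccounts\\UserList with DWORD data 0."""
    hidden = []
    prefix = USERLIST_KEY.lower() + "\\"
    for line in events:
        m = REG_RE.search(line)
        if not m:
            continue  # not a DWORD value-set event
        obj = m.group("obj")
        if obj.lower().startswith(prefix) and int(m.group("data"), 16) == 0:
            hidden.append(obj[len(prefix):])  # value name == hidden account name
    return hidden


def hidden_macos_users(dscl_output, hide500users):
    """Return (name, uid) pairs the login window hides when Hide500Users is set.

    Apple's service accounts (underscore-prefixed, plus root/daemon/nobody) sit
    in the <= 500 range by design, so only other accounts are reported.
    """
    if not hide500users:
        return []
    builtin = {"root", "daemon", "nobody"}
    found = []
    for line in dscl_output.splitlines():
        name, uid = line.split()
        if int(uid) <= 500 and not name.startswith("_") and name not in builtin:
            found.append((name, int(uid)))
    return found
```

Running the same logic over real sensor exports only needs the field regex adjusted to the sensor's schema.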

References