Description
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user’s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account)
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)
On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.
Platforms
Mitigations (1)
Operating System ConfigurationM1028
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has modified the Registry to hide created user accounts.(Citation: US-CERT TA18-074A) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has run <code>reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Use... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0649 | SMOKEDHAM | Malware | [SMOKEDHAM](https://attack.mitre.org/software/S0649) has modified the Registry to hide created user accounts from the Windows logon screen. (Citation:... |
References
- Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.
- Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
Frequently Asked Questions
What is T1564.002 (Hidden Users)?
T1564.002 is a MITRE ATT&CK technique named 'Hidden Users'. It belongs to the Stealth tactic(s). Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want...
How can T1564.002 be detected?
Detection of T1564.002 (Hidden Users) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.002?
There are 1 documented mitigations for T1564.002. Key mitigations include: Operating System Configuration.
Which threat groups use T1564.002?
Known threat groups using T1564.002 include: Dragonfly, Kimsuky.