T1564.002 - Hidden Users
Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in `/Library/Preferences/com.apple.loginwindow` called `Hide500Users` that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: `sudo dscl . -create /Users/username UniqueID 401`) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).
Atomic Test #1 - Create Hidden User using UniqueID < 500
Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
user_name | username to add | string | APT |

```sh
# Create the account with a UniqueID below 500
sudo dscl . -create /Users/#{user_name} UniqueID 333
# Cleanup: remove the test account
sudo dscl . -delete /Users/#{user_name}
```
Atomic Test #2 - Create Hidden User using IsHidden option
Add a hidden user on macOS using IsHidden option
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
user_name | username to add | string | APT |

```sh
# Create the account with the IsHidden attribute set
sudo dscl . -create /Users/#{user_name} IsHidden 1
# Cleanup: remove the test account
sudo dscl . -delete /Users/#{user_name}
```
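
A defender-side audit for both hiding methods covered above, as an added example that is not part of the original page: it flags non-system accounts with a UniqueID below 500 or with IsHidden set to 1, and reports the `Hide500Users` value. The function names, the system-account allowlist and the assumed "name value" line format of `dscl . -list` output are assumptions of this example; the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit local accounts for the two hiding methods above.
# audit reads `dscl . -list /Users <attr>` output on stdin, assumed to be
# one "name value" pair per line. Function names here are hypothetical.

# $1 = mode: "uid" flags UniqueID < 500, "hidden" flags IsHidden set to 1.
audit() {
  awk -v mode="$1" '
    # Heuristic allowlist (assumption): Apple service accounts start with "_";
    # root, daemon and nobody are built in. A name prefix alone is not proof
    # of a legitimate account, so also compare against a known-good baseline.
    function system_acct(n) {
      return n ~ /^_/ || n == "root" || n == "daemon" || n == "nobody"
    }
    system_acct($1) { next }
    mode == "uid" && $2 ~ /^[0-9]+$/ && $2 + 0 < 500 { print $1 ":" $2 }
    mode == "hidden" && $2 == "1" { print $1 }
  '
}

# Constructed samples of dscl output (not taken from a real host).
sample_uids() {
  printf '%s\n' '_www 70' 'daemon 1' 'nobody -2' 'root 0' 'alice 501' 'APT 333'
}
sample_hidden() {
  printf '%s\n' '_www' 'alice' 'bob 0' 'APT 1'
}

if [ "$(uname)" = "Darwin" ]; then
  echo "Non-system accounts with UniqueID < 500:"
  dscl . -list /Users UniqueID | audit uid
  echo "Accounts with IsHidden set:"
  dscl . -list /Users IsHidden | audit hidden
  printf 'Hide500Users: '
  defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null || echo "not set"
else
  # Off macOS, run against the constructed samples instead.
  sample_uids | audit uid
  sample_hidden | audit hidden
fi
```

Any account the audit prints should be matched against provisioning records; an unexplained entry together with `Hide500Users` enabled corresponds to the concealment described in the technique text.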