EXPLORE
Sign In
← Back to Explore
T1564.002

Hidden Users

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adv...

macOSWindowsLinux
8
Detections
2
Sources
2
Threat Actors

BY SOURCE

4elastic4sigma

PROCEDURES (6)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Registry1 detections

Auto-extracted: 1 detections for registry

Registry1 detections

Auto-extracted: 1 detections for registry

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (2)

DragonflyKimsuky

DETECTIONS (8)

Creation of a Hidden Local User Account
elastichigh
Hidden User Creation
sigmamedium
Hiding User Account Via SpecialAccounts Registry Key
sigmahigh
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
sigmamedium
Potential Hidden Local User Account Creation
elasticmedium
Potential Suspicious Activity Using SeCEdit
sigmamedium
Unusual Interactive Shell Launched from System User
elasticmedium
Unusual Login via System User
elasticmedium