Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: <code>sudo dscl . -create /Users/username UniqueID 401</code>) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-6 | Configuration Settings | Protects | T1564.002 | Hidden Users |
| CM-7 | Least Functionality | Protects | T1564.002 | Hidden Users |
| SI-4 | System Monitoring | Protects | T1564.002 | Hidden Users |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1564.002 | Hide Artifacts: Hidden Users |