atomic-red-team/atomics/T1147/T1147.md
2019-09-03 13:36:10 +00:00


T1147 - Hidden Users

Description from ATT&CK

Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in `/Library/Preferences/com.apple.loginwindow` called `Hide500Users` that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: `sudo dscl . -create /Users/username UniqueID 401` (Citation: Cybereason OSX Pirrit).

Atomic Tests


Atomic Test #1 - Hidden Users

Add a hidden user on macOS

Supported Platforms: macOS

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | APT |

Run it with sh!

```sh
sudo dscl . -create /Users/#{user_name} UniqueID 333
```
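
A defender-side check for this technique, as an added example that is not part of Atomic Red Team or ATT&CK: it parses a `dscl . -list /Users UniqueID` listing and flags unexpected accounts with a UniqueID under 500, raising the severity when `Hide500Users` is set. The built-in account allowlist, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input: the two-column "name UniqueID" listing printed by
#   dscl . -list /Users UniqueID
# Assumption: built-in accounts are "_"-prefixed names plus the list below;
# replace it with your own fleet baseline.
BUILTIN_USERS="root daemon nobody"

# Reads "name uid" lines on stdin; prints "name uid" for each unexpected
# account whose UniqueID is under 500.
flag_low_uid_users() {
    awk -v builtin="$BUILTIN_USERS" '
        BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) skip[b[i]] = 1 }
        NF < 2             { next }   # blank or malformed line
        $2 !~ /^-?[0-9]+$/ { next }   # UniqueID must be an integer
        $1 ~ /^_/          { next }   # "_"-prefixed service account
        ($1 in skip)       { next }   # allowlisted built-in account
        $2 + 0 < 500       { print $1, $2 }
    '
}

# Takes the value returned by
#   defaults read /Library/Preferences/com.apple.loginwindow Hide500Users
# and succeeds (exit 0) when the property is enabled.
hide500_enabled() {
    case "$1" in
        1|YES|Yes|yes|TRUE|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTING='_www      70
daemon    1
nobody    -2
root      0
alice     501
APT       333'

report() {  # $1 = listing text, $2 = Hide500Users value
    hits=$(printf '%s\n' "$1" | flag_low_uid_users)
    if [ -z "$hits" ]; then
        echo "OK: no unexpected accounts with UniqueID under 500"; return 0
    fi
    if hide500_enabled "$2"; then sev="HIGH (hidden at login window)"; else sev="MEDIUM"; fi
    printf '%s\n' "$hits" | while read -r name uid; do
        echo "$sev: account '$name' has UniqueID $uid"
    done
}

report "$SAMPLE_LISTING" 1
```

On a macOS host, pass the live output of the two commands named in the comments to `report` instead of the sample values.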