security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1147/T1147.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

31 lines
1.2 KiB
Markdown
Raw Blame History

# T1147 - Hidden Users
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1147)
<blockquote>Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: <code>sudo dscl . -create /Users/username UniqueID 401</code> (Citation: Cybereason OSX Pirrit).</blockquote>
## Atomic Tests
- [Atomic Test #1 - Hidden Users](#atomic-test-1---hidden-users)
<br/>
## Atomic Test #1 - Hidden Users
Add a hidden user on MacOS
**Supported Platforms:** macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | APT|
#### Run it with `sh`!
```
sudo dscl . -create /Users/#{user_name} UniqueID 333
```
<br/>
Reference in New Issue View Git Blame Copy Permalink