Hidden Users

Information

• Name: Hidden Users

• ID: T1564.002

• Tactics: TA0005

• Technique: T1564

Introduction

Hidden Users (T1564.002) is a sub-technique within MITRE ATT&CK's "Hide Artifacts" technique (T1564). Attackers leverage this method to conceal unauthorized user accounts or manipulate existing user accounts to remain undetected within compromised systems. By hiding user accounts, adversaries can maintain persistent access, evade detection from security personnel or automated monitoring, and prolong their operational presence within the targeted environment.

Deep Dive Into Technique

Hidden Users involve the deliberate concealment or obfuscation of user accounts on compromised systems. Attackers achieve this through various technical methods, depending on the operating system and environment:

• Windows Systems:

  • Manipulation of registry keys, especially the SpecialAccounts registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList), to hide user accounts from login screens and user management interfaces.

  • Creation of user accounts with names resembling legitimate system accounts (e.g., "DefaultAccount," "WDAGUtilityAccount") to blend in with standard users.

  • Modification of security descriptors or permissions to restrict visibility of the account from standard administrative tools and interfaces.

  • Using command-line tools such as net user username /active:no to disable visibility of accounts at login screens.

  • Injecting user accounts directly into system files or directories to evade standard enumeration tools.

• Linux/Unix Systems:

  • Creating user accounts with User IDs (UID) below 1000 to mimic system accounts, thus hiding them from standard user listings.

  • Editing /etc/passwd and /etc/shadow files to manipulate user entries, making them harder to detect.

  • Prefixing usernames with periods (.) or spaces to obscure their visibility in standard command outputs.

  • Modifying binaries such as who, w, lastlog, or utmp to prevent enumeration of specific user accounts.

  • Using rootkits or Loadable Kernel Modules (LKMs) to intercept system calls and hide certain user accounts from administrative tools.

Attackers may combine these techniques with other persistence mechanisms, such as scheduled tasks, startup scripts, or malicious services, to ensure continued access to the compromised host.

When this Technique is Usually Used

Hidden Users are typically employed during specific stages and scenarios within an attack lifecycle:

• Persistence Stage: Attackers establish hidden user accounts to maintain long-term access to compromised systems, even after initial entry vectors are remediated.

• Privilege Escalation and Credential Access: Hidden accounts may be created after successful privilege escalation to preserve elevated privileges without detection.

• Defense Evasion: Concealing user accounts allows adversaries to evade detection by endpoint security solutions, system administrators, or incident response teams actively monitoring user account activities.

• Lateral Movement: Attackers may use hidden accounts to move laterally within an environment, accessing additional resources unnoticed.

• Advanced Persistent Threat (APT) Operations: Nation-state actors frequently use hidden user accounts as part of their long-term espionage campaigns to maintain stealthy and persistent access.

How this Technique is Usually Detected

Detecting hidden users requires proactive monitoring, advanced detection tools, and diligent administrative practices:

• User Account Auditing:

  • Regularly audit user accounts and group memberships on all systems.

  • Compare current user accounts against known baseline configurations to identify unauthorized or suspicious accounts.

  • Monitor registry keys (Windows) and system files (/etc/passwd, /etc/shadow, /etc/group on Linux) for unauthorized changes.

• Endpoint Detection and Response (EDR) Solutions:

  • Deploy EDR tools capable of detecting anomalous account creation, modification, or deletion events.

  • Configure alerts for suspicious user account creation patterns, such as accounts with system-level naming conventions or accounts created during unusual hours.

• Log Monitoring and Analysis:

  • Continuously monitor and analyze security logs, Windows Event Logs (Event IDs 4720, 4722, 4738), and Linux audit logs (/var/log/auth.log, /var/log/secure) for suspicious account-related activities.

  • Look for anomalies in login attempts, successful logins from hidden accounts, or failed login attempts from unexpected accounts.

• Integrity Checking and Rootkit Detection:

  • Use file integrity monitoring (FIM) tools to detect unauthorized modifications to critical system files and binaries.

  • Employ rootkit detection tools such as Rootkit Hunter (rkhunter), chkrootkit, or OSSEC to detect hidden accounts and malicious kernel modules.

Indicators of Compromise (IoCs)

• Unusual or unauthorized user accounts with system-like naming conventions.

• Hidden registry entries under SpecialAccounts registry keys (Windows).

• User accounts with UID/GID below 1000 or unusual home directories (/dev/null, /var/tmp).

• Modified system binaries (who, w, lastlog) or discrepancies between /etc/passwd and /etc/shadow.

Why it is Important to Detect This Technique

Early detection of hidden user accounts is critical due to their significant potential impact on organizational security:

• Prolonged Persistence: Hidden accounts enable attackers to maintain persistent, long-term access, even after initial compromise vectors are remediated.

• Elevated Privileges and Credential Theft: Hidden accounts may possess administrative privileges, allowing attackers to escalate privileges, access sensitive data, or perform unauthorized actions.

• Stealthy Reconnaissance and Data Exfiltration: Attackers can quietly move laterally, conduct reconnaissance, and exfiltrate sensitive information without arousing suspicion.

• Increased Difficulty of Remediation: Undetected hidden accounts complicate incident response, remediation, and forensic investigations, leading to extended downtime and increased costs.

• Compliance and Regulatory Risks: Failure to detect unauthorized accounts may lead to compliance violations, regulatory fines, or legal consequences.

Detecting hidden user accounts promptly reduces the attackers' dwell time, mitigates potential damage, and significantly improves an organization's overall security posture.

Examples

Real-world examples illustrating the use of hidden user accounts include:

• APT29 (Cozy Bear):

  • Known to create hidden user accounts on compromised Windows systems, leveraging registry manipulation and obscure naming conventions to blend in with legitimate system accounts.

  • Utilized hidden accounts for persistent, stealthy access during espionage campaigns targeting government and private organizations.

• Carbanak Group:

  • Created hidden administrative accounts on compromised banking infrastructure, enabling persistent access and prolonged data theft operations.

  • Used hidden accounts to evade detection, conduct lateral movement, and exfiltrate financial data over extended periods.

• Operation ShadowHammer (ASUS Supply Chain Attack):

  • Attackers created hidden user accounts on compromised ASUS laptops, enabling persistent access to targeted systems.

  • Leveraged hidden accounts to conduct reconnaissance, lateral movement, and targeted data exfiltration.

• Rootkits and Kernel-Level Malware:

  • Linux rootkits such as Adore-NG, Azazel, and Diamorphine commonly hide user accounts by intercepting system calls and manipulating system files to evade detection.

  • These rootkits provide attackers with persistent, stealthy access to compromised Linux servers for extended periods.

These examples highlight the versatility, effectiveness, and widespread use of hidden user accounts across diverse threat actors, industries, and attack scenarios.