Wednesday, September 4, 2019

Defense Evasion - Hidden Users


Every user account in macOS has a UserID (UID) associated with it, and the UID can be specified when the user is created. The property Hide500Users in /Library/Preferences/com.apple.loginwindow prevents users with UIDs of 500 and lower from appearing at the login screen. Adversaries can Create Account with a UID under 500, enable this property, and thereby hide their user accounts, for example with the following command:

sudo dscl . -create /Users/username UniqueID 401

Mitigation
Group policy
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.

Detection
This technique only prevents the new user from showing up at the login screen; all of the other signs of a new user still exist. The user still gets a home directory, still appears in the local directory service, and will appear in the authentication logs.
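As an added example (not part of the original post), the following shell check flags local accounts whose UID is below 500 but that do not look like Apple's built-in service accounts, and reports the Hide500Users setting when run on a real Mac. The list of known system accounts and the sample directory listing are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag local accounts with a UniqueID
# below 500 that do not look like built-in macOS service accounts.
# Input lines follow the format of `dscl . -list /Users UniqueID`: "<name> <uid>".

# Built-in accounts expected below UID 500 (assumption: a typical default install).
KNOWN_SYSTEM_USERS="root daemon nobody"

flag_low_uid_users() {
    # Reads "<name> <uid>" lines on stdin; prints "<name> <uid>" for suspicious entries.
    while read -r name uid; do
        [ -z "$name" ] && continue
        case "$name" in _*) continue ;; esac                 # Apple service accounts start with '_'
        case " $KNOWN_SYSTEM_USERS " in *" $name "*) continue ;; esac
        case "$uid" in *[!0-9-]*|"") continue ;; esac        # skip non-numeric UID fields
        if [ "$uid" -lt 500 ]; then
            echo "$name $uid"
        fi
    done
}

# Constructed sample modelled on `dscl . -list /Users UniqueID` output (not real data).
SAMPLE_DSCL_OUTPUT='_www 70
_spotlight 89
daemon 1
nobody -2
root 0
alice 501
svcbackup 401'

check_sample() {
    printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | flag_low_uid_users
}

# On a real Mac, pair the account list with the loginwindow setting that hides them.
audit_live_system() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not available; not running on macOS" >&2
        return 0
    fi
    hide500=$(defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null || echo "unset")
    echo "Hide500Users = $hide500"
    dscl . -list /Users UniqueID | flag_low_uid_users | while read -r n u; do
        echo "ALERT: non-system account '$n' has UID $u (hidden from login screen when Hide500Users=1)"
    done
}

check_sample
audit_live_system
```

A UID below 500 on its own is not proof of abuse; the point is to correlate it with Hide500Users and with the home directory and authentication-log evidence mentioned above.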
