Esc
Hidden Users - T1564.002

(ATT&CK® Technique)
Definition

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1564002["Hidden Users"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1564002 OffensiveTechniqueNode;
        class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
        click T1564002 href "/offensive-technique/attack/T1564.002/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";             FileEncryption["File Encryption"] -->
          | encrypts | UserInitConfigurationFile["User Init Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1564002["Hidden Users"] ;
          class FileEncryption DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | UserInitConfigurationFile["User Init Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1564002["Hidden Users"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1564002["Hidden Users"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";              FileAnalysis["File Analysis"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1564002["Hidden Users"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | UserInitConfigurationFile["User Init Configuration File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1564002["Hidden Users"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";                           DecoyFile["Decoy File"] -->
          | spoofs | UserInitConfigurationFile["User Init Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1564002["Hidden Users"] ;
          class DecoyFile DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";              FileEviction["File Eviction"] -->
          | deletes | UserInitConfigurationFile["User Init Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1564002["Hidden Users"] ;
          class FileEviction DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";              UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.->
            | may-detect | T1564002["Hidden Users"] ;
          class UserSessionInitConfigAnalysis DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis";  RestoreFile["Restore File"] -->
          | restores | UserInitConfigurationFile["User Init Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1564002["Hidden Users"] ;
          class RestoreFile DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";
json