Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at hidden users,
00:10
so the objectives are pretty straightforward. We're going to describe what hidden users are, especially within macOS, and essentially how you can create one, what some mitigation techniques are, and then some detection techniques. So let's go ahead and jump right in.
00:27
So in MITRE, it discusses macOS, and a user ID is essentially associated with every account. So when a user is made, you can specify the user ID for the account. So in preferences, there's a directory where there's a property value, and in com.apple.loginwindow,
00:46
it's called Hide500Users,
00:49
and this keeps user IDs below 500 hidden. So you can create an account using this technique and put the user ID under 500. With that property enabled, it will hide the user account,
01:04
and the command syntax looks like this. So you would do sudo
01:10
dscl . -create /Users/ and then the username, and provide a UniqueID that is under 500. So in this case, that's my five; under 500, it will hide the account. Now,
01:25
there are some mitigation techniques that we can apply here. So if the system is domain-joined,
01:30
then you could use Group Policy to restrict the ability to create or hide users. You can also prevent modification of the Hide500Users value. Now let's say that you don't do those things, though, but you want to know if a hidden user is on a system.
01:46
Well, if the user account logs in, even though it may be hidden, it still creates a home directory
01:52
and will appear in authentication logs. And so even though the user account is, on the surface, not visible, it wouldn't be visible to a standard end user if they weren't looking for it; they probably won't see it at all. But if they did see it, they may not put two and two together.
02:09
So essentially you could look in these locations to see if there may be hidden users on your network.
02:15
Now, a quick check on learning. True or false: hidden users cannot be detected on a system.
02:23
All right, well, if you need some additional time, please pause the video. Now, this is a false statement. As we just said, hidden users can be detected on a system; they're just not seen from the login screen or from a point where an end user might be able to see them. But their home directories and things of that nature are still created.
02:42
So in summary of this particular piece,
02:45
we described hidden users. They're essentially users that are not
02:49
visible when you're logging in or getting on a system, but you can have other areas, such as home directories, where they can be seen. Mitigation techniques included limiting the ability of users to create
03:01
accounts or hidden accounts, and the ability to manipulate the Hide500Users value. And then we reviewed some detection techniques, such as looking for the home directory and authentication logs associated with user accounts that maybe aren't readily visible. So with that in mind, I want to thank you for your time today,
03:22
and I look forward to seeing you again soon.
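The detection idea from the video, as an added example that is not part of the course transcript: on a Mac the account list with UIDs comes from `dscl . -list /Users UniqueID` and the hiding switch is read with `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users`. So the script can run anywhere, the `dscl` and `ls /Users` output below is constructed sample data (the account names `svc_backup`, `jdoe`, `admin` are invented); on a live system you would substitute the real command output.

```sh
#!/bin/sh
# Added example (not from the video). Two of the checks the video suggests,
# run over constructed sample data so the script works offline.
#
# On a real Mac, replace SAMPLE with:   dscl . -list /Users UniqueID
# and HOMES with:                        ls /Users
# and check the switch itself with:
#   defaults read /Library/Preferences/com.apple.loginwindow Hide500Users

# Constructed "name UID" listing in the format dscl prints.
SAMPLE='_mbsetupuser 248
_spotlight 89
root 0
daemon 1
nobody -2
admin 501
svc_backup 499
jdoe 502'

# Constructed `ls /Users` listing for the same machine.
HOMES='Shared
admin
jdoe
svc_backup'

# Accounts with a UID below 500 are what Hide500Users hides. macOS creates
# its own service accounts there (names starting with "_", plus root, daemon
# and nobody); anything else under 500 is a candidate for an attacker-created
# hidden user.
hidden_candidates() {
    printf '%s\n' "$1" | awk '
        $2 + 0 < 500 && $1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" { print $1 }
    '
}

# The video's second indicator: a home directory exists for an account that
# is not shown at the login window. $1 is the "name UID" list, $2 is the
# /Users listing. Visible accounts are those with UID >= 500; any home
# directory (other than Shared) not owned by one of them is suspicious.
homes_without_visible_account() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$1" | awk '$2 + 0 >= 500 { print $1 }' | sort > "$tmp"
    printf '%s\n' "$2" | grep -v '^Shared$' | sort | comm -23 - "$tmp"
    rm -f "$tmp"
}

echo "Accounts under UID 500 that macOS did not create:"
hidden_candidates "$SAMPLE"
echo "Home directories with no visible account:"
homes_without_visible_account "$SAMPLE" "$HOMES"
```

Both checks flag `svc_backup` in the sample data: it sits at UID 499, so the login window hides it, yet it has a home directory because it has logged in. Correlating that name against the authentication log entries the video mentions closes the loop.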


Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various ATT&CK access vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica