title: Hidden Users (T1564.002)
id: df00tech-t1564-002
status: experimental
description: "Adversaries may use hidden users to hide the presence of user accounts they create or modify. On Windows, accounts can be hidden from the login screen by setting a registry value under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList with a DWORD value of 0 for the username. On macOS, adversaries can set a user's UID below 500 or set a UserShell property to /usr/bin/false to hide them. Threat actors including Dragonfly, Kimsuky, and SMOKEDHAM malware use hidden user accounts for persistent backdoor access."
references:
  - https://attack.mitre.org/techniques/T1564/002/
  - https://df00tech.com/detections/T1564.002
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.002
# NOTE: logsource is auto-derived (process_creation) and may need adjustment for your environment;
# the Windows indicator in the description is a registry value write, so a registry_set logsource may fit better
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Administrators configuring service accounts that should not appear on the login screen for security reasons
  - "Enterprise management tools (SCCM, MDM solutions) that create management accounts hidden from regular login screens"
  - Built-in Windows service accounts that are legitimately hidden via the SpecialAccounts mechanism
  - IT staff creating dedicated administrator accounts that should not be visible to standard users
level: high

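The rule above ships with a placeholder detection, so the following is an added example of the check a defender would actually run for the two indicators named in the description: a zero DWORD written under `SpecialAccounts\UserList` on Windows, and a macOS account with a UID below 500 or a `UserShell` of `/usr/bin/false`. It is not df00tech's code or part of the rule. The Windows records are modelled on Sysmon Event ID 13 (RegistryEvent, value set) fields `TargetObject` and `Details`; the macOS records are a constructed dict shaped like `dscl . -read /Users/<name>` output; the underscore-prefix and well-known-name exclusions for built-in macOS accounts are a heuristic assumption, and all sample inputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry path from the technique description, in the HKLM\... form Sysmon uses for TargetObject.
USERLIST_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    r"\\SpecialAccounts\\UserList\\(?P<user>[^\\]+)$",
    re.IGNORECASE,
)
# Sysmon renders a zero DWORD in the Details field as "DWORD (0x00000000)".
ZERO_DWORD_RE = re.compile(r"^DWORD \(0x0+\)$", re.IGNORECASE)

HIDDEN_SHELL = "/usr/bin/false"   # from the technique description
HIDDEN_UID_CEILING = 500          # UIDs below this are hidden from the macOS login window
# Assumption (heuristic): Apple's own service accounts use a leading underscore or one of these names.
BUILTIN_MACOS_NAMES = {"root", "daemon", "nobody"}


@dataclass(frozen=True)
class Finding:
    platform: str
    user: str
    reason: str


def check_windows_registry_event(event: dict) -> Optional[Finding]:
    """Flag a Sysmon EID 13-style event that hides a user from the login screen."""
    if event.get("EventID") != 13:
        return None
    match = USERLIST_RE.match(event.get("TargetObject", ""))
    if not match:
        return None
    # Only a value of 0 hides the account; 1 (or deleting the value) makes it visible again.
    if not ZERO_DWORD_RE.match(event.get("Details", "")):
        return None
    return Finding("windows", match.group("user"),
                   "SpecialAccounts\\UserList value set to DWORD 0 (hidden from login screen)")


def is_builtin_macos_account(name: str) -> bool:
    return name.startswith("_") or name in BUILTIN_MACOS_NAMES


def check_macos_account(record: dict) -> Optional[Finding]:
    """Flag a dscl-style account record that is hidden via a low UID or a false shell."""
    user = str(record.get("RecordName", "?"))
    if is_builtin_macos_account(user):
        return None  # legitimate system accounts live below UID 500 and often use /usr/bin/false
    reasons = []
    try:
        uid = int(record.get("UniqueID"))
    except (TypeError, ValueError):
        uid = None
    if uid is not None and uid < HIDDEN_UID_CEILING:
        reasons.append(f"UID {uid} below {HIDDEN_UID_CEILING}")
    if record.get("UserShell") == HIDDEN_SHELL:
        reasons.append(f"UserShell is {HIDDEN_SHELL}")
    if not reasons:
        return None
    return Finding("macos", user, "; ".join(reasons))


def scan(windows_events: List[dict], macos_accounts: List[dict]) -> List[Finding]:
    findings = []
    for event in windows_events:
        finding = check_windows_registry_event(event)
        if finding:
            findings.append(finding)
    for record in macos_accounts:
        finding = check_macos_account(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                     "\\SpecialAccounts\\UserList\\svc_backup",
     "Details": "DWORD (0x00000000)"},                      # hidden: value 0
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                     "\\SpecialAccounts\\UserList\\helpdesk",
     "Details": "DWORD (0x00000001)"},                      # visible: value 1, no hit
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user"},
]
SAMPLE_MACOS_ACCOUNTS = [
    {"RecordName": "_www", "UniqueID": "70", "UserShell": "/usr/bin/false"},    # built-in, skipped
    {"RecordName": "support", "UniqueID": "401", "UserShell": "/bin/zsh"},      # hidden via low UID
    {"RecordName": "alice", "UniqueID": "501", "UserShell": "/bin/zsh"},        # normal account
    {"RecordName": "maint", "UniqueID": "502", "UserShell": "/usr/bin/false"},  # hidden via shell
]

if __name__ == "__main__":
    for f in scan(SAMPLE_WINDOWS_EVENTS, SAMPLE_MACOS_ACCOUNTS):
        print(f"[{f.platform}] {f.user}: {f.reason}")
```

The Windows check keys on the value written rather than the key path alone, so the false positives listed in the rule (an administrator re-showing an account by writing 1) do not fire; triage of the remaining hits still needs the writing process and user from the same event, which the sample records carry in `Image`.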