AN1002: Analytic 1002
Use of gsettings or direct Display Manager modifications to hide users from greeter login screen. Defender view: anomalous command execution modifying org.gnome.login-screen or other greeter configurations.
Analyst context for executives and security teams
This analytic is about Linux activity that changes GNOME or display-manager login-screen settings so a user is hidden from the graphical greeter. For leaders, the value is not the command itself; it is whether endpoint logging and SOC processes would notice identity-related persistence or concealment on Linux workstations and servers that use graphical login managers.
Executive priority
Prioritize this where Linux endpoints, administrator workstations, kiosks, lab systems, or shared operational systems use graphical login. The business question is whether unauthorized account concealment would be visible during incident response, access reviews, and audit evidence collection. This is a targeted control-validation item for Linux monitoring, identity hygiene, and IR readiness rather than a broad enterprise detection on its own.
Technical view
Validate monitoring for anomalous command execution or configuration changes involving gsettings, org.gnome.login-screen, and other greeter/display-manager configuration locations on Linux. Because ATT&CK provides no tactic, no detection logic, and no relationship context for this analytic, SOC teams should treat it as a detection engineering prompt: confirm which Linux systems run relevant display managers, what normal administrative changes look like, and whether account visibility changes can be tied back to a user, process, host, and change window.
Likely telemetry
- Linux process execution telemetry, especially command line and parent process context
- File or configuration change telemetry for GNOME login-screen and display-manager greeter settings
- Audit logs showing privileged user activity or configuration modification
- Endpoint detection or host audit records from Linux systems with graphical login managers
- Change-management records for legitimate desktop or display-manager configuration updates
Detection direction
- Inventory Linux systems where GNOME or other greeter/display-manager configurations are in use; this analytic is only relevant where those components exist.
- Alert or hunt on unusual use of gsettings or direct modification of login-screen/greeter configuration by unexpected users, processes, or outside approved change windows.
- Tune for legitimate desktop administration, image hardening, kiosk configuration, and helpdesk activity to reduce false positives.
- Correlate configuration changes with account creation, privilege changes, interactive logons, and recent administrative sessions when local telemetry supports it.
- Treat gaps in Linux command-line logging, file integrity monitoring, or auditd-style coverage as material blind spots for this behavior.
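One way to express the hunt described in the bullets above, as an added example that is not MITRE's or this page's own detection logic. The event field names, watched paths, host names and change window are assumptions, and the sample events are constructed.

```python
import shlex
from datetime import datetime

SCHEMA = "org.gnome.login-screen"
WRITE_VERBS = {"set", "reset", "reset-recursively"}
# Assumed greeter/display-manager config locations; replace with your own inventory.
WATCHED = ("/etc/gdm3/", "/etc/lightdm/", "/var/lib/AccountsService/users/")
# Hypothetical approved change windows: host -> (start, end).
CHANGE_WINDOWS = {"kiosk-07": (datetime(2026, 1, 10, 1), datetime(2026, 1, 10, 3))}

def gsettings_write(cmdline):
    """Return the write verb if cmdline runs gsettings against SCHEMA, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        argv = cmdline.split()
    for i, tok in enumerate(argv):
        if tok.rsplit("/", 1)[-1] == "gsettings":  # found even behind sudo/env wrappers
            rest = argv[i + 1:]
            for verb, target in zip(rest, rest[1:]):
                if verb in WRITE_VERBS and target.startswith(SCHEMA):
                    return verb
    return None

def evaluate(event):
    """Classify one process or file-change event as ignore, review or alert."""
    verb = gsettings_write(event.get("cmdline", ""))
    if verb:
        reason = f"gsettings {verb} on {SCHEMA}"
    elif event.get("path", "").startswith(WATCHED):
        reason = f"greeter config modified: {event['path']}"
    else:
        return ("ignore", "")
    window = CHANGE_WINDOWS.get(event["host"])
    ts = datetime.fromisoformat(event["ts"])
    if window and window[0] <= ts <= window[1]:
        return ("review", reason + " (inside approved change window)")
    return ("alert", reason)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"ts": "2026-01-10T02:15:00", "host": "kiosk-07",
     "cmdline": "gsettings set org.gnome.login-screen disable-user-list true"},
    {"ts": "2026-01-12T23:40:00", "host": "ws-114",
     "cmdline": "sudo -u gdm /usr/bin/gsettings set org.gnome.login-screen disable-user-list true"},
    {"ts": "2026-01-12T23:41:00", "host": "ws-114",
     "cmdline": "gsettings get org.gnome.login-screen disable-user-list"},
    {"ts": "2026-01-12T23:42:00", "host": "ws-114", "path": "/var/lib/AccountsService/users/svc-backup"},
]
```

Calling `evaluate` on each entry of `EVENTS` downgrades the in-window kiosk change to `review`, ignores the read-only `get`, and alerts on the two out-of-window changes.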
Mitigation priorities
- Establish approved baselines for Linux display-manager and greeter configuration on systems where graphical login is used.
- Restrict who can modify login-screen and display-manager settings through least privilege and administrative change control.
- Enable and retain Linux process and configuration-change logging sufficient for incident reconstruction.
- Include hidden or non-displayed local accounts in periodic access reviews rather than relying only on the greeter login screen.
- Document expected configuration exceptions so SOC and IR teams can distinguish authorized hardening from suspicious concealment.
Analyst notes and limits
This object is a detection analytic, not a technique. It applies to Linux and specifically references gsettings, org.gnome.login-screen, and greeter/display-manager configuration changes. No ATT&CK tactics, related techniques, groups, software, mitigations, or official detection text were supplied, so the take focuses on defensive validation and telemetry readiness.
The source provides a short description only and no official detection logic or relationships. Local environment details are required to determine relevance, normal administrative behavior, logging availability, and alert thresholds. This summary does not imply active exploitation, attribution, or existing detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3e198da9e955… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.