AN1003: Analytic 1003
User creation or modification via dscl with IsHidden=1, UID<500, or plist edits to com.apple.loginwindow Hide500Users flag. Defender view: correlation of hidden account attributes with login screen exclusion.
Analyst context for executives and security teams
This analytic matters because hidden macOS accounts can undermine normal identity governance and incident response visibility. The ATT&CK object focuses on signs that an account has been created or modified to avoid appearing on the login screen, such as hidden-account attributes, low UID values, or loginwindow plist settings. For leaders, the decision point is whether macOS endpoint visibility and account review processes can prove that local accounts are expected, visible to administrators, and investigated when intentionally hidden.
Executive priority
Prioritize this as a macOS identity and endpoint governance check. It supports questions executives and security leaders should ask during resilience, audit, and incident readiness reviews: do we inventory local macOS accounts, can the SOC detect account hiding indicators, and can IR quickly distinguish approved administrative configuration from suspicious persistence or access concealment? The supplied object is a detection analytic, not evidence of active exploitation or specific threat activity.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for macOS account creation or modification events where hidden account attributes are present, including IsHidden=1, UID values below 500, or edits to the com.apple.loginwindow Hide500Users flag. Because no ATT&CK tactic or formal detection logic is supplied, teams should treat this as an analytic requirement and test whether endpoint telemetry, configuration monitoring, and account inventory can correlate hidden-account attributes with login screen exclusion.
Likely telemetry
- macOS local account inventory and attribute data
- Endpoint telemetry for account creation and account modification on macOS
- Command or process telemetry involving dscl where available
- File or configuration monitoring for plist changes related to com.apple.loginwindow
- Administrative change records explaining approved hidden or service accounts
Detection direction
- Validate that detections correlate account attributes with login screen exclusion rather than alerting on a single weak signal alone.
- Tune for legitimate administrative or service-account use cases, especially where low UID values or hidden users may be expected by policy.
- Confirm whether telemetry captures both command-driven changes and plist/configuration edits; otherwise, detection may miss non-command-line modifications.
- Use local asset context to identify which macOS systems should allow hidden accounts and which should not.
- Document alert triage steps for verifying account owner, purpose, creation time, and approval status.
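The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or this page's own material: a shell function that parses `dscl . -readall /Users RecordName UniqueID IsHidden` style output together with the `Hide500Users` value and reports an account only when an attribute actually hides it from the login window (`IsHidden=1`, or a low UID on a non-Apple account, with the `Hide500Users` state attached as context). The dscl records and the `Hide500Users` value below are constructed samples so the logic runs offline; the list of Apple-shipped low-UID names (`root`, `daemon`, `nobody`, `_*`) is an assumption to be replaced by your own baseline, and an absent `Hide500Users` key is treated as 0 by this check, not as a statement about the OS default.

```shell
#!/usr/bin/env bash
# Added example (not from the page): flag hidden-account indicators in dscl-style output.

# Constructed sample shaped like `dscl . -readall /Users RecordName UniqueID IsHidden`:
# each record is introduced by a line containing only "-", followed by "Key: value" lines.
SAMPLE_DSCL='-
RecordName: root
UniqueID: 0
-
RecordName: _mbsetupuser
UniqueID: 248
-
RecordName: alice
UniqueID: 501
-
RecordName: svc_backup
IsHidden: 1
UniqueID: 502
-
RecordName: helper
UniqueID: 499'

# Constructed stand-in for:
#   defaults read /Library/Preferences/com.apple.loginwindow Hide500Users
SAMPLE_HIDE500='1'

# find_hidden_accounts DSCL_OUTPUT HIDE500_VALUE
# Prints one finding per line: "<name> <uid> <reason>".
#   - IsHidden=1 is reported on its own; it hides the account regardless of UID.
#   - UID<500 is reported only for accounts outside the assumed Apple baseline
#     (root, daemon, nobody, names starting with "_"), with the Hide500Users
#     state appended so the analyst sees whether the login window applies it.
find_hidden_accounts() {
  local dscl_output="$1" hide500="$2"
  printf '%s\n' "$dscl_output" | awk -v hide500="$hide500" '
    function flush() {
      if (name == "") return
      if (hidden == "1") {
        print name, uid, "IsHidden=1"
      } else if (uid != "" && uid + 0 < 500 &&
                 name !~ /^_/ && name != "root" &&
                 name != "daemon" && name != "nobody") {
        print name, uid, (hide500 == "1" ? "UID<500;Hide500Users=1" : "UID<500")
      }
      name = ""; uid = ""; hidden = ""
    }
    /^-$/            { flush(); next }
    /^RecordName: /  { name = $2 }
    /^UniqueID: /    { uid = $2 }
    /^IsHidden: /    { hidden = $2 }
    END              { flush() }'
}

# Number of findings for the constructed sample (used as a quick self-check).
count_sample_findings() {
  find_hidden_accounts "$SAMPLE_DSCL" "$SAMPLE_HIDE500" | wc -l | tr -d ' '
}

# On a Mac, replace the constructed sample with live data, e.g.:
#   find_hidden_accounts \
#     "$(dscl . -readall /Users RecordName UniqueID IsHidden)" \
#     "$(defaults read /Library/Preferences/com.apple.loginwindow Hide500Users 2>/dev/null || echo 0)"
find_hidden_accounts "$SAMPLE_DSCL" "$SAMPLE_HIDE500"
```

For the sample, `alice` (UID 501, not hidden) and the Apple-style accounts produce nothing; `svc_backup` is reported for `IsHidden=1` and `helper` for `UID<500` with `Hide500Users=1` attached. Each finding still needs the triage steps listed above (owner, purpose, creation time, approval) before it is treated as suspicious.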
Mitigation priorities
- Establish and enforce policy for approved local macOS accounts, including whether hidden accounts are permitted.
- Maintain an inventory of local accounts and periodically review hidden-account indicators.
- Restrict and monitor administrative rights capable of modifying local account attributes or loginwindow settings.
- Ensure endpoint logging and configuration monitoring are enabled where macOS systems are in scope.
- Include hidden local account checks in incident response collection and compliance evidence procedures.
Analyst notes and limits
This take is based only on ATT&CK analytic AN1003. The object identifies macOS-specific indicators involving dscl, IsHidden=1, UID<500, and com.apple.loginwindow Hide500Users. No relationships, tactics, adversary context, or official detection logic were supplied, so recommendations are framed as validation and control priorities rather than confirmed ATT&CK coverage.
The supplied ATT&CK fields do not provide detection syntax, data source mappings, false-positive examples, affected tactics, related techniques, or threat actor relationships. Local macOS administration practices are required to determine whether hidden accounts are authorized or suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 20176a421903… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.