Hide Artifacts: Hidden Users

Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

Adversaries may hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.

Technique Identifier

T1564.002

Technique Tags

Defense Evasion HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Dragonfly supress users from login screen

Evasion Categories

Defense Evasion [Mitre]

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Hide Artifacts: Hidden Users, Sub-technique T1564.002 - Enterprise | MITRE ATT&CK®

Created

January 31, 2023

Last Revised

March 24, 2026