Hide Artifacts: Hidden Users

Other sub-techniques of Hide Artifacts (14)

ID	Name
ATAGS-T1096.001	Bind Mounts
ATAGS-T1096.002	Email Hiding Rules
ATAGS-T1096.003	Extended Attributes
ATAGS-T1096.004	File/Path Exclusions
ATAGS-T1096.005	Hidden File System
ATAGS-T1096.006	Hidden Files and Directories
ATAGS-T1096.007	Hidden Users
ATAGS-T1096.008	Hidden Window
ATAGS-T1096.009	Ignore Process Interrupts
ATAGS-T1096.010	NTFS File Attributes
ATAGS-T1096.011	Process Argument Spoofing
ATAGS-T1096.012	Resource Forking
ATAGS-T1096.013	Run Virtual Instance
ATAGS-T1096.014	VBA Stomping

Threat Actors may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.

ID: ATAGS-T1096.007

Sub-technique of: ATAGS-T1096

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.