T1564 Hide Artifacts Mappings

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564 Hide Artifacts
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1564.008 Email Hiding Rules 8
T1564.002 Hidden Users 7
T1564.009 Resource Forking 13
T1564.006 Run Virtual Instance 11
T1564.007 VBA Stomping 9
T1564.003 Hidden Window 7
T1564.005 Hidden File System 4
T1564.001 Hidden Files and Directories 4
T1564.004 NTFS File Attributes 10
T1564.010 Process Argument Spoofing 3