Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| PUR-AS-E5 | Audit Solutions | Technique Scores | T1564 | Hide Artifacts |
| EOP-MFR-E3 | Mail Flow Rules | Technique Scores | T1564 | Hide Artifacts |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1564 | Hide Artifacts |
| DEF-IR-E5 | Incident Response | Technique Scores | T1564 | Hide Artifacts |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1564.008 | Email Hiding Rules | 12 |
| T1564.002 | Hidden Users | 3 |
| T1564.009 | Resource Forking | 13 |
| T1564.006 | Run Virtual Instance | 7 |
| T1564.007 | VBA Stomping | 4 |
| T1564.003 | Hidden Window | 3 |
| T1564.004 | NTFS File Attributes | 6 |
| T1564.010 | Process Argument Spoofing | 3 |