1. Home
  2. ATT&CK Techniques
  3. T1564 Hide Artifacts

T1564 Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.08 End-user device access Mitigates T1564 Hide Artifacts
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
References
    PR.PS-01.01 Configuration baselines Mitigates T1564 Hide Artifacts
    Comments
    This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
    References
      PR.PS-06.01 Secure SDLC process Mitigates T1564 Hide Artifacts
      Comments
      This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
      References
        PR.PS-01.03 Configuration deviation Mitigates T1564 Hide Artifacts
        Comments
        This diagnostic statement provides protection from Hide Artifacts through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
        References
          PR.PS-01.08 End-user device protection Mitigates T1564 Hide Artifacts
          Comments
          This diagnostic statement protects against Hide Artifacts through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
          References
            PR.PS-06.07 Development and operational process alignment Mitigates T1564 Hide Artifacts
            Comments
            This diagnostic statement protects against Hide Artifacts through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
            References

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1564 Hide Artifacts
              action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
              action.malware.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts
              action.social.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1564 Hide Artifacts

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1564 Hide Artifacts
              Comments
              This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
              References
              1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-ai
              alerts_for_linux_machines Alerts for Linux Machines technique_scores T1564 Hide Artifacts
              Comments
              This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
              References
              1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-linux
              alerts_for_windows_machines Alerts for Windows Machines technique_scores T1564 Hide Artifacts
              Comments
              This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
              References
              1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
              2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              google_secops Google Security Operations technique_scores T1564 Hide Artifacts
              Comments
              Google Security Ops is able to trigger an alert based on processes, such as hidden artifacts. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral
              References
              1. ['https://cloud.google.com/security/products/security-operations'
              2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
              3. 'https://github.com/chronicle/detection-rules']

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1564.012 File/Path Exclusions 9
              T1564.008 Email Hiding Rules 9
              T1564.011 Ignore Process Interrupts 3
              T1564.002 Hidden Users 10
              T1564.009 Resource Forking 18
              T1564.006 Run Virtual Instance 14
              T1564.007 VBA Stomping 9
              T1564.003 Hidden Window 8
              T1564.005 Hidden File System 5
              T1564.001 Hidden Files and Directories 7
              T1564.004 NTFS File Attributes 10
              T1564.010 Process Argument Spoofing 3