Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1564 | Hide Artifacts | |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1564 | Hide Artifacts | |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1564 | Hide Artifacts | |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1564 | Hide Artifacts |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1564 | Hide Artifacts |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1564 | Hide Artifacts |
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1564 | Hide Artifacts |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1564 | Hide Artifacts |
Comments
Google Security Ops is able to trigger an alert based on processes, such as hidden artifacts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1564.012 | File/Path Exclusions | 4 |
| T1564.008 | Email Hiding Rules | 9 |
| T1564.011 | Ignore Process Interrupts | 3 |
| T1564.002 | Hidden Users | 7 |
| T1564.009 | Resource Forking | 16 |
| T1564.006 | Run Virtual Instance | 13 |
| T1564.007 | VBA Stomping | 9 |
| T1564.003 | Hidden Window | 8 |
| T1564.005 | Hidden File System | 5 |
| T1564.001 | Hidden Files and Directories | 7 |
| T1564.004 | NTFS File Attributes | 10 |
| T1564.010 | Process Argument Spoofing | 3 |