Description
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
Sub-Techniques (14)
| ID | Name |
|---|---|
| T1564.001 | Hidden Files and Directories |
| T1564.002 | Hidden Users |
| T1564.003 | Hidden Window |
| T1564.004 | NTFS File Attributes |
| T1564.005 | Hidden File System |
| T1564.006 | Run Virtual Instance |
| T1564.007 | VBA Stomping |
| T1564.008 | Email Hiding Rules |
| T1564.009 | Resource Forking |
| T1564.010 | Process Argument Spoofing |
| T1564.011 | Ignore Process Interrupts |
| T1564.012 | File/Path Exclusions |
| T1564.013 | Bind Mounts |
| T1564.014 | Extended Attributes |
Mitigations (4)
| ID | Name | Description |
|---|---|---|
| M1033 | Limit Software Installation | Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
| M1013 | Application Developer Guidance | Application developers should consider limiting the requirements for custom or otherwise difficult-to-manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions. |
| M1047 | Audit | Periodically audit virtual machines for abnormalities. |
| M1049 | Antivirus/Antimalware | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible.(Citation: Microsoft File Folder Exclusions) |
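One way to carry out the exclusion review described for M1049 on a Windows endpoint, as an added example that is not part of the ATT&CK page: it reads the Microsoft Defender exclusion lists with the real `Get-MpPreference` cmdlet and flags entries whose scope is wider than a single application needs. The breadth heuristics (drive roots, wildcards, user-writable staging folders) are this example's own assumptions, not MITRE or Microsoft guidance; run it from an elevated session.

```powershell
# Added example: audit Microsoft Defender exclusions for overly broad scope (M1049).
# Assumes the Defender PowerShell module (Get-MpPreference) is present; run elevated.
# The patterns below are this example's own heuristics, not vendor-defined rules.

$pref = Get-MpPreference

# Path shapes that usually mean an exclusion is wider than one application needs.
$broadPatterns = @(
    '^[A-Za-z]:\\?$',                               # a whole drive, e.g. C:\
    '^[A-Za-z]:\\(Windows|Users|ProgramData)\\?$',  # an entire top-level system folder
    '\*',                                           # wildcard anywhere in the path
    '\\(Temp|Tmp|Downloads|AppData|Public)(\\|$)'   # user-writable staging locations
)

# Returns the first matching pattern, or $null when the path looks narrowly scoped.
function Test-BroadExclusion {
    param([string]$Path)
    foreach ($pattern in $broadPatterns) {
        if ($Path -match $pattern) { return $pattern }
    }
    return $null
}

$findings = @()

foreach ($path in @($pref.ExclusionPath)) {
    if (-not $path) { continue }
    $hit = Test-BroadExclusion -Path $path
    if ($hit) {
        $findings += [pscustomobject]@{ Kind = 'Path'; Value = $path; Reason = "matches $hit" }
    }
}

# Extension and process exclusions are broad by construction: they apply wherever the
# extension or process appears on disk, so every entry is reported for review.
foreach ($ext in @($pref.ExclusionExtension)) {
    if ($ext) { $findings += [pscustomobject]@{ Kind = 'Extension'; Value = $ext; Reason = 'applies to every file with this extension' } }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc; Reason = 'files opened by this process are not scanned' } }
}

if ($findings.Count -eq 0) { 'No broad exclusions found.' } else { $findings | Format-Table -AutoSize }
```

Each reported entry should be traced back to a documented business need and narrowed to the specific file or folder that needs it; entries with no owner are candidates for removal.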
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0402 | OSX/Shlayer | Malware | [OSX/Shlayer](https://attack.mitre.org/software/S0402) has used the `mktemp` utility to make random and unique filenames for payloads, such... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) uses the `mktemp` utility to make unique file and directory names for payloads, such as... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) can masquerade the Process Environment Block on a compromised host to hide its attempts to eleva... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) has used `%HiddenReg%` and `%HiddenKey%` as part of its persistence via the Windows registry.(... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) can modify file attributes to hide the file.(Citation: Fortinet Remcos Campaign NOV 2024) |
| S1011 | Tarrask | Malware | [Tarrask](https://attack.mitre.org/software/S1011) is able to create “hidden” scheduled tasks by deleting the Security Descriptor (`SD`) registry valu... |
| S9025 | NOOPLDR | Malware | [NOOPLDR](https://attack.mitre.org/software/S9025) can hide services used to aid execution.(Citation: JPCERT MirrorFace JUL 2024) |
References
- Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.
- Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
Frequently Asked Questions
What is T1564 (Hide Artifacts)?
T1564 is a MITRE ATT&CK technique named 'Hide Artifacts'. It belongs to the Stealth tactic(s). Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administ...
How can T1564 be detected?
Detection of T1564 (Hide Artifacts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564?
There are 4 documented mitigations for T1564. Key mitigations include: Limit Software Installation, Application Developer Guidance, Audit, Antivirus/Antimalware.
Which threat groups use T1564?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.