1. Home
  2. Techniques
  3. Enterprise
  4. Hide Artifacts

Hide Artifacts

ID Name
T1564.001 Hidden Files and Directories
T1564.002 Hidden Users
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1564.005 Hidden File System
T1564.006 Run Virtual Instance
T1564.007 VBA Stomping
T1564.008 Email Hiding Rules
T1564.009 Resource Forking
T1564.010 Process Argument Spoofing

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[1][2][3]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[4]

ID: T1564
Sub-techniques:  T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010
Tactic: Defense Evasion
Platforms: Linux, Office 365, Windows, macOS
Version: 1.1
Created: 26 February 2020
Last Modified: 25 March 2022

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.[5]
S0402 OSX/Shlayer

OSX/Shlayer uses the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[6][5][7]
S0670 WarzoneRAT

WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it's attempts to elevate privileges through IFileOperation.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Creation
File Metadata
File Modification
DS0001 Firmware Firmware Modification
DS0009 Process OS API Execution
Process Creation
DS0012 Script Script Execution
DS0019 Service Service Creation
DS0002 User Account User Account Creation
User Account Metadata
DS0024 Windows Registry Windows Registry Key Modification

Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.

References

  1. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  2. Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.
  3. Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.
  4. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  1. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  2. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  3. Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
  4. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.