Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[1][2][3]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[4]

ID: T1564
Tactic: Defense Evasion
Platforms: Linux, Office 365, Windows, macOS
Version: 1.1
Created: 26 February 2020
Last Modified: 25 March 2022

Procedure Examples

ID | Name | Description
S0482 | Bundlore | Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.[5]
S0402 | OSX/Shlayer | OSX/Shlayer uses the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[6][5][7]
S0670 | WarzoneRAT | WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[8]


Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Detection

ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
DS0017 | Command | Command Execution
DS0022 | File | File Creation
DS0022 | File | File Metadata
DS0022 | File | File Modification
DS0001 | Firmware | Firmware Modification
DS0009 | Process | OS API Execution
DS0009 | Process | Process Creation
DS0012 | Script | Script Execution
DS0019 | Service | Service Creation
DS0002 | User Account | User Account Creation
DS0002 | User Account | User Account Metadata
DS0024 | Windows Registry | Windows Registry Key Modification

Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.
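A sketch of the command-line monitoring described above, added here as an example and not taken from ATT&CK or any vendor tooling. It labels the mktemp staging forms quoted in the procedure examples and two hidden-attribute commands, `chflags hidden` and `attrib +h`, which are assumptions the page does not name. The events are constructed sample data, and because mktemp is common in legitimate scripts, the labels are triage context to weigh with the parent process.

```python
import re

# Constructed process-creation events (host, parent process, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("mac-01", "sh", 'export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"'),
    ("mac-01", "sh", "TMP_DIR=`mktemp -d -t x`"),
    ("mac-02", "sh", "mktemp -t Installer"),
    ("mac-02", "zsh", "chflags hidden,uchg /Users/alice/Library/agent"),
    ("win-07", "cmd.exe", r"attrib.exe +H +S C:\Users\bob\AppData\svc.exe"),
    ("lin-03", "bash", "ls -la /tmp"),
]

def tokens(cmdline):
    # Blank out quoting and substitution characters so `mktemp ...` and
    # $(mktemp ...) tokenise the same way as a bare invocation.
    return re.sub(r'[`"()$;]', " ", cmdline).split()

def classify(cmdline):
    """Return the finding labels that apply to one command line."""
    toks = tokens(cmdline)
    # Compare on lower-cased basenames so /usr/bin/mktemp and ATTRIB.EXE match.
    names = [re.split(r"[\\/]", t.lower())[-1] for t in toks]
    findings = []
    if "mktemp" in names:
        args = toks[names.index("mktemp") + 1:]
        findings.append("mktemp_directory" if "-d" in args else "mktemp_file")
    if "chflags" in names:
        # chflags takes a comma-separated flag list, e.g. hidden,uchg
        if any("hidden" in n.split(",") for n in names):
            findings.append("hidden_flag_set")
    if {"attrib", "attrib.exe"} & set(names):
        if "+h" in names:
            findings.append("hidden_attribute_set")
    return findings

def scan(events):
    """Group findings by host; hosts with no findings are omitted."""
    by_host = {}
    for host, _parent, cmdline in events:
        for finding in classify(cmdline):
            by_host.setdefault(host, set()).add(finding)
    return by_host

if __name__ == "__main__":
    for host, findings in sorted(scan(SAMPLE_EVENTS).items()):
        print(host, sorted(findings))
```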