Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[1][2][3]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[4]

ID: T1564
Tactic: Defense Evasion
Platforms: Linux, Office Suite, Windows, macOS
Version: 1.3
Created: 26 February 2020
Last Modified: 15 October 2024

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.[5]

S1066 DarkTortilla

DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.[6]

S0402 OSX/Shlayer

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[7][5][8]

S1011 Tarrask

Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (SD) registry value.[9]

S0670 WarzoneRAT

WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[10]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[11]

M1013 Application Developer Guidance

Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.

M1033 Limit Software Installation

Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0022 File File Creation

Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.

File Modification

Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0001 Firmware Firmware Modification

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0009 Process OS API Execution

Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.

Process Creation

Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0019 Service Service Creation

Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0002 User Account User Account Creation

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

User Account Metadata

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection.

References