Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[1][2][3]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[4]

ID: T1564
Tactic: Defense Evasion
Platforms: Linux, Office 365, Windows, macOS
Version: 1.1
Created: 26 February 2020
Last Modified: 25 March 2022

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.[5]

S1066 DarkTortilla

DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.[6]

S0402 OSX/Shlayer

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[7][5][8]

S1011 Tarrask

Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (SD) registry value.[9]

S0670 WarzoneRAT

WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.
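The Bundlore and Shlayer procedures above stage payloads in directories created by mktemp. On its own mktemp is far too common in benign scripts to alert on; the signal comes from correlating it with what the same parent does next, in particular executing a binary out of the directory it just created. The following is an added example, not code from the ATT&CK page or from any of the cited reports. It assumes a key=value process-creation log format from an endpoint agent (constructed here) and takes /tmp, /private/tmp and /var/folders (where macOS $TMPDIR lives) as the temp roots that the page's mktemp templates resolve into; both are assumptions for the example.

```python
"""Correlate `mktemp -d` with later execution from the resulting temp directory.

Added example, not from the ATT&CK page. The log format and the sample
records below are constructed; the temp roots are an assumption.
"""
import re
import shlex

# Constructed sample: an installer staging a payload in a mktemp directory
# (the Shlayer/Bundlore pattern), followed by a benign build script.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z user=alice pid=501 ppid=400 cmd="/bin/sh /Volumes/Installer/Install.app/Contents/MacOS/Install"
2024-05-02T10:00:02Z user=alice pid=502 ppid=501 cmd="mktemp -d /tmp/XXXXXXXXXXXX"
2024-05-02T10:00:03Z user=alice pid=503 ppid=501 cmd="unzip -o -d /tmp/Qm3k2L9z0aBc /Volumes/Installer/Install.app/Contents/Resources/enc.zip"
2024-05-02T10:00:04Z user=alice pid=504 ppid=501 cmd="chmod +x /tmp/Qm3k2L9z0aBc/Installer"
2024-05-02T10:00:05Z user=alice pid=505 ppid=501 cmd="/tmp/Qm3k2L9z0aBc/Installer --silent"
2024-05-02T10:05:00Z user=bob pid=610 ppid=600 cmd="mktemp -d /tmp/build.XXXXXX"
2024-05-02T10:05:01Z user=bob pid=611 ppid=600 cmd="make -C /Users/bob/src all"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd="(?P<cmd>.*)"$'
)

# Assumed temp roots: /tmp (and its real path on macOS) plus the macOS $TMPDIR tree.
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/var/folders/")


def parse_log(text):
    """Parse key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["ppid"] = int(rec["ppid"])
        rec["argv"] = shlex.split(rec["cmd"])
        events.append(rec)
    return events


def is_mktemp_dir(argv):
    """True for `mktemp -d ...` in either the template or the -t form on the page."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "mktemp" and "-d" in argv[1:]


def in_temp_root(path):
    return path.startswith(TEMP_ROOTS)


def detect_temp_staging(events):
    """Alert when a parent that ran `mktemp -d` later executes a program from a temp root.

    Correlation key is the parent PID: the installer shell that called mktemp is
    the one that will run the staged payload. A parent that only calls mktemp
    (bob's build script) produces no alert.
    """
    staged = {}   # parent pid -> the mktemp event seen for that parent
    alerts = []
    for ev in events:
        if is_mktemp_dir(ev["argv"]):
            staged[ev["ppid"]] = ev
        elif ev["ppid"] in staged and ev["argv"] and in_temp_root(ev["argv"][0]):
            alerts.append({
                "user": ev["user"],
                "parent_pid": ev["ppid"],
                "mktemp_cmd": staged[ev["ppid"]]["cmd"],
                "exec_cmd": ev["cmd"],
                "exec_pid": ev["pid"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_temp_staging(parse_log(SAMPLE_LOG)):
        print(alert)
```

The correlation is deliberately narrow: it fires only on execution of a file whose path sits under a temp root, by a sibling of the mktemp call. A real deployment would also key on session or process-tree ancestry rather than a single parent PID, and would treat `chmod +x` on a temp path as a supporting indicator rather than a standalone alert.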

DS0022 File File Creation

Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.

File Metadata

Monitor contextual data about a file, such as its name, content (ex: signature, headers, or data/media), user/owner, and permissions, for values that may indicate an attempt to hide artifacts associated with adversary behaviors to evade detection.

File Modification

Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0001 Firmware Firmware Modification

Monitor for unexpected changes made to firmware settings and/or data that may indicate an attempt to hide artifacts associated with adversary behaviors to evade detection.

DS0009 Process OS API Execution

Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.

Process Creation

Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system; such attempts should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0019 Service Service Creation

Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0002 User Account User Account Creation

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

User Account Metadata

Monitor contextual data about an account, such as username, user ID, and environmental data, for values that may indicate an attempt to hide artifacts associated with adversary behaviors to evade detection.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection.
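The Tarrask procedure above hides a scheduled task by deleting the task's SD (security descriptor) value from the registry, which leaves the task runnable but removes it from schtasks and the Task Scheduler UI. That gives two complementary detections: a state hunt that walks the Tree key and flags task entries with no SD value, and an event match on registry-value deletions targeting a Tree\<task>\SD path. The following is an added example, not code from the ATT&CK page or from the Tarrask report. It assumes the task cache lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree with one subkey per task carrying Id, Index and SD values (folder keys carry no Id), and that registry deletions are logged as Sysmon Event ID 12 with EventType, Image and TargetObject fields; the snapshot and events below are constructed.

```python
"""Hunt for scheduled tasks hidden by deleting their SD value (the Tarrask technique).

Added example, not from the ATT&CK page or the cited report. The Tree layout,
the Id-marks-a-task rule, and the Sysmon field names are assumptions; the
sample snapshot and events are constructed.
"""
import sys

TREE_PATH = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree"
TREE_MARKER = "\\TaskCache\\Tree\\"   # located case-insensitively inside TargetObject

# Constructed snapshot: key path relative to Tree -> {value name: data}.
SAMPLE_TREE = {
    "": {},
    "Microsoft": {},                                   # folder key, no Id, not a task
    "Microsoft\\Windows\\Defrag\\ScheduledDefrag": {
        "Id": "{aaaaaaaa-0000-0000-0000-000000000001}", "Index": 3, "SD": b"\x01\x00\x04\x80"},
    "Updater": {"Id": "{aaaaaaaa-0000-0000-0000-000000000002}", "Index": 3},  # SD deleted
}


def tasks_missing_sd(tree):
    """Return task keys that reference a task (have Id) but carry no SD value.

    Folder keys have no Id and are skipped rather than flagged (assumed layout;
    baseline this on a known-good host before alerting on it).
    """
    return sorted(path for path, vals in tree.items() if "Id" in vals and "SD" not in vals)


def snapshot_task_tree():
    """Walk the live Tree key on Windows (reading it needs an elevated prompt)."""
    import winreg  # Windows-only module, imported lazily so the rest runs anywhere
    tree = {}

    def walk(rel):
        sub = TREE_PATH + ("\\" + rel if rel else "")
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
            vals, i = {}, 0
            while True:                      # EnumValue raises OSError past the last value
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                vals[name] = data
                i += 1
            tree[rel] = vals
            i = 0
            while True:                      # EnumKey raises OSError past the last subkey
                try:
                    child = winreg.EnumKey(key, i)
                except OSError:
                    break
                walk(child if not rel else rel + "\\" + child)
                i += 1

    walk("")
    return tree


# Constructed Sysmon registry events (ID 12 = object create/delete, ID 13 = value set).
SAMPLE_SYSMON = [
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\" + TREE_PATH + "\\Updater\\Index"},
    {"EventID": 12, "EventType": "DeleteValue", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\" + TREE_PATH + "\\Updater\\SD"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\" + TREE_PATH + "\\OldTask"},   # normal task removal
]


def sd_value_deletions(events):
    """Return (task path, image) for each deletion of a Tree\\<task>\\SD value.

    Legitimate task removal deletes the whole task key (DeleteKey); a lone
    DeleteValue of SD is the hiding signature and is what gets reported.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 12 or ev.get("EventType") != "DeleteValue":
            continue
        target = ev.get("TargetObject", "")
        low = target.lower()
        idx = low.find(TREE_MARKER.lower())
        if idx < 0 or not low.endswith("\\sd"):
            continue
        task = target[idx + len(TREE_MARKER):-3]   # drop the trailing "\SD"
        hits.append((task, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    tree = snapshot_task_tree() if sys.platform == "win32" else SAMPLE_TREE
    print("tasks without SD:", tasks_missing_sd(tree))
    print("SD deletions seen:", sd_value_deletions(SAMPLE_SYSMON))
```

The state hunt catches tasks hidden before logging was in place; the event match catches the act itself and names the process that did it. Whichever is used, compare the Tree entries against the output of schtasks /query on the same host: a task present in Tree but absent from schtasks is the condition Tarrask relies on.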

References