|T1564.001||Hidden Files and Directories|
|T1564.004||NTFS File Attributes|
|T1564.005||Hidden File System|
|T1564.006||Run Virtual Instance|
|T1564.008||Email Hiding Rules|
|T1564.010||Process Argument Spoofing|
|T1564.011||Ignore Process Interrupts|
Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off. These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.
Adversaries may invoke processes using
-ErrorAction SilentlyContinue, or similar commands that may be immune to hangups. This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments, such as
Monitor newly created processes for artifacts, such as