Skip to content

T1564 Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.123

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.4

Item Value
ID T1564
Sub-techniques T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010
Tactics TA0005
Platforms Linux, Office 365, Windows, macOS
Version 1.1
Created 26 February 2020
Last Modified 25 March 2022

Procedure Examples

ID Name Description
S0482 Bundlore Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.5
S1066 DarkTortilla DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.6
S0402 OSX/Shlayer OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir=”$(mktemp -d /tmp/XXXXXXXXXXXX)” or mktemp -t Installer.958
S1011 Tarrask Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (SD) registry value.10
S0670 WarzoneRAT WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it’s attempts to elevate privileges through IFileOperation.7


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0022 File File Creation
DS0001 Firmware Firmware Modification
DS0009 Process OS API Execution
DS0012 Script Script Execution
DS0019 Service Service Creation
DS0002 User Account User Account Creation
DS0024 Windows Registry Windows Registry Key Modification