T1564 Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.[3][1][2]

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.[4]

ID: T1564
Sub-techniques: T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010, T1564.011, T1564.012, T1564.013, T1564.014
Tactics: TA0005
Platforms: ESXi, Linux, Office Suite, Windows, macOS
Version: 1.4
Created: 26 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0482 Bundlore Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x`.[8]
S1066 DarkTortilla DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.[10]
S0402 OSX/Shlayer OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[7][8][6]
S1011 Tarrask Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (SD) registry value.[11]
S0670 WarzoneRAT WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[9]
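A defender-side check for the Tarrask row above, added here as an example and not taken from the ATT&CK page or from any of the listed software: it walks the Task Scheduler's TaskCache\Tree registry key (the documented cache location, which the page itself does not name) and reports every entry that has no SD value. The collector only runs on Windows; the sample tree and its task names are constructed for the example.

```python
"""Audit Task Scheduler registry entries for tasks with no security descriptor."""
from typing import Dict, Iterable, List

# Registry key (under HKLM) where the Task Scheduler caches every task and folder.
# Each subkey normally carries an "SD" value holding the entry's security descriptor.
# Removing that value (the Tarrask pattern) makes the task invisible to schtasks and
# the Task Scheduler UI while it keeps running.
TASK_TREE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def tasks_missing_sd(tree: Dict[str, Iterable[str]]) -> List[str]:
    """Return the paths of entries under TaskCache\\Tree that have no 'SD' value.

    `tree` maps a task or folder path (e.g. "\\Microsoft\\Windows\\Defrag") to the
    names of the registry values stored under that key. Value names are compared
    case-insensitively because the registry itself is case-insensitive.
    """
    return sorted(
        path for path, value_names in tree.items()
        if "sd" not in {name.lower() for name in value_names}
    )


def read_task_tree() -> Dict[str, List[str]]:
    """Collect the value names under every TaskCache\\Tree subkey (Windows only)."""
    import winreg  # imported lazily so the pure check above runs on any platform

    tree: Dict[str, List[str]] = {}

    def walk(key_path: str, display: str) -> None:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            num_subkeys, num_values, _ = winreg.QueryInfoKey(key)
            if display:  # skip the Tree root itself; it is not a task or folder
                tree[display] = [winreg.EnumValue(key, i)[0] for i in range(num_values)]
            for i in range(num_subkeys):
                child = winreg.EnumKey(key, i)
                walk(key_path + "\\" + child, display + "\\" + child)

    walk(TASK_TREE, "")
    return tree


# Constructed sample of what read_task_tree() returns: a folder, a normal task, and
# one task whose SD value has been deleted. The names are made up for this example.
SAMPLE_TREE = {
    r"\Microsoft": ["Id", "SD"],
    r"\Microsoft\ExampleTask": ["Id", "Index", "SD"],
    r"\ExampleVendor\UpdateCheck": ["Id", "Index"],  # SD removed: hidden task
}

if __name__ == "__main__":
    import sys
    tree = read_task_tree() if sys.platform == "win32" else SAMPLE_TREE
    for path in tasks_missing_sd(tree):
        print("entry with no SD value (hidden from schtasks):", path)
```

Any path it prints should be compared against the output of schtasks /query; a task present in the registry but absent from that listing is the behaviour the Tarrask entry describes.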

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[5]
M1013 Application Developer Guidance Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.
M1047 Audit Periodically audit virtual machines for abnormalities.
M1033 Limit Software Installation Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.

References