T1564 Hide Artifacts
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.123
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.4
| Item | Value |
|---|---|
| ID | T1564 |
| Sub-techniques | T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010 |
| Tactics | TA0005 |
| Platforms | Linux, Office 365, Windows, macOS |
| Version | 1.1 |
| Created | 26 February 2020 |
| Last Modified | 25 March 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0482 | Bundlore | Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x.5 |
| S1066 | DarkTortilla | DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.6 |
| S0402 | OSX/Shlayer | OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir=”$(mktemp -d /tmp/XXXXXXXXXXXX)” or mktemp -t Installer.958 |
| S1011 | Tarrask | Tarrask is able to create “hidden” scheduled tasks by deleting the Security Descriptor (SD) registry value.10 |
| S0670 | WarzoneRAT | WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide it’s attempts to elevate privileges through IFileOperation.7 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0001 | Firmware | Firmware Modification |
| DS0009 | Process | OS API Execution |
| DS0012 | Script | Script Execution |
| DS0019 | Service | Service Creation |
| DS0002 | User Account | User Account Creation |
| DS0024 | Windows Registry | Windows Registry Key Modification |
References
-
Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. ↩
-
Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. ↩
-
Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018. ↩
-
SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. ↩
-
Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. ↩↩
-
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. ↩
-
Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. ↩
-
Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021. ↩
-
Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. ↩
-
Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. ↩