MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1564: Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-777: Hidden_Scheduled_Task: A hidden scheduled task creation or a hidden modification of an existing scheduled task has been detected without being written to the Windows event log. Creating a task or modifying it can be done directly in the registry, without using the Windows Task Scheduler
mysql_database: PT-CR-619: MySQL_audit_table_modify: An attempt to modify an audit table is detected
mysql_database: PT-CR-621: MySQL_audit_table_rename: An attempt to rename an audit table is detected

Detection

IDDS0002Data source and componentUser Account: User Account MetadataDescription

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0001Data source and componentFirmware: Firmware ModificationDescription

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0012Data source and componentScript: Script ExecutionDescription

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0009Data source and componentProcess: OS API ExecutionDescription

Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0024Data source and componentWindows Registry: Windows Registry Key ModificationDescription

Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0002Data source and componentUser Account: User Account CreationDescription

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0022Data source and componentFile: File CreationDescription

Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0019Data source and componentService: Service CreationDescription

Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection.

IDDS0022Data source and componentFile: File MetadataDescription

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.

Mitigation

IDM1033NameLimit Software InstallationDescription

Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.

IDM1013NameApplication Developer GuidanceDescription

Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.

IDM1049NameAntivirus/AntimalwareDescription

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.