T1564: Hide Artifacts
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_execution: PT-CR-777: Hidden_Scheduled_Task: A hidden scheduled task creation or a hidden modification of an existing scheduled task has been detected without being written to the Windows event log. Creating a task or modifying it can be done directly in the registry, without using the Windows Task Scheduler
mysql_database: PT-CR-619: MySQL_audit_table_modify: An attempt to modify an audit table is detected
mysql_database: PT-CR-621: MySQL_audit_table_rename: An attempt to rename an audit table is detected
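The PT-CR-777 rule above describes scheduled tasks created or modified directly in the registry, bypassing the Task Scheduler and its event logging. The following PowerShell script is an added host-side audit, not Positive Technologies' rule logic: it walks the Task Scheduler registry cache and reports task entries that the scheduler API itself does not list or that lack their SD security-descriptor value. It assumes the documented TaskCache layout (Tree and Tasks subkeys) and the ScheduledTasks module, and should be run from an elevated session.

```powershell
# Added example: reconcile the Task Scheduler registry cache with the scheduler's own view.
$scheduleRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-HiddenScheduledTaskFindings {
    # Tasks as the scheduler reports them (the view schtasks.exe and taskschd.msc show).
    $visible = @{}
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $key = (($t.TaskPath + $t.TaskName) -replace '^\\', '').ToLowerInvariant()
        $visible[$key] = $true
    }

    $treeRoot  = Join-Path $scheduleRoot 'Tree'
    $tasksRoot = Join-Path $scheduleRoot 'Tasks'

    # Walk every node of the Tree cache; folders and tasks both live here.
    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $node = $_
        $id   = $node.GetValue('Id', $null)
        # Folder nodes also carry an Id. An Index value or a matching Tasks\{Id} key
        # marks a real task (assumption based on the documented cache layout).
        $isTask = ($null -ne $node.GetValue('Index', $null)) -or
                  ($id -and (Test-Path (Join-Path $tasksRoot $id)))
        if (-not $isTask) { return }

        # Relative task path, e.g. Microsoft\Windows\AppID\SmartScreenSpecific
        $relPath = $node.Name.Substring($node.Name.IndexOf('\Tree\') + 6)
        $reasons = @()
        if ($null -eq $node.GetValue('SD', $null)) {
            $reasons += 'SD value missing from registry cache'
        }
        if (-not $visible.ContainsKey($relPath.ToLowerInvariant())) {
            $reasons += 'present in registry cache but not reported by the scheduler'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $relPath
                Id       = $id
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list every task entry that deserves a closer look.
Get-HiddenScheduledTaskFindings | Format-Table -AutoSize
```

Any finding should be correlated with registry-modification telemetry (DS0024) for the TaskCache keys, since the scheduler's own event log will not contain the creation.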
Detection
ID | Data source and component | Description
---|---|---
DS0002 | User Account: User Account Metadata | Monitor contextual data about accounts (username, user ID, environmental data) for signs of attempts to hide artifacts associated with adversary behavior to evade detection.
DS0001 | Firmware: Firmware Modification | Monitor for changes made to firewall rules, looking for unexpected modifications that allow or block specific network traffic and may be used to hide artifacts associated with adversary behavior to evade detection.
DS0015 | Application Log: Application Log Content | Monitor third-party application logging, messaging, and other artifacts for signs of attempts to hide artifacts associated with adversary behavior to evade detection.
DS0012 | Script: Script Execution | Any attempt to enable scripts on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running outside of patching cycles or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
DS0009 | Process: Process Creation | Monitor newly executed processes that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0009 | Process: OS API Execution | Monitor for API calls that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to Windows registry keys and/or values that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0002 | User Account: User Account Creation | Monitor for newly created user accounts that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0022 | File: File Modification | Monitor for changes made to files that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0022 | File: File Creation | Monitor for newly created files that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0019 | Service: Service Creation | Monitor for newly created services/daemons that may attempt to hide artifacts associated with adversary behavior to evade detection.
DS0022 | File: File Metadata | Monitor contextual data about files (name, content such as signature, headers, or data/media, user/owner, permissions) for signs of attempts to hide artifacts associated with adversary behavior to evade detection.
Mitigation
ID | Name | Description
---|---|---
M1033 | Limit Software Installation | Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.
M1013 | Application Developer Guidance | Application developers should consider limiting the requirements for custom or otherwise difficult-to-manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.
M1049 | Antivirus/Antimalware | Review and audit file/folder exclusions, and limit the scope of exclusions to only what is required where possible.