# T1564 Hide Artifacts

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

## Technique Detection

Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

  * Office 365

### Data Sources:

  * **Application Log:** Application Log Content

  * **Command:** Command Execution

  * **User Account:** User Account Metadata

  * **File:** File Modification

  * **Service:** Service Creation

  * **File:** File Metadata

  * **Process:** OS API Execution

  * **File:** File Creation

  * **Windows Registry:** Windows Registry Key Modification

  * **Firmware:** Firmware Modification

  * **User Account:** User Account Creation

  * **Script:** Script Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group | Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1564)

  * [Sofacy Komplex Trojan](https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/), Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.

  * [Cybereason OSX Pirrit](https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf), Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.

  * [MalwareBytes ADS July 2015](https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/), Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.

  * [Sophos Ragnar May 2020](https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/), SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversary will hide files on the filesystem

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- .

## Analytical References

  * https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html
  * https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
  * https://www.hackingarticles.in/defense-evasion-hide-artifacts/
  * https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-setfileattributesa?redirectedfrom=MSDN
  * https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html
  * https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- .

#### Analytic 1

  * **Information:** 'Creating hidden folders/files with the Hidden attribute'

  * **Source:** 'Sysmon'

  * **Tool:** 'Kibana'

  * **Notes:** 'Kibana query over Sysmon process-creation events (Event ID 1) looking for the attrib command setting the Hidden attribute, or a PowerShell command line that sets a file to Hidden. The PowerShell query matches any command line containing the word "Hidden" and will need tuning for the environment.'

  * **Query:**

    attrib:

    ```
    event_id: 1 and process_command_line: "attrib +h"
    ```

    powershell:

    ```
    event_id: 1 and process_command_line: "Hidden"
    ```
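As an added example (not part of this notebook or of the MITRE page), the two Analytic 1 rules applied in Python to constructed Sysmon Event ID 1 records. The field names `event_id`, `image` and `process_command_line` are assumed to match the index queried above; the PowerShell rule is narrowed to PowerShell images and attribute-setting syntax instead of any occurrence of the word "Hidden", which is the main source of noise in the raw query.

```python
import re

# Constructed Sysmon Event ID 1 records (field names match the Kibana query
# above); sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "process_command_line": r"attrib +s +h C:\Users\Public\stage"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process_command_line": "powershell -c \"Set-ItemProperty -Path C:\\Temp\\x.dll "
                             "-Name Attributes -Value Hidden\""},
    {"event_id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "process_command_line": r"attrib -r C:\work\report.docx"},       # clears read-only, no +h
    {"event_id": 3, "image": r"C:\Windows\System32\attrib.exe",
     "process_command_line": r"attrib +h C:\stage\secret.txt"},       # not a process-creation event
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "process_command_line": r"notepad.exe C:\docs\HiddenGems.txt"},  # benign "Hidden" substring
]

# attrib(.exe) followed anywhere on the line by +h / +H (also tolerates "+ h").
ATTRIB_HIDE = re.compile(r"\battrib(?:\.exe)?\b.*\+\s*h\b", re.IGNORECASE)
# PowerShell setting the Hidden attribute: -Value Hidden, [IO.FileAttributes]::Hidden,
# or an assignment to .Attributes that names Hidden.
PS_HIDE = re.compile(
    r"(?:-Value\s+['\"]?Hidden|FileAttributes\]::Hidden|Attributes\s*=.*\bHidden\b)",
    re.IGNORECASE,
)
PS_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def classify(event):
    """Return the name of the rule an Event ID 1 record trips, or None."""
    if event.get("event_id") != 1:
        return None
    cmd = event.get("process_command_line", "")
    image = event.get("image", "").lower()
    if ATTRIB_HIDE.search(cmd):
        return "attrib_hidden"
    if image.endswith(PS_IMAGES) and PS_HIDE.search(cmd):
        return "powershell_hidden"
    return None


def hunt(events):
    """Return (index, rule) for every record that matches a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for i, rule in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {rule}: {SAMPLE_EVENTS[i]['process_command_line']}")
```

Only the first two sample records are flagged; the `attrib -r`, non-Event-ID-1 and `HiddenGems.txt` records are dropped, which is the behaviour the raw "Hidden" query lacks.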


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------
