T1564

Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex T...

Platforms: Linux, Office Suite, Windows, macOS, ESXi

44 Detections
3 Sources
0 Threat Actors

BY SOURCE

elastic: 32
sigma: 10
splunk_escu: 2

PROCEDURES (30)

Procedure categories and their detection counts (all auto-extracted):

Process Creation Monitoring: 5 detections
General Monitoring: 4 detections
Evasion: 2 detections
Persist: 2 detections
Exfiltrat: 2 detections
Privilege: 2 detections
Kernel: 2 detections
Registry: 2 detections
Suspicious: 2 detections
Evasion: 1 detection
Masquerad: 1 detection
Child Process: 1 detection
Parent Process: 1 detection
Service: 1 detection
Driver: 1 detection
Service: 1 detection
Child Process: 1 detection
Unusual: 1 detection
Script Execution Monitoring: 1 detection
Parent Process: 1 detection
Network Connection Monitoring: 1 detection
Container: 1 detection
Driver: 1 detection
Persist: 1 detection
Registry Monitoring: 1 detection
Masquerad: 1 detection
Unusual: 1 detection
Unusual: 1 detection
Cloud Monitoring: 1 detection
Suspicious: 1 detection

DETECTIONS (44)

Each entry lists the detection name followed by its source and severity:

Adding Hidden File Attribute via Attrib (elastic, low)
Alternate Data Stream Creation/Execution at Volume Root Directory (elastic, medium)
CrashControl CrashDump Disabled (sigma, medium)
Creation of a Hidden Local User Account (elastic, high)
Creation of Hidden Files and Directories via CommandLine (elastic, low)
Creation of Hidden Launch Agent or Daemon (elastic, medium)
Creation of Hidden Shared Object File (elastic, medium)
Directory Creation in /bin directory (elastic, low)
Executable Masquerading as Kernel Process (elastic, high)
File Creation in /var/log via Suspicious Process (elastic, medium)
Hidden Directory Creation via Unusual Parent (elastic, low)
Hidden Files and Directories via Hidden Flag (elastic, medium)
High Number of Egress Network Connections from Unusual Executable (elastic, medium)
Kill Command Execution (elastic, low)
M365 Exchange Inbox Phishing Evasion Rule Created (elastic, medium)
Mount Execution With Hidepid Parameter (sigma, medium)
Persistence via a Hidden Plist Filename (elastic, high)
Persistence via Hidden Run Key Detected (elastic, high)
Potential Hidden Local User Account Creation (elastic, medium)
Potential Hidden Process via Mount Hidepid (elastic, high)
Potential Kubectl Masquerading via Unexpected Process (elastic, medium)
Potentially Suspicious Execution From Parent Process In Public Folder (sigma, high)
Process Backgrounded by Unusual Parent (elastic, low)
PUA - Process Hacker Execution (sigma, medium)
PUA - System Informer Execution (sigma, medium)
Service DACL Modification via sc.exe (elastic, medium)
Suspicious Creation with Colorcpl (sigma, high)
Suspicious Executable File Creation (sigma, high)
Suspicious Hidden Child Process of Launchd (elastic, medium)
Suspicious Path Invocation from Command Line (elastic, low)
Suspicious Path Mounted (elastic, medium)
Suspicious Process Execution Detected via Defend for Containers (elastic, high)
Sysmon Configuration Error (sigma, high)
Sysmon Configuration Modification (sigma, high)
System Binary Moved or Copied (elastic, medium)
System Binary Symlink to Suspicious Location (elastic, low)
Unusual File Creation - Alternate Data Stream (elastic, high)
Unusual Interactive Shell Launched from System User (elastic, medium)
Unusual Login via System User (elastic, medium)
Unusual Process Execution Path - Alternate Data Stream (elastic, medium)
Virtualbox Driver Installation or Starting of VMs (sigma, low)
Windows New Deny Permission Set On Service SD Via Sc.EXE (splunk_escu, no severity listed)
Windows New Service Security Descriptor Set Via Sc.EXE (splunk_escu, no severity listed)
Windows Sandbox with Sensitive Configuration (elastic, medium)