Hide Artifacts T1564
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Events covered
21 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 92 rules listed below (57 Sigma, 9 Elastic, 26 Splunk): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so the counts in these tables are numbers of rules, not numbers of predicates.
Fields filtered most (40 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (702 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; pair them with a second condition to get useful signal. A blank cell means no rule outside this technique checks that combination. Click a value to expand the rules under this technique that use it.
Exclusions (94 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 57 rules
- Atomic MacOS Stealer - Persistence Indicators
- Browser Execution In Headless Mode
- Cmd Launched with Hidden Start Flags to Suspicious Targets
- CrashControl CrashDump Disabled
- Detection of default a Windows host name in login attempts
- Displaying Hidden Files Feature Disabled
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- Extended rights backdoor obfuscation (via localizationDisplayId attribute)
- File Download with Headless Browser
- HackTool - Covenant PowerShell Launcher
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Hiding Files with Attrib.exe
- Hiding User Account Via SpecialAccounts Registry Key
- Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
- Insensitive Subfolder Search Via Findstr.EXE
- Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
- NTFS Alternate Data Stream
- Potential Data Stealing Via Chromium Headless Debugging
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- Potential Rundll32 Execution With DLL Stored In ADS
- Potential Suspicious Activity Using SeCEdit
- Potentially Suspicious Execution From Parent Process In Public Folder
- Powershell Executed From Headless ConHost Process
- PowerShell Logging Disabled Via Registry Key Tampering
- Powershell Store File In Alternate Data Stream
- PrintBrm ZIP Creation of Extraction
- PUA - AdvancedRun Execution
- PUA - Process Hacker Execution
- PUA - System Informer Execution
- Registry Persistence via Service in Safe Mode
- Remote File Download Via Findstr.EXE
- Run PowerShell Script from ADS
- Set Files as System Files Using Attrib.EXE
- Set Suspicious Files as System Files Using Attrib.EXE
- Suspicious Creation with Colorcpl
- Suspicious Diantz Alternate Data Stream Execution
- Suspicious Executable File Creation
- Suspicious Extrac32 Alternate Data Stream Execution
- Suspicious File Download From File Sharing Websites - File Stream
- Suspicious Hyper-V Cmdlets
- Suspicious PowerShell WindowStyle Option
- Sysmon Configuration Error
- Sysmon Configuration Modification
- Unusual File Download from Direct IP Address
- Unusual File Download From File Sharing Websites - File Stream
- Use Icacls to Hide File to Everyone
- Use NTFS Short Name in Command Line
- Use NTFS Short Name in Image
- Use Short Name Path in Command Line
- Use Short Name Path in Image
- Virtualbox Driver Installation or Starting of VMs
- Windows Subsystem for Linux (WSL) installation (command)
- Windows Subsystem for Linux (WSL) installation (PowerShell)
Elastic 9 rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Creation of a Hidden Local User Account
- File Staged in Root Folder of Recycle Bin
- Persistence via Hidden Run Key Detected
- Service DACL Modification via sc.exe
- Unusual File Creation - Alternate Data Stream
- Unusual Process Execution Path - Alternate Data Stream
- Windows Sandbox with Sensitive Configuration
Splunk 26 rules
- Attrib.exe Metasploit File Dropper (EDR)
- Attrib.exe Metasploit File Dropper (Sysmon)
- Attrib.exe Metasploit File Dropper (Windows Event Log)
- Disable Show Hidden Files
- Esentutl Execution (PowerShell)
- Esentutl Execution (Sysmon)
- Esentutl Execution (Windows Event Log)
- Expand.exe Execution (PowerShell)
- Expand.exe Execution (Sysmon)
- Expand.exe Execution (Windows Event Log)
- Headless Browser Mockbin or Mocky Request
- Headless Browser Usage
- Hidden User Created - Windows (Sysmon)
- Hidden User Created - Windows (Windows Event Log)
- Parent in Public Folder Suspicious Process (Sysmon)
- Parent in Public Folder Suspicious Process (Windows Event Log)
- PowerShell Hidden Window (PowerShell)
- PowerShell Hidden Window (Windows Event Log)
- Windows Alternate DataStream - Base64 Content
- Windows Alternate DataStream - Executable Content
- Windows Alternate DataStream - Process Execution
- Windows ConHost with Headless Argument
- Windows New Deny Permission Set On Service SD Via Sc.EXE
- Windows New Service Security Descriptor Set Via Sc.EXE
- Windows Suspicious QEMU Execution
- Windows SymbolicLink-Testing-Tools Utility Execution