Hide Artifacts T1564

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.

Events covered

21 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 96 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (40 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 50 | contains 35, regex_match 12, match 5, ends_with 1, eq 1, in 1, is_not_null 1, wildcard 1 | --headless, (?i)\.cab|(-|\/)F:|\x5cAppData\x5c|(Local|Roaming)\x5cTemp\x5c, attrib.+?\.dll, (?i)(\s+ADD\s+.*\/d.*0), (?i)(esentutl|\.exe)\"?\s.*\/y\s.*\/d\s
Image | 27 | ends_with 25, contains 5, eq 2, match 1, starts_with 1 | \attrib.exe, \appdata\, \brave.exe, \chrome.exe, \cmd.exe
EventID | 17 | eq 17 | 4688, 1, 4103, 4104, 15
OriginalFileName | 17 | eq 17 | attrib.exe, sc.exe, findstr.exe, advancedrun.exe, cmd.exe
TargetFilename | 12 | contains 4, ends_with 3, regex_match 2, starts_with 2, eq 1, match 1, wildcard 1 | (?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$, .bat:zone, .cmd:zone, .dll:zone, .bat.exe
process_name | 12 | eq 6, in 3, match 2, wildcard 1 | sc.exe, (?i)expand\.exe, appvlp.exe, attrib.exe, baitandswitch.exe
event.type | 9 | eq 8, in 1 | start, creation, change
Details | 7 | eq 6, is_not_null 1, length_compare 1 | DWORD (0x00000000), 0, 0x00000000, 0x00000001, >
ParentImage | 7 | ends_with 6, eq 3, contains 2, starts_with 1 | \thor\thor64.exe, \webex\webexhost.exe, :\users\public\, \appdata\local\temp\winget\, \aurora-agent-64.exe
ScriptBlockText | 7 | contains 7 | $psscriptroot\module\workspacescriptmodule\workspacescriptmodule, -argumentlist , -filepath "$env:comspec" , -stream, :\program files\amazon\workspacesconfig\scripts\
TargetObject | 7 | contains 4, ends_with 4, wildcard 1 | \(default), \control\safeboot\minimal\, \control\safeboot\minimal\hexnode agent\(default), \enablescripts, \microsoft\powershellcore\
Type | 6 | eq 6 |
Description | 5 | eq 3, contains 2 | InstallShield (R) Setup Engine, Process Hacker, System Informer, failed to connect to the driver to update configuration, failed to open service configuration with error
Contents | 4 | contains 2, regex_match 2 | .githubusercontent.com, anonfiles.com, cdn.discordapp.com, (?:[A-Za-z0-9+/]{128,})(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$, http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
Hashes | 4 | contains 4 | imphash=, imphash=00000000000000000000000000000000, imphash=021bcca20ba3381b11bdde26b4e62f20, imphash=03866661686829d806989e2fc5a72606, imphash=04de0ad9c37eb7bd52043d2ecac958df

Top indicator values (702 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
CommandLine | contains | --headless | 6 | 8
CommandLine | contains | .cab | 3 | 5
CommandLine | contains | --disable-gpu | 2 | 2
CommandLine | contains | .bat | 2 | 11
CommandLine | contains | .hta | 2 | 7
CommandLine | contains | .ps1 | 2 | 4
CommandLine | contains | .vbe | 2 | 5
CommandLine | contains | .vbs | 2 | 7
CommandLine | contains | \downloads\ | 2 | 14
CommandLine | contains | \users\public\ | 2 | 17
CommandLine | contains | certutil | 2 | 12
CommandLine | contains | findstr | 2 | 8
CommandLine | contains | powershell | 2 | 25
CommandLine | contains | sdset | 2 | 3
EventID | eq | 4688 | 6 | 312
EventID | eq | 1 | 5 | 232
EventID | eq | 4103 | 3 | 105
EventID | eq | 4104 | 3 | 268
event.type | eq | start | 5 | 241
event.type | eq | creation | 3 | 20
Details | eq | DWORD (0x00000000) | 4 | 40
OriginalFileName | eq | attrib.exe | 4 | 5
OriginalFileName | eq | sc.exe | 3 | 26
ParentImage | ends_with | \thor\thor64.exe | 4 | 4
ParentImage | ends_with | \webex\webexhost.exe | 4 | 4
CommandLine | match | (?i)\.cab|(-|\/)F:|\x5cAppData\x5c|(Local|Roaming)\x5cTemp\x5c | 3 | 3
CommandLine | match | (?i)(\s+ADD\s+.*\/d.*0) | 2 | 2
CommandLine | regex_match | attrib.+?\.dll | 3 | 3
Image | ends_with | \attrib.exe | 3 | 5
process_name | eq | sc.exe | 3 | 27

Exclusions (94 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out; a new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
ParentImage | ends_with | \thor\thor64.exe | 4
ParentImage | ends_with | \webex\webexhost.exe | 4
CommandLine | match | (?i):\x5cProgramData\x5cDell\x5cUpdateService\x5cTemp\x5c | 3
Image | contains | \appdata\ | 2
Image | contains | \temp\ | 2
ParentImage | eq | c:\windows\system32\cleanmgr.exe | 2
ParentImage | eq | c:\windows\system32\dism.exe | 2
parent_process_name | match | (?i):\x5cProgram\sFiles\s\(x86\)\x5cDell\x5cUpdateService\x5cServiceShell\.exe | 2
CommandLine | contains | --headless --disable-gpu --disable-extensions --disable-plugins --mute-audio... | 1
CommandLine | contains | .exe | 1
CommandLine | contains | \appdata\local\temp\ | 1
CommandLine | contains | \appdata\local\webex\webex64\meetings\wbxreport.exe | 1
CommandLine | contains | \desktop.ini | 1
CommandLine | contains | \windows\temp\ | 1
CommandLine | contains | c:\program files\git\cmd\scalar.exe | 1
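The two points made above, that a widely shared indicator needs a second condition before it carries signal and that the high-count exclusions remove known false-positive paths, are easiest to see by running a rule in stages over sample events. The following is an added example, not code from the catalog or from any of the rule vendors it indexes. The evaluator, the event records, the host paths and the user name are constructed for illustration; the field names (Image, CommandLine, ParentImage), the operators and the indicator values (\attrib.exe, attrib.+?\.dll, \thor\thor64.exe) are taken from the tables on this page.

```python
import re
from typing import Callable, Dict, List

# Constructed Sysmon-style process-creation events (EventID 1); none is from a real host.
EVENTS: List[Dict[str, str]] = [
    # attrib hiding a DLL under a user's AppData: the behaviour the technique describes.
    {"EventID": "1", "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib +h +s C:\Users\alice\AppData\Roaming\loader.dll"},
    # Same tool and same DLL pattern, but launched by the THOR scanner, the
    # parent the exclusions table ranks highest.
    {"EventID": "1", "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Tools\thor\thor64.exe",
     "CommandLine": r"attrib +h C:\Tools\thor\scan.dll"},
    # Benign attrib use: clearing the read-only flag on a text file.
    {"EventID": "1", "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"attrib -r C:\Users\alice\notes.txt"},
    # Unrelated process start; should never match.
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

Predicate = Callable[[Dict[str, str]], bool]


# Operators from the catalog's "How" column. String comparisons are
# case-insensitive, as Sigma's default string modifiers are.
def ends_with(field: str, value: str) -> Predicate:
    return lambda e: e.get(field, "").lower().endswith(value.lower())


def contains(field: str, value: str) -> Predicate:
    return lambda e: value.lower() in e.get(field, "").lower()


def regex_match(field: str, pattern: str) -> Predicate:
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.get(field, "")) is not None


def evaluate(events: List[Dict[str, str]], selection: List[Predicate],
             exclusions: List[Predicate] = ()) -> List[Dict[str, str]]:
    """Keep events where every selection predicate holds and no exclusion
    (a top-level not() clause) holds."""
    return [e for e in events
            if all(p(e) for p in selection) and not any(x(e) for x in exclusions)]


def single_indicator(events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, str]]:
    # Stage 1: one shared indicator on its own. Every attrib.exe start fires,
    # including routine file-flag changes.
    return evaluate(events, [ends_with("Image", r"\attrib.exe")])


def combined_selection(events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, str]]:
    # Stage 2: AND a second, technique-specific indicator from the page.
    return evaluate(events, [ends_with("Image", r"\attrib.exe"),
                             regex_match("CommandLine", r"attrib.+?\.dll")])


def full_rule(events: List[Dict[str, str]] = EVENTS) -> List[Dict[str, str]]:
    # Stage 3: apply the most common exclusion from the exclusions table.
    return evaluate(events,
                    [ends_with("Image", r"\attrib.exe"),
                     regex_match("CommandLine", r"attrib.+?\.dll")],
                    [ends_with("ParentImage", r"\thor\thor64.exe")])


if __name__ == "__main__":
    for name, fn in (("single indicator", single_indicator),
                     ("combined selection", combined_selection),
                     ("with exclusion", full_rule)):
        hits = fn()
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h["ParentImage"], "->", h["CommandLine"])
```

Run as a script, the hit count drops from three to two to one as each stage is added; the remaining event is the hidden DLL written under AppData by a cmd.exe child. The ordering mirrors how the tables are meant to be read: pick the indicators with the lowest corpus reach that still describe the behaviour, then copy the exclusions with the highest counts before the rule goes live.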

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 57 rules

Elastic 9 rules

Splunk 26 rules

Kusto 4 rules