Home/ MITRE Matrix/ Defense Evasion/ T1564

T1564Hide Artifacts

T1564 — Hide Artifacts is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 5 detection use cases covering it and 4 threat-intel articles citing it.

Defense Evasion

View on the matrix → Filter Detection Library MITRE official spec ↗

5Use cases

4Articles

14Sub-techniques

1Tactic

Sub-techniques (14)

T1564.013 · Bind Mounts T1564.008 · Email Hiding Rules T1564.014 · Extended Attributes T1564.012 · File/Path Exclusions T1564.005 · Hidden File System T1564.001 · Hidden Files and Directories T1564.002 · Hidden Users T1564.003 · Hidden Window T1564.011 · Ignore Process Interrupts T1564.004 · NTFS File Attributes T1564.010 · Process Argument Spoofing T1564.009 · Resource Forking T1564.006 · Run Virtual Instance T1564.007 · VBA Stomping

Use cases covering this technique (5)

Windows New Deny Permission Set On Service SD Via Sc.EXE ESCU actions · hunting P Windows New Service Security Descriptor Set Via Sc.EXE ESCU actions · hunting P [LLM] Atomic Arch: eBPF rootkit pinned maps hidden_pids/hidden_names/hidden_inodes in /sys/fs/bpf/ Bespoke install · alerting DSΣPDDCS [LLM] __DAEMONIZED=1 environment marker on spawned process Bespoke install · alerting DSΣPDDCS [LLM] fast16 Carrier Runtime Artefacts (SvcMgmt service / pipe p577 / \Device\fast16) Bespoke install · hunting DSP

Articles citing this technique (4)

high Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit art-17

high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183

crit fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet art-360

crit Sednit reloaded: Back in the trenches art-477