Hide Artifacts - T1564
(ATT&CK® Technique)
Definition
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
%% D3FEND inferred-relationship graph for ATT&CK technique T1564 (Hide Artifacts).
%% Solid edges link a technique to a digital artifact it acts on.
%% Dashed edges link a defensive technique to T1564 and all carry "may-*" labels:
%% they are inferred relationships (per the page heading), so read them as
%% candidate countermeasures to evaluate, not as confirmed coverage.
%% Edges stay in their original order. The repeated class/click statements of the
%% generated source are collapsed into one declaration per node at the end.
graph LR;

%% --- Offensive technique -> artifacts it may create, modify or execute ---
T1564["Hide Artifacts"] --> |may-create| Directory["Directory"];
T1564 --> |may-create| ResourceFork["Resource Fork"];
T1564 --> |may-modify| ResourceFork;
T1564 --> |may-modify| SystemConfigurationDatabase["System Configuration Database"];
T1564 --> |modifies| Storage["Storage"];
T1564 --> |creates| File["File"];
T1564 --> |modifies| FileSystemMetadata["File System Metadata"];
T1564 --> |modifies| ApplicationConfiguration["Application Configuration"];
T1564 --> |executes| VirtualizationSoftware["Virtualization Software"];
T1564 --> |may-add| VirtualizationSoftware;
T1564 --> |may-modify| PropertyListFile["Property List File"];
T1564 --> |modifies| OfficeApplicationFile["Office Application File"];
T1564 --> |modifies| UserInitConfigurationFile["User Init Configuration File"];
T1564 --> |may-create| EmailRule["Email Rule"];
T1564 --> |may-modify| EmailRule;

%% --- Deceive ---
DecoyFile["Decoy File"] --> | spoofs | UserInitConfigurationFile;
DecoyFile -.-> | may-deceive | T1564;
DecoyFile --> | spoofs | OfficeApplicationFile;
DecoyFile --> | spoofs | File;
DecoyFile --> | spoofs | PropertyListFile;

%% --- Detect: dynamic / emulated analysis and file integrity monitoring ---
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | OfficeApplicationFile;
DynamicAnalysis -.-> | may-detect | T1564;
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | OfficeApplicationFile;
EmulatedFileAnalysis -.-> | may-detect | T1564;
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OfficeApplicationFile;
FileIntegrityMonitoring -.-> | may-detect | T1564;
FileIntegrityMonitoring --> | analyzes | File;
FileIntegrityMonitoring --> | analyzes | UserInitConfigurationFile;
FileIntegrityMonitoring --> | analyzes | PropertyListFile;

%% --- Evict ---
FileEviction["File Eviction"] --> | deletes | File;
FileEviction -.-> | may-evict | T1564;
FileEviction --> | deletes | PropertyListFile;
FileEviction --> | deletes | UserInitConfigurationFile;
FileEviction --> | deletes | OfficeApplicationFile;

%% --- Harden ---
ApplicationConfigurationHardening["Application Configuration Hardening"] --> | hardens | EmailRule;
ApplicationConfigurationHardening -.-> | may-harden | T1564;
ApplicationConfigurationHardening --> | hardens | ApplicationConfiguration;
SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase;
SystemConfigurationPermissions -.-> | may-harden | T1564;
FileEncryption["File Encryption"] --> | encrypts | OfficeApplicationFile;
FileEncryption -.-> | may-harden | T1564;
FileEncryption --> | encrypts | PropertyListFile;
FileEncryption --> | encrypts | UserInitConfigurationFile;
FileEncryption --> | encrypts | File;
SoftwareUpdate["Software Update"] --> | updates | VirtualizationSoftware;
SoftwareUpdate -.-> | may-harden | T1564;
DiskEncryption["Disk Encryption"] --> | encrypts | Storage;
DiskEncryption -.-> | may-harden | T1564;

%% --- Isolate: local file permissions ---
LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitConfigurationFile;
LocalFilePermissions -.-> | may-isolate | T1564;
LocalFilePermissions --> | restricts | OfficeApplicationFile;
LocalFilePermissions --> | restricts | Directory;
LocalFilePermissions --> | restricts | File;
LocalFilePermissions --> | restricts | PropertyListFile;

%% --- Restore (Restore File edges are split in the generated source; order kept) ---
RestoreFile["Restore File"] --> | restores | UserInitConfigurationFile;
RestoreFile -.-> | may-restore | T1564;
RestoreDatabase["Restore Database"] --> | restores | SystemConfigurationDatabase;
RestoreDatabase -.-> | may-restore | T1564;
RestoreSoftware["Restore Software"] --> | restores | VirtualizationSoftware;
RestoreSoftware -.-> | may-restore | T1564;
RestoreFile --> | restores | PropertyListFile;
RestoreFile --> | restores | OfficeApplicationFile;
RestoreFile --> | restores | File;
RestoreConfiguration["Restore Configuration"] --> | restores | EmailRule;
RestoreConfiguration -.-> | may-restore | T1564;
RestoreConfiguration --> | restores | ApplicationConfiguration;

%% --- Detect: file analysis, binary verification, session init config analysis ---
FileAnalysis["File Analysis"] --> | analyzes | UserInitConfigurationFile;
FileAnalysis -.-> | may-detect | T1564;
FileAnalysis --> | analyzes | OfficeApplicationFile;
FileAnalysis --> | analyzes | File;
FileAnalysis --> | analyzes | PropertyListFile;
ServiceBinaryVerification["Service Binary Verification"] --> | verifies | VirtualizationSoftware;
ServiceBinaryVerification -.-> | may-detect | T1564;
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] --> | analyzes | UserInitConfigurationFile;
UserSessionInitConfigAnalysis -.-> | may-detect | T1564;

%% --- Isolate: remote file access mediation ---
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | File;
RemoteFileAccessMediation -.-> | may-isolate | T1564;
RemoteFileAccessMediation --> | isolates | PropertyListFile;
RemoteFileAccessMediation --> | isolates | UserInitConfigurationFile;
RemoteFileAccessMediation --> | isolates | OfficeApplicationFile;

%% --- Node styling: one class assignment per node kind ---
class T1564 OffensiveTechniqueNode;
class Directory,ResourceFork,SystemConfigurationDatabase,Storage,File,FileSystemMetadata,ApplicationConfiguration,VirtualizationSoftware,PropertyListFile,OfficeApplicationFile,UserInitConfigurationFile,EmailRule ArtifactNode;
class DecoyFile,DynamicAnalysis,EmulatedFileAnalysis,FileIntegrityMonitoring,FileEviction,ApplicationConfigurationHardening,SystemConfigurationPermissions,FileEncryption,SoftwareUpdate,DiskEncryption,LocalFilePermissions,RestoreFile,RestoreDatabase,RestoreSoftware,RestoreConfiguration,FileAnalysis,ServiceBinaryVerification,UserSessionInitConfigAnalysis,RemoteFileAccessMediation DefensiveTechniqueNode;

%% --- Node links: offensive technique ---
click T1564 href "/offensive-technique/attack/T1564/";

%% --- Node links: artifacts ---
click Directory href "/dao/artifact/d3f:Directory";
click ResourceFork href "/dao/artifact/d3f:ResourceFork";
click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
click Storage href "/dao/artifact/d3f:Storage";
click File href "/dao/artifact/d3f:File";
click FileSystemMetadata href "/dao/artifact/d3f:FileSystemMetadata";
click ApplicationConfiguration href "/dao/artifact/d3f:ApplicationConfiguration";
click VirtualizationSoftware href "/dao/artifact/d3f:VirtualizationSoftware";
click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click OfficeApplicationFile href "/dao/artifact/d3f:OfficeApplicationFile";
click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
click EmailRule href "/dao/artifact/d3f:EmailRule";

%% --- Node links: defensive techniques ---
click DecoyFile href "/technique/d3f:DecoyFile";
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";
click FileEviction href "/technique/d3f:FileEviction";
click ApplicationConfigurationHardening href "/technique/d3f:ApplicationConfigurationHardening";
click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions";
click FileEncryption href "/technique/d3f:FileEncryption";
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate";
click DiskEncryption href "/technique/d3f:DiskEncryption";
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
click RestoreFile href "/technique/d3f:RestoreFile";
click RestoreDatabase href "/technique/d3f:RestoreDatabase";
click RestoreSoftware href "/technique/d3f:RestoreSoftware";
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";
click FileAnalysis href "/technique/d3f:FileAnalysis";
click ServiceBinaryVerification href "/technique/d3f:ServiceBinaryVerification";
click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis";
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";