T1564.004: T1564.004
Essential information
- MITRE technique ID
- T1564.004
- Confidence
- 100/100
- Revoked
- No
- Published
- 16/12/2025 19:38
- Modified
- 08/05/2026 11:19
- Author / Source
- The MITRE Corporation
Aliases
NTFS File Attributes
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (7)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 15:51 · Modified 21/12/2025 15:51
- CL-STA-1020 uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 15:03 · Modified 21/12/2025 15:03
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 09/06/2026 11:00 · Modified 09/06/2026 11:00
- The MITRE Corporation · Confidence 100
  [APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- The MITRE Corporation · Confidence 100
  [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …
  First seen 01/01/1970 · Last seen 16/11/5138 · Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
- Gamaredon uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 20:11 · Modified 20/12/2025 20:11
- Lazarus uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 21:17 · Modified 29/05/2026 12:20
Malware (42)
- Agamemnon downloader uses · Family · Published 24/04/2025 08:13 · Modified 24/04/2025 08:13
- Guildma uses · Family · Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
- BitPaymer
- Lumma uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 23:50 · Modified 21/12/2025 16:13
- wAgent uses · Family · Published 24/04/2025 08:13 · Modified 24/04/2025 08:13
- sfsvc.exe uses · Family · Published 07/05/2026 12:22 · Modified 07/05/2026 12:22
- Family · Published 31/01/2025 09:53 · Modified 31/01/2025 09:53
- GIFTEDCROOK uses · Family · Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
- SmokeLoader uses · Family · Published 16/09/2025 08:02 · Modified 16/09/2025 08:02
- TEXTMATE
- SIGNBT uses · Family · Published 24/04/2025 08:13 · Modified 24/04/2025 08:13
- Bankshot
Reports (14)
- AlienVault · Confidence 100 · 19 MITREs · 3 Malwares · 12 IOCs · 9 Observables · Published 22/06/2026 13:01 · threat-report
- AlienVault · Confidence 100 · 1 CVE · 10 MITREs · 10 IOCs · 1 APT · Published 19/06/2026 06:31 · threat-report
- AlienVault · Confidence 100 · 19 MITREs · 1 Malware · 34 IOCs · 34 Observables · Published 09/06/2026 22:11 · Modified 10/06/2026 11:00 · threat-report
- AlienVault · Confidence 100 · 3 CVEs · 16 MITREs · 2 Malwares · 53 IOCs · 53 Observables · 1 APT · Published 08/06/2026 12:30 · Modified 09/06/2026 09:00 · threat-report
- 18 MITREs · 5 Malwares · 2 Observables · 1 APT · Published 04/06/2026 13:57 · Modified 05/06/2026 09:12
- 19 MITREs · 5 Malwares · 1 Observable · 1 APT · Published 03/06/2026 13:18 · Modified 04/06/2026 08:40
- 2 CVEs · 19 MITREs · 6 Malwares · 4 Observables · 1 APT · Published 01/06/2026 19:31 · Modified 02/06/2026 09:30
- AlienVault · Confidence 100 · 24 MITREs · 2 Malwares · 13 IOCs · 13 Observables · Published 07/05/2026 14:22 · Modified 08/05/2026 09:20 · threat-report
- 6 MITREs · 4 Malwares · Published 31/03/2025 19:05 · Modified 01/04/2025 10:27
- 17 MITREs · 1 Malware · 1 APT · Published 20/03/2025 19:04 · Modified 21/03/2025 14:46
- Blast from the Past related · 16 MITREs · 2 Malwares · 1 Observable · Published 05/02/2025 02:45 · Modified 05/02/2025 11:17
- 15 MITREs · 1 Malware · Published 31/01/2025 09:53 · Modified 31/01/2025 11:06
Vulnerabilities (CVE) (5)
Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …
- Published
- 03/11/2021
- Modified
- 29/05/2026
RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
- Published
- 09/12/2025
- Modified
- 21/12/2025
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …
- Published
- 03/11/2021
- Modified
- 29/05/2026
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution
- Published
- 15/02/2022
- Modified
- 02/06/2026
Attack patterns (MITRE) (1)
- T1564 subtechnique-of · Hide Artifacts
Course Of Action (1)
- Restrict File and Directory Permissions mitigates
Tool (2)
- esentutl uses · The MITRE Corporation · Confidence 100
  [esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine. (Citation: Microsoft Esentutl)
  Published 03/09/2019 20:25 · Modified 27/03/2026 01:07
- Expand uses · The MITRE Corporation · Confidence 100
  [Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files. (Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file …
  Published 19/02/2019 20:17 · Modified 27/03/2026 01:07