T1564: T1564

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 26/02/2020 18:41 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1564
Confidence: 100/100
Revoked: No
Published: 26/02/2020 18:41
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Hide Artifacts

Platforms

windows macos linux ESXi Office Suite

Description

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Sofacy Komplex Trojan
MalwareBytes ADS July 2015
Sophos Ragnar May 2020
Cybereason OSX Pirrit
mitre-attack (T1564)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

Sniper Dz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cranefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT 42 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1032 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke related IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DiceyF related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diplomatic Orbiter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, Lyceum, SideWinder related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, SideWinder, Lyceum related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework related Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA related BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 39

WarHawk uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkGate uses

Family
NOOPDOOR uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
8Base uses
Amos Atomic uses

Family
VPC Security uses
Mandrake uses

Family The MITRE Corporation Confidence 100

[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Albaniiutas uses
BlueNoroff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sidewinder uses
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PoisonIvy uses

← Previous

Page / 7

13–24 of 81

Skill Marketplace and the Emerging AI Supply Chain … related

AlienVault Confidence 100 19 MITREs 3 Malwares 11 IOCs 5 Observables
Gamers beware: malicious wallpapers on Steam found stealing … related

AlienVault Confidence 100 20 MITREs 5 Malwares 8 IOCs 8 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Foxit Impersonation: Fake PDF Installer Deploys VNC related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT
Raspberry Robin: Latest Updates and Improvements related

1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration related

10 MITREs 2 Malwares 1 APT

← Previous

Page / 4

1–12 of 41

Vulnerabilities (CVE) (53)

CVE-2023-26078

targets

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2023-26077

targets

CVE-2023-22018

targets

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2022-28799

targets

CVE-2023-3732

targets

CVE-2021-3122

targets

CVE-2023-38408

targets

CVE-2022-41091 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 08/11/2022
Modified: 20/12/2025

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

← Previous

Page / 5

1–12 of 53

Email Hiding Rules subtechnique-of

MITRE
Resource Forking subtechnique-of

MITRE

Course Of Action (3)

Application Developer Guidance mitigates
Antivirus/Antimalware mitigates
Audit mitigates

Contact About Legal notice Privacy policy Terms of use

T1564: T1564

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (81)

Reports (41)

Vulnerabilities (CVE) (53)

Attack patterns (MITRE) (2)

Course Of Action (3)