T1564: T1564

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 26/02/2020 18:41 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1564
Confidence: 100/100
Revoked: No
Published: 26/02/2020 18:41
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Hide Artifacts

Platforms

windows macos linux ESXi Office Suite

Description

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Sofacy Komplex Trojan
MalwareBytes ADS July 2015
Sophos Ragnar May 2020
Cybereason OSX Pirrit
mitre-attack (T1564)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

Sniper Dz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cranefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT 42 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1032 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke related IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DiceyF related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diplomatic Orbiter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, Lyceum, SideWinder related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, SideWinder, Lyceum related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework related Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA related BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 39

WarHawk uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkGate uses

Family
NOOPDOOR uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
8Base uses
Amos Atomic uses

Family
VPC Security uses
Mandrake uses

Family The MITRE Corporation Confidence 100

[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Albaniiutas uses
BlueNoroff uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sidewinder uses
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PoisonIvy uses

← Previous

Page / 7

13–24 of 81

Skill Marketplace and the Emerging AI Supply Chain … related

AlienVault Confidence 100 19 MITREs 3 Malwares 11 IOCs 5 Observables
Gamers beware: malicious wallpapers on Steam found stealing … related

AlienVault Confidence 100 20 MITREs 5 Malwares 8 IOCs 8 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Foxit Impersonation: Fake PDF Installer Deploys VNC related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT
Raspberry Robin: Latest Updates and Improvements related

1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration related

10 MITREs 2 Malwares 1 APT

← Previous

Page / 4

1–12 of 41

Vulnerabilities (CVE) (53)

CVE-2024-9380 KEV targets

7.2 High

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with …

Attack vector: Network
Published: 09/10/2024
Modified: 21/12/2025

Analyzed

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2023-35078

targets

CVE-2023-3730

targets

CVE-2017-0213 KEV targets

7.3 High

Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.

Attack vector: LOCAL
Complexity: LOW
Published: 12/05/2017
Modified: 22/04/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2024-9379 KEV targets

6.5 Medium

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can …

Attack vector: Network
Published: 09/10/2024
Modified: 21/12/2025

Analyzed

CVE-2021-27876 KEV targets

Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2025-27921 targets

6.1 Medium

A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web …

Attack vector: NETWORK
Published: 05/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2023-38606 KEV targets

5.5 Medium

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.

Attack vector: Local
Published: 26/07/2023
Modified: 21/12/2025

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

← Previous

Page / 5

25–36 of 53

Email Hiding Rules subtechnique-of

MITRE
Resource Forking subtechnique-of

MITRE

Course Of Action (3)

Application Developer Guidance mitigates
Antivirus/Antimalware mitigates
Audit mitigates

Contact About Legal notice Privacy policy Terms of use

T1564: T1564

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (81)

Reports (41)

Vulnerabilities (CVE) (53)

Attack patterns (MITRE) (2)

Course Of Action (3)