T1564: T1564

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 26/02/2020 18:41 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1564
Confidence: 100/100
Revoked: No
Published: 26/02/2020 18:41
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Hide Artifacts

Platforms

windows macos linux ESXi Office Suite

Description

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Sofacy Komplex Trojan
MalwareBytes ADS July 2015
Sophos Ragnar May 2020
Cybereason OSX Pirrit
mitre-attack (T1564)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

Sniper Dz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cranefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT 42 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1032 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke related IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DiceyF related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diplomatic Orbiter related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, Lyceum, SideWinder related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, SideWinder, Lyceum related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework related Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA related BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 39

Honkbox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RustBucket uses

Family
VileLoader uses
ODAgent uses

Family The MITRE Corporation Confidence 100

[ODAgent](https://attack.mitre.org/software/S1170) is a C#/.NET downloader that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and execute payloads and to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Athos.exe uses
RedSun.exe uses

Family
XMRig uses

Family
WarzoneRAT uses
QuasarRAT uses

Family
Spyder Loader uses
OMServerService.vbs uses

Family
Pyloose uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

37–48 of 81

From a Teams Call to a Ransomware Threat: … related

11 MITREs 1 Malware 11 Observables
RondoDox Unveiled: Breaking Down a New Botnet Threat related

11 MITREs 35 Observables
Shedding light on the ABYSSWORKER driver related

12 MITREs 3 Malwares 2 Observables
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service … related

7 CVEs 13 MITREs 28 Observables
2024 macOS Malware Review | Infostealers, Backdoors, and … related

9 MITREs 6 Malwares 23 Observables
Compromised ultralytics PyPI package delivers crypto coinminer related

14 MITREs 1 Malware
DarkComet RAT: Technical Analysis of Attack Chain related

10 MITREs 5 Malwares 1 Observable
A Website Attacked related

4 MITREs 1 Malware 72 Observables 1 APT
The New Malware Distribution Service related

13 MITREs 8 Malwares 7 Observables
The Mongolian Skimmer: different clothes, equally dangerous related

9 MITREs 13 Observables
Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper … related

10 MITREs 1 Malware 7 Observables 1 APT
A SOC Team’s Guide to Detecting macOS Atomic … related

20 MITREs 5 Malwares 3 Observables 1 APT

← Previous

Page / 4

13–24 of 41

Vulnerabilities (CVE) (53)

CVE-2023-26078

targets

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2023-26077

targets

CVE-2023-22018

targets

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2022-28799

targets

CVE-2023-3732

targets

CVE-2021-3122

targets

CVE-2023-38408

targets

CVE-2022-41091 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 08/11/2022
Modified: 20/12/2025

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

← Previous

Page / 5

1–12 of 53

Email Hiding Rules subtechnique-of

MITRE
Resource Forking subtechnique-of

MITRE

Course Of Action (3)

Application Developer Guidance mitigates
Antivirus/Antimalware mitigates
Audit mitigates

Contact About Legal notice Privacy policy Terms of use

T1564: T1564

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (81)

Reports (41)

Vulnerabilities (CVE) (53)

Attack patterns (MITRE) (2)

Course Of Action (3)