T1564: T1564

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 26/02/2020 18:41 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1564
Confidence: 100/100
Revoked: No
Published: 26/02/2020 18:41
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Hide Artifacts

Platforms

windows macos linux ESXi Office Suite

Description

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Sofacy Komplex Trojan
MalwareBytes ADS July 2015
Sophos Ragnar May 2020
Cybereason OSX Pirrit
mitre-attack (T1564)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Manticore uses COBALT MYSTIQUEHandala Hack

AlienVault Confidence 100

[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DeathGrip uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sea Turtle uses Teal KurmaCosmic Wolf

The MITRE Corporation Confidence 100

[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky and Andariel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC4466 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bilalkhanicom uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Locky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Deathstalker uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sidewinder uses T-APT-04Rattlesnake

The MITRE Corporation Confidence 100

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 39

UltraVNC uses

Family
RenEngine uses

Family
Mythic Poseidon uses
zgRAT uses

Family
POOLRAT uses

Family
KANDYKORN uses

Family
Cobalt Strike uses

Family
BCObserver uses

Family
AgentTesla uses

Family
Octo uses

Family
DurianBeacon uses

Family
Gootloader uses

Family

← Previous

Page / 7

1–12 of 81

Gamers beware: malicious wallpapers on Steam found stealing … related

AlienVault Confidence 100 20 MITREs 5 Malwares 8 IOCs 8 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Lorem Ipsum Malware: Trojanized MS Teams Installers related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Foxit Impersonation: Fake PDF Installer Deploys VNC related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables
Zero-Day Local Privilege Escalation Exploit related

AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Jingle Thief: Inside a Cloud-Based Gift Card Fraud … related

4 MITREs 1 APT
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT
Raspberry Robin: Latest Updates and Improvements related

1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration related

10 MITREs 2 Malwares 1 APT
From a Teams Call to a Ransomware Threat: … related

11 MITREs 1 Malware 11 Observables

← Previous

Page / 4

1–12 of 40

Vulnerabilities (CVE) (53)

CVE-2019-0604 KEV targets

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2021-22205 KEV targets

GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-3728

targets

CVE-2024-9381 targets

7.2 High

Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Attack vector: NETWORK
Published: 08/10/2024
Modified: 21/12/2025

Analyzed

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2021-27877 KEV targets

Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2021-27878 KEV targets

Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

CVE-2025-0283 targets

7.0 High

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA …

Attack vector: LOCAL
Published: 09/01/2025
Modified: 21/12/2025

Analyzed

CVE-2022-41049 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 14/11/2022
Modified: 27/05/2026

← Previous

Page / 5

37–48 of 53

Email Hiding Rules subtechnique-of

MITRE
Resource Forking subtechnique-of

MITRE

Course Of Action (3)

Application Developer Guidance mitigates
Antivirus/Antimalware mitigates
Audit mitigates

Contact About Legal notice Privacy policy Terms of use

T1564: T1564

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (81)

Reports (40)

Vulnerabilities (CVE) (53)

Attack patterns (MITRE) (2)

Course Of Action (3)