Hide Artifacts `T1564`

Tactic: Stealth

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.

Events covered

25 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 4	Sysmon service state changed
Sysmon	Event ID 5	Process terminated
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Sysmon	Event ID 15	FileCreateStreamHash
Sysmon	Event ID 16	ServiceConfigurationChange
Sysmon	Event ID 255	Error report: UtcTime: UtcTime ID: ID Description: Description.
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4657	A registry value was modified.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4689	A process has exited.
Security-Auditing	Event ID 4720	A user account was created.
Security-Auditing	Event ID 4776	The domain controller attempted to validate the credentials for an account.
Security-Auditing	Event ID 5136	A directory service object was modified.
Defender-DeviceProcessEvents	any	Process activity (any)
ESF	exec	Process Execution (Notify)
ESF	create	File or Directory Create (NOTIFY)
Linux-Auditd	Event ID 1309	EXECVE
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
Sysmon-for-Linux	Event ID 1	Process Create

Authoring guide

Patterns shared across the 138 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (84 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	55	`contains` 40, `regex_match` 13, `match` 5, `ends_with` 1, `eq` 1, `in` 1, `is_not_null` 1, `wildcard` 1	`--headless`, `(?i)\.cab\|(-\|\/)F:\|\x5cAppData\x5c\|(Local\|Roaming)\x5cTemp\x5c`, `attrib.+?\.dll`, `(?i)(\s+ADD\s+.\/d.0)`, `(?i)(esentutl\|\.exe)\"?\s.\/y\s.\/d\s`
`Image`	35	`ends_with` 28, `contains` 5, `starts_with` 4, `eq` 2, `is_not_null` 1, `match` 1, `wildcard` 1	`/dev/shm/`, `\attrib.exe`, `./`, `/boot/`, `/media/`
`process_name`	30	`eq` 13, `in` 7, `starts_with` 6, `match` 2, `wildcard` 2	`.`, `sc.exe`, `(?i)expand\.exe`, `bash`, `cp`
`event.type`	28	`eq` 24, `in` 3, `ne` 1	`start`, `creation`, `change`, `process_started`, `deletion`
`host.os.type`	22	`eq` 21, `in` 1
`EventType`	21	`in` 11, `eq` 10	`exec`, `exec_event`, `ProcessRollup2`, `New-InboxRule`, `Set-InboxRule`
`EventID`	17	`eq` 17	`4688`, `1`, `4103`, `4104`, `15`
`OriginalFileName`	17	`eq` 17	`attrib.exe`, `sc.exe`, `findstr.exe`, `advancedrun.exe`, `cmd.exe`
`TargetFilename`	15	`contains` 5, `ends_with` 3, `starts_with` 3, `regex_match` 2, `wildcard` 2, `eq` 1, `match` 1	`(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$`, `.bat:zone`, `.cmd:zone`, `.dll:zone`, `.bat.exe`
`process.args`	13	`eq` 7, `wildcard` 5, `contains` 2, `starts_with` 2, `ends_with` 1, `match` 1	`-c`, `//.`, `/bin/`, `&`, `--as `
`ParentImage`	11	`ends_with` 6, `eq` 3, `is_not_null` 3, `contains` 2, `starts_with` 2	`\thor\thor64.exe`, `\webex\webexhost.exe`, `/boot/`, `/dev/shm/`, `/opt/.`
`Details`	8	`eq` 7, `is_not_null` 1, `length_compare` 1	`DWORD (0x00000000)`, `0`, `0x00000000`, `0x00000001`, `1`
`event.category`	8	`eq` 7, `in` 1	`process`, `file`, `authentication`
`ScriptBlockText`	7	`contains` 7	`$psscriptroot\module\workspacescriptmodule\workspacescriptmodule`, `-argumentlist` , `-filepath "$env:comspec"` , `-stream`, `:\program files\amazon\workspacesconfig\scripts\`
`TargetObject`	7	`contains` 4, `ends_with` 4, `wildcard` 1	`\(default)`, `\control\safeboot\minimal\`, `\control\safeboot\minimal\hexnode agent\(default)`, `\enablescripts`, `\microsoft\powershellcore\`

Top indicator values (1061 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticAdding Hidden File Attribute via Attrib elasticAlternate Data Stream Creation/Execution at Volume Root Directory elasticCreation of Hidden Files and Directories via CommandLine elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticHidden Directory Creation via Unusual Parent elasticHigh Number of Egress Network Connections from Unusual Executable elasticKill Command Execution elasticPotential Hidden Process via Mount Hidepid elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent elasticService DACL Modification via sc.exe elasticSuspicious Path Invocation from Command Line elasticSuspicious Path Mounted elasticSuspicious Process Execution Detected via Defend for Containers elasticSystem Binary Symlink to Suspicious Location elasticUnusual Interactive Shell Launched from System User elasticUnusual Process Execution Path - Alternate Data Stream elasticWindows Sandbox with Sensitive Configuration	19	606
`event.type`	`eq`	`creation` elasticAlternate Data Stream Creation/Execution at Volume Root Directory elasticCreation of Hidden Shared Object File elasticFile Staged in Root Folder of Recycle Bin elasticHidden Files and Directories via Hidden Flag elasticUnusual File Creation - Alternate Data Stream	5	45
`EventType`	`eq`	`exec` elasticCreation of Hidden Files and Directories via CommandLine elasticKill Command Execution elasticSuspicious Path Invocation from Command Line elasticSuspicious Path Mounted elasticSuspicious Process Execution Detected via Defend for Containers elasticSystem Binary Symlink to Suspicious Location elasticUnusual Interactive Shell Launched from System User	7	171
`CommandLine`	`contains`	`--headless` sigmaBrowser Execution In Headless Mode sigmaFile Download with Headless Browser sigmaPotential Data Stealing Via Chromium Headless Debugging sigmaPowershell Executed From Headless ConHost Process splunkHeadless Browser Mockbin or Mocky Request splunkHeadless Browser Usage	6	8
`CommandLine`	`contains`	`.cab` sigmaExecute From Alternate Data Streams sigmaSuspicious Diantz Alternate Data Stream Execution sigmaSuspicious Extrac32 Alternate Data Stream Execution	3	5
`EventID`	`eq`	`4688` splunkEsentutl Execution (Windows Event Log) splunkExpand.exe Execution (Windows Event Log) splunkHidden User Created - Windows (Windows Event Log) splunkParent in Public Folder Suspicious Process (Windows Event Log) splunkPowerShell Hidden Window (Windows Event Log) kustoMalware in the recycle bin	6	313
`EventID`	`eq`	`1` splunkEsentutl Execution (Sysmon) splunkExpand.exe Execution (Sysmon) splunkHidden User Created - Windows (Sysmon) splunkParent in Public Folder Suspicious Process (Sysmon) splunkWindows Suspicious QEMU Execution	5	237
`EventID`	`eq`	`4103` splunkEsentutl Execution (PowerShell) splunkExpand.exe Execution (PowerShell) splunkPowerShell Hidden Window (PowerShell)	3	105
`EventID`	`eq`	`4104` splunkEsentutl Execution (PowerShell) splunkExpand.exe Execution (PowerShell) splunkPowerShell Hidden Window (PowerShell)	3	268
`EventType`	`in`	`exec` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticHidden Directory Creation via Unusual Parent elasticPotential Hidden Process via Mount Hidepid elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent	6	171
`EventType`	`in`	`exec_event` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticHidden Directory Creation via Unusual Parent elasticPotential Hidden Process via Mount Hidepid elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent	6	139
`EventType`	`in`	`start` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticHidden Directory Creation via Unusual Parent elasticPotential Hidden Process via Mount Hidepid elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent	6	134
`EventType`	`in`	`ProcessRollup2` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticProcess Backgrounded by Unusual Parent	3	117
`event.category`	`eq`	`process` elasticKill Command Execution elasticProcess Backgrounded by Unusual Parent elasticSuspicious Path Invocation from Command Line elasticSystem Binary Symlink to Suspicious Location elasticUnusual Interactive Shell Launched from System User	5	128
`process_name`	`starts_with`	`.` elasticFile Creation in /var/log via Suspicious Process elasticHigh Number of Egress Network Connections from Unusual Executable elasticPotential Kubectl Masquerading via Unexpected Process elasticSuspicious Hidden Child Process of Launchd elasticSuspicious Process Execution Detected via Defend for Containers	5	18
`Details`	`eq`	`DWORD (0x00000000)` sigmaCrashControl CrashDump Disabled sigmaDisplaying Hidden Files Feature Disabled sigmaHiding User Account Via SpecialAccounts Registry Key sigmaPowerShell Logging Disabled Via Registry Key Tampering	4	38
`OriginalFileName`	`eq`	`attrib.exe` sigmaHiding Files with Attrib.exe sigmaSet Files as System Files Using Attrib.EXE sigmaSet Suspicious Files as System Files Using Attrib.EXE elasticAdding Hidden File Attribute via Attrib	4	5
`OriginalFileName`	`eq`	`sc.exe` elasticService DACL Modification via sc.exe splunkWindows New Deny Permission Set On Service SD Via Sc.EXE splunkWindows New Service Security Descriptor Set Via Sc.EXE	3	26
`ParentImage`	`ends_with`	`\thor\thor64.exe` sigmaUse NTFS Short Name in Command Line sigmaUse NTFS Short Name in Image sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	4
`ParentImage`	`ends_with`	`\webex\webexhost.exe` sigmaUse NTFS Short Name in Command Line sigmaUse NTFS Short Name in Image sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	4
`CommandLine`	`match`	`(?i)\.cab\|(-\|\/)F:\|\x5cAppData\x5c\|(Local\|Roaming)\x5cTemp\x5c` splunkExpand.exe Execution (PowerShell) splunkExpand.exe Execution (Sysmon) splunkExpand.exe Execution (Windows Event Log)	3	3
`CommandLine`	`regex_match`	`attrib.+?\.dll` splunkAttrib.exe Metasploit File Dropper (EDR) splunkAttrib.exe Metasploit File Dropper (Sysmon) splunkAttrib.exe Metasploit File Dropper (Windows Event Log)	3	3
`Image`	`ends_with`	`\attrib.exe` sigmaHiding Files with Attrib.exe sigmaSet Files as System Files Using Attrib.EXE sigmaSet Suspicious Files as System Files Using Attrib.EXE	3	5
`Image`	`starts_with`	`/dev/shm/` elasticFile Creation in /var/log via Suspicious Process elasticHigh Number of Egress Network Connections from Unusual Executable elasticSuspicious Process Execution Detected via Defend for Containers	3	23
`Image`	`starts_with`	`/tmp/` elasticFile Creation in /var/log via Suspicious Process elasticHigh Number of Egress Network Connections from Unusual Executable elasticSuspicious Process Execution Detected via Defend for Containers	3	25
`Image`	`starts_with`	`/var/tmp/` elasticFile Creation in /var/log via Suspicious Process elasticHigh Number of Egress Network Connections from Unusual Executable elasticSuspicious Process Execution Detected via Defend for Containers	3	24
`Workload`	`eq`	`Exchange` splunkO365 BEC Email Hiding Rule Created splunkO365 Email New Inbox Rule Created splunkO365 Email Transport Rule Changed	3	20
`event.outcome`	`eq`	`success` elasticM365 Exchange Inbox Phishing Evasion Rule Created elasticM365 Exchange Inbox Rule with Obfuscated Name elasticUnusual Login via System User	3	251
`process_name`	`eq`	`sc.exe` elasticService DACL Modification via sc.exe splunkWindows New Deny Permission Set On Service SD Via Sc.EXE splunkWindows New Service Security Descriptor Set Via Sc.EXE	3	29
`sourcetype`	`eq`	`o365:management:activity` splunkO365 BEC Email Hiding Rule Created splunkO365 Email New Inbox Rule Created splunkO365 Email Transport Rule Changed	3	80

Exclusions (309 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`ParentImage`	`ends_with`	`\thor\thor64.exe` sigmaUse NTFS Short Name in Command Line sigmaUse NTFS Short Name in Image sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	4
`ParentImage`	`ends_with`	`\webex\webexhost.exe` sigmaUse NTFS Short Name in Command Line sigmaUse NTFS Short Name in Image sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	4
`CommandLine`	`match`	`(?i):\x5cProgramData\x5cDell\x5cUpdateService\x5cTemp\x5c` splunkExpand.exe Execution (PowerShell) splunkExpand.exe Execution (Sysmon) splunkExpand.exe Execution (Windows Event Log)	3
`Image`	`starts_with`	`/tmp/newroot/` elasticHigh Number of Egress Network Connections from Unusual Executable elasticPotential Kubectl Masquerading via Unexpected Process elasticSystem Binary Moved or Copied	3
`ParentCommandLine`	`eq`	`runc init` elasticKill Command Execution elasticSuspicious Path Invocation from Command Line elasticUnusual Interactive Shell Launched from System User	3
`Image`	`contains`	`\appdata\` sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	2
`Image`	`contains`	`\temp\` sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	2
`ParentImage`	`eq`	`c:\windows\system32\cleanmgr.exe` sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	2
`ParentImage`	`eq`	`c:\windows\system32\dism.exe` sigmaUse Short Name Path in Command Line sigmaUse Short Name Path in Image	2
`ParentImage`	`in`	`/bin/make` elasticDirectory Creation in /bin directory elasticSystem Binary Symlink to Suspicious Location	2
`ParentImage`	`in`	`/lib/systemd/systemd` elasticKill Command Execution elasticSuspicious Path Mounted	2
`ParentImage`	`in`	`/usr/bin/make` elasticDirectory Creation in /bin directory elasticSystem Binary Symlink to Suspicious Location	2
`ParentImage`	`in`	`/usr/lib/systemd/systemd` elasticKill Command Execution elasticSuspicious Path Mounted	2
`ParentImage`	`starts_with`	`/var/lib/docker/overlay2/` elasticSuspicious Path Invocation from Command Line elasticUnusual Interactive Shell Launched from System User	2
`parent_process_name`	`in`	`make` elasticProcess Backgrounded by Unusual Parent elasticSuspicious Path Invocation from Command Line	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Hide Artifacts `T1564`

Events covered

Authoring guide

Fields filtered most (84 distinct)

Top indicator values (1061 distinct)

Exclusions (309 distinct)

Rules under this technique

Sigma 65 rules

Elastic 34 rules

Splunk 30 rules

Kusto 6 rules

YARA-L 1 rule

Panther 2 rules

Keyboard shortcuts

Search operators

Hide Artifacts T1564

Events covered

Authoring guide

Fields filtered most (84 distinct)

Top indicator values (1061 distinct)

Exclusions (309 distinct)

Rules under this technique

Sigma 65 rules

Elastic 34 rules

Splunk 30 rules

Kusto 6 rules

YARA-L 1 rule

Panther 2 rules

Hide Artifacts `T1564`