What is hide artifacts (T1564)?
Hide artifacts (T1564) is a MITRE ATT&CK® defense evasion technique where adversaries prevent malicious files, processes, and configurations from appearing through the standard system tools that users and analysts use to inspect system state. Unlike indicator removal (T1070) which destroys existing evidence, hide artifacts is a proactive approach, making malicious content invisible from the moment it is placed on a system.
Artifact hiding exploits the distinction between what exists on a system and what standard tools report. A file with the Hidden and System attributes set does not appear in Windows Explorer or basic dir commands. An executable stored in an NTFS alternate data stream does not appear in directory listings and has no visible file size. A process running with a hidden window shows nothing on the taskbar or desktop. Log360 maps 35+ pre-built correlation rules to T1564, targeting the specific actions attackers take to apply these concealment techniques rather than trying to enumerate the hidden content itself.
Where T1564 fits in the ATT&CK chain: T1564 maps to TA0005 — Defense evasion. Artifact hiding is typically applied immediately after initial access, during malware installation, or during persistence establishment, before analysts have any reason to look for the hidden content. It pairs with indicator removal (T1070) for complete anti-forensic coverage: hiding prevents artifacts from being seen in the first place, while indicator removal destroys them after the fact.
How attackers hide artifacts
Attackers apply artifact hiding at multiple layers of the system, each requiring different detection approaches:
- Hidden file and directory attributes: The Windows attrib.exe utility can set the Hidden (+H) and System (+S) attributes on files and directories. These attributes cause items to be excluded from standard Windows Explorer views and basic directory listings. Attackers use `attrib +H +S [malware_path]` to immediately hide malicious files after placing them on disk.
- NTFS alternate data streams: NTFS allows multiple data streams within a single file. The primary stream contains the visible file content; additional streams have their own names and can contain arbitrary data, including executable code. Writing a malicious executable to `document.txt:hidden.exe` creates an executable that does not appear in directory listings, has no visible file size, and can be executed directly. Log360's NTFS Alternate Data Stream rule and Powershell Store File In Alternate Data Stream rule target both creation and execution of ADS-stored content.
- Hidden windows: Malicious processes can be launched with their windows hidden using PowerShell's `-WindowStyle Hidden` parameter or the SW_HIDE flag in Windows API calls. This prevents the process from appearing on the taskbar, desktop, or in the visible process list for users, while the process continues running and executing malicious operations in the background. Log360's Suspicious PowerShell WindowStyle Option rule specifically detects this pattern.
- Hidden users: Attackers can create Windows user accounts whose username ends with a dollar sign ($) or that are configured to be excluded from the logon screen. These accounts are not visible in standard user management tools and can be used as persistent backdoor credentials.
- Virtual machine concealment: Running malicious workloads inside Hyper-V virtual machines or containers isolates them from host-level monitoring tools. Security products that monitor processes, files, and network connections at the host level have no visibility into activity inside a VM. Log360's Suspicious Hyper-V Cmdlets rule detects unusual PowerShell Hyper-V cmdlet execution that may indicate VM-based isolation of malicious workloads.
- Browser headless mode abuse: Attackers abuse headless browser execution (no visible GUI window) to perform credential harvesting, web scraping, and C2 communication while appearing as a background browser process with no user-visible activity. Log360's Browser Execution In Headless Mode rule targets this technique.
Hide artifacts vs. indicator removal: complementary techniques
T1564 (hide artifacts) and T1070 (indicator removal) work at different points in the attacker timeline. Hide artifacts prevents evidence from being visible before it is ever discovered; a file with the System and Hidden attributes set never appears in a casual investigation. Indicator removal destroys evidence that was already created; logs that were generated are now cleared. Together, these two techniques form a comprehensive anti-forensic approach: hide artifacts to prevent detection during dwell time, and indicator removal to clean up before exiting. Log360 covers both through dedicated rule sets for each technique.
Sub-techniques and variants
MITRE ATT&CK documents several sub-techniques under T1564, each exploiting different OS features for concealment:
- T1564.001 — Hidden files and directories: Using the Windows attrib command or direct API calls to set Hidden and System file attributes, making files and directories invisible in standard directory enumeration tools.
- T1564.002 — Hidden users: Creating user accounts that are configured to not appear in the Windows logon screen or standard user management tools, used as persistent backdoor credentials.
- T1564.003 — Hidden window: Launching processes with hidden GUI windows using PowerShell -WindowStyle Hidden, the CreateProcess SW_HIDE flag, or VBScript that invokes executables without visible windows.
- T1564.004 — NTFS file attributes: Using NTFS alternate data streams to store malicious files or configuration data within the stream metadata of legitimate files, hiding the content from standard directory listing and many security tools.
- T1564.006 — Run virtual instance: Using virtualization software (Hyper-V, VirtualBox, VMware) to run malicious activity inside an isolated virtual environment that is invisible to host-level security monitoring.
Detection indicators for T1564
T1564 detection is most effective by catching the hiding action at the moment it occurs, because detecting hidden content after it is in place requires comprehensive enumeration tools that are rarely run proactively. Key detection approaches:
Attrib.exe with hidden/system flags
Execution of attrib.exe with +H (hidden) or +S (system) flags on executables, scripts, or directories outside of known-good software installation paths is a reliable T1564.001 indicator. Legitimate software rarely needs to hide its own files using command-line attrib operations. The Set Suspicious Files as System Files Using Attrib.EXE rule fires on these patterns through process creation monitoring.
NTFS alternate data stream creation
Sysmon file creation events (Event ID 11) include stream names when files are created with alternate data streams. A file creation event showing filename:streamname syntax indicates ADS usage. PowerShell Add-Content or Set-Content commands targeting alternate stream paths (using the colon syntax) are also detectable through Event ID 4688 command-line analysis. Log360 covers both creation and execution of ADS-stored content.
PowerShell hidden window execution
The -WindowStyle Hidden or -w Hidden parameter in PowerShell commands is a reliable indicator that the operator is trying to run a script without any visible user interface. While some legitimate administrative tasks use hidden windows, this parameter in combination with other suspicious indicators (encoded commands, download cradles, unusual parent processes) is a high-confidence T1564.003 indicator.
Unusual Hyper-V cmdlet execution
PowerShell Hyper-V cmdlets (New-VM, Start-VM, Set-VM) executed by accounts that are not expected to manage virtual machines, or at unusual times, may indicate VM-based isolation of malicious workloads. This is an emerging technique that is increasingly observed in sophisticated attack campaigns.
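As an added illustration of the first three indicators above (this is not Log360's own rule logic), the following Python applies the attrib, ADS and hidden-window checks to constructed Event ID 4688 / Sysmon process-creation records and Sysmon Event ID 11 file-creation records; the allow-list prefixes, field names and sample paths are assumptions.

```python
from __future__ import annotations
import re
KNOWN_GOOD_PREFIXES = ("c:\\program files", "c:\\windows")  # assumed allow-list, not from the page
# -WindowStyle Hidden plus the abbreviations the page names (-w Hidden, -w h).
HIDDEN_WIN_RE = re.compile(r"(?<!\S)-w(?:indowstyle)?\s+h(?:idden)?(?!\S)", re.I)

def attrib_hide_target(cmdline: str) -> str | None:
    """T1564.001: attrib +H/+S on a path outside the allow-list -> that path, else None."""
    toks = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]  # keep quoted paths whole
    if not toks or not re.search(r"(^|\\)attrib(\.exe)?$", toks[0], re.I):
        return None
    flags = {t.lower() for t in toks} & {"+h", "+s"}
    paths = [t for t in toks[1:] if not t.startswith(("+", "-", "/"))]
    if not flags or not paths or paths[-1].lower().startswith(KNOWN_GOOD_PREFIXES):
        return None
    return paths[-1]

def ads_path(value: str) -> tuple[str, str] | None:
    """T1564.004: first carrier:stream path in a command line or file name, else None."""
    for tok in re.findall(r"[^\s'\"()]+", value):      # quotes and parens end a token
        if "://" in tok:                                 # URLs also carry a colon
            continue
        drive, body = (tok[:2], tok[2:]) if re.match(r"[a-zA-Z]:", tok) else ("", tok)
        if ":" in body.strip(":"):                      # a second colon names a stream
            carrier, stream = body.rsplit(":", 1)
            if re.search(r"[.\\]", carrier):            # a path, not e.g. HH:mm
                return drive + carrier, stream
    return None

def hidden_window(cmdline: str) -> bool:
    """T1564.003: PowerShell launched with its console window hidden."""
    return bool(re.search(r"powershell|pwsh", cmdline, re.I) and HIDDEN_WIN_RE.search(cmdline))

def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Run the checks over 4688/Sysmon-1 (CommandLine) and Sysmon-11 (TargetFilename) events."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == 11 and (ads := ads_path(ev.get("TargetFilename", ""))):
            hits.append(("T1564.004", f"ADS created {ads[0]} -> {ads[1]}"))
        if path := attrib_hide_target(cmd):
            hits.append(("T1564.001", f"attrib hid {path}"))
        if ads := ads_path(cmd):
            hits.append(("T1564.004", f"ADS write/exec {ads[0]} -> {ads[1]}"))
        if hidden_window(cmd):
            hits.append(("T1564.003", "PowerShell hidden window"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 4688, "CommandLine": r"attrib +H +S C:\Users\Public\svc.exe"},
    {"EventID": 4688, "CommandLine": "powershell.exe -w h -enc SQBFAFgA"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\notes.txt:payload.exe"},
    {"EventID": 4688, "CommandLine": r'powershell -c "Set-Content -Path C:\Users\Public\notes.txt:payload.exe -Value x"'},
]
```

The `-Stream` parameter form of Set-Content/Add-Content carries no colon in the path and is not caught by `ads_path`; it needs a separate parameter check.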
Log360 detection rules for T1564
Log360 ships with 35+ pre-built correlation rules directly mapped to Hide artifacts (T1564). Rules cover NTFS ADS usage, hidden file attribute setting, hidden window execution, virtual instance abuse, and headless browser concealment:
| Rule name | Platform | Severity | What it detects |
|---|---|---|---|
| NTFS Alternate Data Stream | Windows | Trouble | Detects execution of files stored in NTFS alternate data streams using PowerShell, a technique that hides malicious executables and scripts within the metadata streams of legitimate files, making them invisible to standard directory listing tools |
| Powershell Store File In Alternate Data Stream | Windows | Trouble | Identifies PowerShell commands that write data to NTFS alternate data streams using Set-Content or Add-Content with the stream syntax, detecting the storage of hidden payloads or configurations in ADS before they are executed |
| Suspicious PowerShell WindowStyle Option | Windows | Trouble | Detects PowerShell invocations using -WindowStyle Hidden or abbreviated variants (-w h), which suppress the console window to hide the execution from interactive users and desktop monitoring tools |
| Set Suspicious Files as System Files Using Attrib.EXE | Sysmon, Windows | Trouble | Identifies attrib.exe commands that set Hidden (+H) and System (+S) file attributes on executables, scripts, or directories outside of known software installation paths, a technique used to conceal malicious files from standard directory enumeration |
| Suspicious Hyper-V Cmdlets | Windows | Trouble | Detects unusual execution of PowerShell Hyper-V management cmdlets (New-VM, Start-VM) by accounts or processes not normally associated with virtual machine management, an indicator of VM-based isolation of malicious workloads to evade host-level monitoring |
| Suspicious Executable File Creation | Sysmon, Windows | Trouble | Identifies creation of executable files in locations associated with hidden or system artifact storage, including directories normally containing only data files, user profile subdirectories with system-level names, and hidden directory paths |
| Browser Execution In Headless Mode | Sysmon, Windows | Trouble | Detects browser processes (Chrome, Edge, Firefox) launched with headless or no-sandbox flags for non-development purposes, a technique used to perform web-based credential harvesting, C2 communication, or automated data exfiltration without any visible browser window |
| Additional hide artifact detection rules (28+ rules) | Windows, Sysmon | Trouble | Covers additional hidden window execution variants, headless browser data stealing, hidden user account creation indicators, and specific malware families known to use artifact hiding techniques as part of their evasion toolkit |
Coverage note: Log360's T1564 detection rules focus on catching hiding actions at the point they are applied — detecting attrib.exe when it sets hidden attributes, Sysmon file events when ADS streams are created, and PowerShell parameters when hidden windows are requested. This proactive approach catches artifact hiding before the hidden content can be used for further attack activity.
Investigation steps
When Log360 fires a Hide artifacts (T1564) alert, follow this threat investigation sequence to locate the hidden content, assess its purpose, and understand the scope of concealment activity:
- Identify the hidden artifact: Determine what was being hidden: a file, directory, process, or user. For attrib.exe alerts, retrieve the full command-line from Event ID 4688 to identify the exact file path being hidden. For ADS alerts, identify both the carrier file and the stream name containing hidden content.
- Locate and examine the hidden content: Use `dir /a` to list hidden and system files in suspect directories. Use `dir /r` to enumerate NTFS alternate data streams. Extract hidden files and examine them to determine whether they are malicious executables, configuration files, or encoded payloads.
- Determine when the hiding occurred: Cross-reference the alert timestamp with other events on the affected host. Hiding actions are typically performed immediately after delivery of malicious content or during installation of persistence mechanisms. The hiding event timestamp anchors the investigation timeline.
- Check for hidden persistence: Malicious files hidden with attrib commands are often persistence mechanisms: startup scripts, service binaries, or scheduled task executables. Check hidden files against known startup locations and correlate with Event ID 4698 (scheduled task) and 7045 (new service) events around the same timeframe.
- Enumerate all hidden content on the affected system: Run a comprehensive scan for hidden files, alternate data streams, and hidden processes across the affected system. A single detected hiding action may be one of many. Attackers typically use hiding across all of their deployed artifacts, not just the ones that triggered alerts.
- Assess ADS execution history: For NTFS ADS alerts, check Sysmon process creation events for executions from the identified ADS path (processes launched from `filename:streamname` paths). This confirms whether the hidden content was already executed or whether detection occurred at storage time.
Response playbook
- Enumerate before removing: Before deleting any hidden files or artifacts, perform a complete inventory using `dir /a /r` and equivalent enumeration tools. Remove hidden attribute flags from files of interest using `attrib -H -S [path]` before examining them, to ensure the full set of hidden content is documented.
- Extract and hash all hidden executables: Collect all hidden executable files and alternate data stream content. Calculate file hashes and check against threat intelligence. Submit unknown files to malware analysis sandboxes. Hash values serve as indicators for threat intelligence sharing and for scanning other systems in the environment.
- Check for associated persistence: Hidden files frequently back persistence mechanisms. After locating hidden content, check whether associated scheduled tasks, services, or registry run keys reference the hidden paths. Remove all persistence entries as part of the remediation process.
- Scan all systems for the same indicators: Use Log360 to search across the entire environment for the same file hashes, directory paths, ADS names, or attrib.exe command patterns. Hidden artifact campaigns often deploy the same hidden file structure to multiple hosts simultaneously.
- Deploy file integrity monitoring: After the incident, configure file integrity monitoring on high-risk directories (System32, Program Files, user startup paths) to detect future hidden file creation at the filesystem level, supplementing Log360's process-based detection rules.
- Restrict attrib.exe execution: Consider AppLocker or Windows Defender Application Control policies that restrict attrib.exe execution to administrative accounts only. Preventing non-administrative use of attrib removes the most common tool for T1564.001 from the attacker's toolkit.
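An added example for the "locate and examine" investigation step and the "enumerate before removing" playbook step (not part of the page or of Log360): it parses constructed `attrib /s` and `dir /r` output into an inventory of hidden/system files and alternate data streams, and emits the `attrib -H -S` commands that clear the flags before examination. The column layout of both tools' output is assumed from typical Windows output, and all sample paths are constructed.

```python
from __future__ import annotations
import re

# Assumed column layout: attrib prints a flag field, then the full path.
ATTRIB_LINE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\.*?)\s*$")
# Assumed dir /r layout: stream rows are indented, "<size> <file>:<stream>:$DATA".
ADS_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")

def parse_attrib(output: str) -> list[dict]:
    """Rows of `attrib /s` output that carry the Hidden (H) or System (S) attribute."""
    rows = []
    for line in output.splitlines():
        m = ATTRIB_LINE.match(line)
        if not m:
            continue
        flags = set(m.group(1).replace(" ", ""))
        if flags & {"H", "S"}:
            rows.append({"path": m.group(2), "flags": "".join(sorted(flags))})
    return rows

def parse_dir_r(output: str) -> list[dict]:
    """Alternate data streams listed by `dir /r`, resolved against the 'Directory of' header."""
    streams, cwd = [], ""
    for line in output.splitlines():
        if h := DIR_HEADER.match(line):
            cwd = h.group(1).rstrip("\\")
        elif m := ADS_LINE.match(line):
            size, carrier, stream = m.groups()
            streams.append({"carrier": f"{cwd}\\{carrier}", "stream": stream,
                            "size": int(size.replace(",", ""))})
    return streams

def unhide_commands(hidden: list[dict]) -> list[str]:
    """attrib -H -S commands that clear the flags so the files can be examined and hashed."""
    return [f'attrib -H -S "{row["path"]}"' for row in hidden]

ATTRIB_OUTPUT = r"""A   SH       C:\Users\Public\svc.exe
A            C:\Users\Public\notes.txt
A    H       C:\Users\Public\Libraries\run.ps1
"""  # constructed sample, not real tool output
DIR_R_OUTPUT = r""" Directory of C:\Users\Public

03/12/2024  10:12 AM                12 notes.txt
                                 73,216 notes.txt:payload.exe:$DATA
03/12/2024  10:13 AM            73,216 svc.exe
               2 File(s)         73,228 bytes
"""  # constructed sample, not real tool output

if __name__ == "__main__":
    for row in parse_attrib(ATTRIB_OUTPUT) + parse_dir_r(DIR_R_OUTPUT):
        print(row)
    print("\n".join(unhide_commands(parse_attrib(ATTRIB_OUTPUT))))
```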
ManageEngine Log360 for T1564 detection
Log360's 35+ Hide artifacts (T1564) detection rules catch concealment actions at the moment they are applied, before hidden content can be used for further attack activity. Sysmon file event integration surfaces NTFS alternate data stream creation, while process creation monitoring catches attrib.exe and PowerShell hiding operations with full command-line context. This proactive detection approach ensures that hidden artifacts are flagged in the SIEM before they become operational elements of an attacker's toolkit.
Frequently asked questions
What is hide artifacts (T1564) in MITRE ATT&CK?
Hide artifacts (T1564) is a defense evasion technique where adversaries prevent their tools, files, and processes from appearing in standard system enumeration tools. This includes hidden file attributes (attrib.exe +H +S), NTFS alternate data streams, hidden process windows (PowerShell -WindowStyle Hidden), hidden user accounts, and virtual machine isolation. Log360 maps 35+ detection rules to T1564 targeting the hiding actions rather than trying to enumerate hidden content after the fact.
How does Log360 detect NTFS alternate data stream abuse?
Log360 detects NTFS ADS abuse through two complementary rules: NTFS Alternate Data Stream (detecting execution of files stored in ADS via PowerShell) and Powershell Store File In Alternate Data Stream (detecting when PowerShell writes data to an alternate stream). Sysmon Event ID 11 (file created) includes the stream name when an ADS is created, enabling path-based detection of ADS creation events as well. These rules catch both storage and execution of ADS-hidden content.
What is the difference between T1564 hide artifacts and T1070 indicator removal?
Hide artifacts (T1564) is proactive concealment, making files, processes, or users invisible before they are ever discovered. T1070 indicator removal is reactive evidence destruction — deleting or overwriting evidence that already exists. Both are defense evasion techniques under TA0005, but they operate at different points in the attacker timeline. An attacker may use both: hide artifacts during dwell time to stay undetected, then indicator removal before exiting to destroy evidence of their activity. Log360 has dedicated rule sets for both techniques.
Can NTFS alternate data streams be detected without Sysmon?
Yes, Log360 can detect NTFS ADS abuse through Windows Event ID 4688 (process creation) by identifying PowerShell commands using the ADS colon notation in file paths (Set-Content, Add-Content, or execution from [file]:[stream] paths). Sysmon Event ID 11 provides richer file creation data that includes stream names and is the preferred source, but process creation monitoring provides a viable fallback for environments without Sysmon. For comprehensive T1564 coverage, deploying Sysmon is strongly recommended alongside Log360's process-based detection rules.