T1564

Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. Sub-techniques cover hidden files and directories, hidden users, hidden windows, NTFS alternate data streams, hidden file systems, virtual instance abuse, VBA stomping, email hiding rules, resource forking, process argument spoofing, and scheduled task SD registry deletion.

Microsoft Sentinel / Defender

kusto

// T1564 — Hide Artifacts: multi-signal detection across sub-techniques
// Signal 1: attrib command used to hide files or directories (T1564.001)
let HiddenFileAttrib = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
| where ProcessCommandLine has_any ("+h ", "+s ", "+h+s", "+s+h")
| extend Signal = "HiddenFileAttribute"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 2: NTFS Alternate Data Streams written via cmd/powershell (T1564.004)
let ADSCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @">\s*[^\s:]+:[^\\/:*?""<>|\s]+"
       or ProcessCommandLine has "Set-Content" and ProcessCommandLine matches regex @"-Path\s+[^:]+:[^\s]+"
       or ProcessCommandLine has "Out-File" and ProcessCommandLine matches regex @"-FilePath\s+[^:]+:[^\s]+"
| extend Signal = "NTFSAlternateDataStream"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 3: Scheduled task Security Descriptor (SD) registry value deletion (Tarrask — T1564)
let HiddenScheduledTask = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueDeleted"
| where RegistryKey has @"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
| where RegistryValueName =~ "SD"
| extend Signal = "HiddenScheduledTaskSD"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
          RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 4: Hidden window flag used in scripting (T1564.003)
let HiddenWindow = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-WindowStyle h",
                                    "/windowstyle hidden", "SW_HIDE", "ShowWindow", "0x0 start")
| where FileName !in~ ("explorer.exe", "msiexec.exe", "svchost.exe")
| extend Signal = "HiddenWindowExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 5: Windows API calls to hide window via wscript/cscript/mshta
let HiddenScriptWindow = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("//b ", "//B ", "CreateObject", "WScript.CreateObject")
| extend Signal = "HiddenScriptBatchMode"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 6: icacls or cacls used to deny Everyone/Users access to hide files (T1564.001)
let AccessDenialToHide = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("icacls.exe", "cacls.exe", "takeown.exe")
| where ProcessCommandLine has_any ("/deny Everyone", "/deny *S-1-1-0", "/deny Users", "/deny *S-1-5-32-545")
| extend Signal = "FileAccessDeniedToHide"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Union all signals
union HiddenFileAttrib, ADSCreation, HiddenScheduledTask, HiddenWindow, HiddenScriptWindow, AccessDenialToHide
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Deletion Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

System administrators using attrib.exe to mark backup or configuration files as hidden/system to prevent accidental deletion
Software installers and package managers that legitimately set hidden attributes on their program files during installation
Legitimate security or monitoring tools that use hidden windows (wscript //b, mshta) for background polling and scheduled checks
Enterprise backup solutions (Veeam, Commvault) that manipulate NTFS attributes and ACLs as part of their backup and restore operations
Development tools (Visual Studio, Node.js) that create NTFS Alternate Data Streams as part of zone identifier or metadata tracking

Splunk

spl

| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\attrib.exe")
    | eval CommandLine=lower(CommandLine)
    | where match(CommandLine, "\+h|\+s")
    | eval Signal="HiddenFileAttribute"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal ],
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    | eval CommandLine=lower(CommandLine)
    | where match(CommandLine, ">[^:]+:[^\\\\/:*?\"<>|\s]+") OR
            (match(CommandLine, "set-content|out-file") AND match(CommandLine, ":[^\\\\]+"))
    | eval Signal="NTFSAlternateDataStream"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal ],
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    TargetObject="*\\Schedule\\TaskCache\\Tree\\*"
    | where match(TargetObject, "\\SD$") AND EventType="DeleteValue"
    | eval Signal="HiddenScheduledTaskSD"
    | eval CommandLine=ProcessCommandLine
    | table _time, host, User=UtcTime, Image, CommandLine, TargetObject, Signal ],
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    NOT (Image="*\\explorer.exe" OR Image="*\\msiexec.exe" OR Image="*\\svchost.exe")
    | eval CommandLine=lower(CommandLine)
    | where match(CommandLine, "-windowstyle\s+h|-w\s+hidden|sw_hide|//b\s|//b$")
    | eval Signal="HiddenWindowExecution"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal ],
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\icacls.exe" OR Image="*\\cacls.exe")
    | eval CommandLine=lower(CommandLine)
    | where match(CommandLine, "/deny\s+(everyone|\*s-1-1-0|users|\*s-1-5-32-545)")
    | eval Signal="FileAccessDeniedToHide"
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal ],
  [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4698 OR EventCode=4702
    | eval TaskContent=lower(TaskContent)
    | where match(TaskContent, "hidden|runonlyidle|0x04")
    | eval Signal="SuspiciousScheduledTaskHidden"
    | eval CommandLine=TaskName
    | table _time, host, SubjectUserName, TaskName, Signal ]
| eval SuspicionScore=1
| stats sum(SuspicionScore) as TotalSignals, values(Signal) as Signals, values(CommandLine) as Commands,
        earliest(_time) as FirstSeen, latest(_time) as LastSeen by host, User
| where TotalSignals >= 1
| sort - TotalSignals

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Deletion Scheduled Job: Scheduled Job Creation Sysmon Event ID 1 Sysmon Event ID 13 Security Event ID 4698

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

System administrators running attrib.exe to set hidden attributes on configuration or system-managed files
Legitimate backup and archival software manipulating file attributes and ACLs as part of normal operation
Enterprise deployment tools (SCCM, Intune) that use wscript //b or hidden PowerShell windows for silent software installation
Security software and AV solutions that set hidden/system attributes on quarantine directories
DevOps pipelines and CI/CD agents that create build artifacts with ADS zone identifiers or create scheduled tasks with non-default descriptors

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS UserName,
  QIDNAME(qid) AS EventName,
  "ProcessPath" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentImage,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*attrib.*\+h.*|.*attrib.*\+s.*' THEN 'HiddenFileAttribute'
    WHEN LOWER("CommandLine") MATCHES '.*>[^:]+:[^\\/:*?"<>|\s]+.*' THEN 'NTFSAlternateDataStream'
    WHEN LOWER("CommandLine") MATCHES '.*-windowstyle\s+h.*|-w\s+hidden.*|.*sw_hide.*|.*/\/b\s.*' THEN 'HiddenWindowExecution'
    WHEN LOWER("CommandLine") MATCHES '.*/deny\s+(everyone|\*s-1-1-0|users|\*s-1-5-32-545).*' THEN 'FileAccessDeniedToHide'
    WHEN LOWER("TargetObject") MATCHES '.*\\schedule\\taskcache\\tree\\.*' THEN 'HiddenScheduledTaskSD'
    ELSE 'HideArtifactGeneric'
  END AS Signal
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (13, 14, 15, 65)  -- Windows Security, Sysmon
  AND categoryname(category) IN ('Application Activity', 'Access Control', 'Audit')
  AND (
    ("ProcessPath" IMATCHES '%\\attrib.exe' AND LOWER("CommandLine") MATCHES '.*\+h.*|.*\+s.*')
    OR
    ("ProcessPath" IMATCHES '%\\(cmd.exe|powershell.exe|pwsh.exe)'
      AND (LOWER("CommandLine") MATCHES '.*>[^:]+:[^\\/:*?"<>|]+.*'
           OR (LOWER("CommandLine") MATCHES '.*(set-content|out-file).*' AND LOWER("CommandLine") MATCHES '.*:[^\\]+.*')))
    OR
    (LOWER("CommandLine") MATCHES '.*(-windowstyle\s+hidden|-w\s+hidden|sw_hide|\/\/b\s|\/\/b$).*'
      AND "ProcessPath" NOT IMATCHES '%(explorer.exe|msiexec.exe|svchost.exe)')
    OR
    ("ProcessPath" IMATCHES '%(icacls.exe|cacls.exe)'
      AND LOWER("CommandLine") MATCHES '.*/deny\s+(everyone|\*s-1-1-0|users|\*s-1-5-32-545).*')
    OR
    (LOWER("TargetObject") MATCHES '.*\\schedule\\taskcache\\tree\\.*sd$'
      AND "EventType" = 'DeleteValue')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (WinEventLog) Sysmon via Windows Event Log DSM

Required Tables

events (QRadar event pipeline)

False Positives

Enterprise patch management tools such as SCCM or Intune running PowerShell scripts with -WindowStyle Hidden to suppress UI during silent installations
Legitimate file encryption or rights management software that uses icacls.exe to set restrictive permissions on protected documents or key material
Development environments or build pipelines that create NTFS Alternate Data Streams to store build metadata, zone identifiers, or file integrity hashes

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where EventCode in ("1", "13") OR EventID in ("1", "13", "4698", "4702")
| parse field=CommandLine "*" as cmd nodrop
| parse field=Image "*\\*" as _dir, ProcessName nodrop
| parse field=TargetObject "*\\Schedule\\TaskCache\\Tree\\*" as _pre, TaskPath nodrop
| eval cmd_lower = toLowerCase(cmd)
// Signal classification
| eval Signal =
    if (ProcessName = "attrib.exe" AND (cmd_lower matches "(?i).*\+h.*" OR cmd_lower matches "(?i).*\+s.*"),
        "HiddenFileAttribute",
    if (ProcessName in ("cmd.exe", "powershell.exe", "pwsh.exe") AND
        (cmd_lower matches ".*>[^:]+:[^\\/:*?\"<>|\\s]+.*"
         OR (cmd_lower matches ".*set-content.*" AND cmd_lower matches ".*:[^\\\\]+.*")
         OR (cmd_lower matches ".*out-file.*" AND cmd_lower matches ".*:[^\\\\]+.*")),
        "NTFSAlternateDataStream",
    if (cmd_lower matches "(?i).*-windowstyle\s+h.*|.*-w\s+hidden.*|.*sw_hide.*|\/\/b\s|\/\/b$"
        AND NOT ProcessName in ("explorer.exe", "msiexec.exe", "svchost.exe"),
        "HiddenWindowExecution",
    if (ProcessName in ("icacls.exe", "cacls.exe") AND
        cmd_lower matches "(?i).*/deny\s+(everyone|\*s-1-1-0|users|\*s-1-5-32-545).*",
        "FileAccessDeniedToHide",
    if (EventCode = "13" AND cmd_lower matches ".*\\schedule\\taskcache\\tree\\.*"
        AND EventType = "DeleteValue" AND TargetObject matches ".*\\SD$",
        "HiddenScheduledTaskSD",
    "Unknown")))))
| where Signal != "Unknown"
| count as SignalCount by host, User, Signal, ProcessName, cmd, _time
| timeslice 1h
| stats sum(SignalCount) as TotalSignals, values(Signal) as Signals, values(cmd) as Commands,
         min(_timeslice) as FirstSeen, max(_timeslice) as LastSeen by host, User
| where TotalSignals >= 1
| sort by TotalSignals desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon (via Sumo Logic Collector) Windows Security Event Log

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*WinEventLog*

False Positives

Help desk or IT support technicians running remote scripts with -WindowStyle Hidden flags as part of approved remote administration procedures
Antivirus or DLP software using attrib.exe to mark quarantine directories as hidden and system-protected to prevent user tampering
Software packaging tools (e.g., NSIS, WiX, Advanced Installer) that create NTFS ADS entries as part of installation manifests or publisher signing workflows

Google Chronicle / SecOps

yaral

rule T1564_HideArtifacts_MultiSignal {
  meta:
    name = "T1564 - Hide Artifacts Multi-Signal Detection"
    description = "Detects multiple artifact hiding techniques: attrib +h/+s, NTFS ADS creation, hidden window execution, file access denial, and Tarrask scheduled task SD deletion"
    author = "Argus Detection Engineering"
    mitre_attack = "T1564"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    (
      // Signal 1: attrib.exe setting hidden/system attributes
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i).*\\attrib\.exe$`)
        and re.regex($e.target.process.command_line, `(?i).*\+[hs].*`)
      )
      or
      // Signal 2: NTFS Alternate Data Streams via shell
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i).*\\(cmd|powershell|pwsh)\.exe$`)
        and (
          re.regex($e.target.process.command_line, `>[^:]+:[^\\/:\*\?"<>|\s]+`)
          or (
            re.regex($e.target.process.command_line, `(?i)(Set-Content|Out-File)`)
            and re.regex($e.target.process.command_line, `:[^\\]+`)
          )
        )
      )
      or
      // Signal 3: Hidden window execution flags
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.command_line, `(?i)(-WindowStyle\s+[Hh]|-w\s+hidden|SW_HIDE|\/\/[Bb]\s)`)
        and not re.regex($e.target.process.file.full_path, `(?i).*\\(explorer|msiexec|svchost)\.exe$`)
      )
      or
      // Signal 4: icacls/cacls used to deny access
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i).*\\(icacls|cacls)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)/deny\s+(Everyone|\*S-1-1-0|Users|\*S-1-5-32-545)`)
      )
      or
      // Signal 5: Scheduled task SD registry deletion (Tarrask)
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and re.regex($e.target.registry.registry_key, `(?i).*\\Schedule\\TaskCache\\Tree\\.*`)
        and $e.target.registry.registry_value_name = "SD"
        and $e.metadata.event_subtype = "REGISTRY_DELETION"
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint Detection (via Chronicle Forwarder) Microsoft Defender for Endpoint (via Chronicle integration) Sysmon via Chronicle Windows Event ingestion

Required Tables

UDM Events (process_launch, registry_modification) Chronicle Unified Data Model

False Positives

Enterprise configuration management using Group Policy or Intune that runs scripts with hidden window flags during system configuration and compliance enforcement
Legitimate system hardening scripts that use icacls.exe to restrict access on sensitive directories such as credential stores or certificate private key folders
Third-party software products that legitimately delete or recreate scheduled task SD values during updates or reconfiguration procedures

CrowdStrike LogScale (CQL)

cql

// T1564 — Hide Artifacts: Multi-signal detection across sub-techniques
// Signal 1: attrib.exe setting hidden or system file attributes
#event_simpleName=ProcessRollup2
| FileName = "attrib.exe"
| regex field=CommandLine "(?i)(\+h|\+s)"
| eval Signal="HiddenFileAttribute"
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal])

// Signal 2: NTFS Alternate Data Streams via cmd/powershell
| union [
  #event_simpleName=ProcessRollup2
  | FileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
  | regex field=CommandLine ">[^:]+:[^\\/:\*\?\"<>|\s]+"
    OR (CommandLine = /(?i)(set-content|out-file)/ AND CommandLine = /:([^\\]+)/)
  | eval Signal="NTFSAlternateDataStream"
  | table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal])
]

// Signal 3: Hidden window execution via PowerShell/scripting engines
| union [
  #event_simpleName=ProcessRollup2
  | FileName != "explorer.exe"
  | FileName != "msiexec.exe"
  | FileName != "svchost.exe"
  | regex field=CommandLine "(?i)(-WindowStyle\s+[Hh]|-w\s+hidden|SW_HIDE|//[Bb]\s)"
  | eval Signal="HiddenWindowExecution"
  | table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal])
]

// Signal 4: icacls or cacls used to deny Everyone/Users file access
| union [
  #event_simpleName=ProcessRollup2
  | FileName in ("icacls.exe", "cacls.exe")
  | regex field=CommandLine "(?i)/deny\s+(Everyone|\*S-1-1-0|Users|\*S-1-5-32-545)"
  | eval Signal="FileAccessDeniedToHide"
  | table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, Signal])
]

// Signal 5: Scheduled task SD registry value deletion (Tarrask)
| union [
  #event_simpleName=RegValueDeleteValue
  | regex field=TargetObject "(?i).*\\Schedule\\TaskCache\\Tree\\.*"
  | TargetValueName = "SD"
  | eval Signal="HiddenScheduledTaskSD"
  | eval CommandLine=InitiatingProcessCommandLine
  | table([_time, ComputerName, UserName, InitiatingProcessFileName, CommandLine, TargetObject, Signal])
]

// Aggregate all signals
| groupBy([ComputerName, UserName], function=[
    count(as=TotalSignals),
    collect(Signal, as=AllSignals),
    collect(CommandLine, as=Commands),
    min(_time, as=FirstSeen),
    max(_time, as=LastSeen)
  ])
| TotalSignals >= 1
| sort(TotalSignals, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) Falcon Insight XDR telemetry

Required Tables

ProcessRollup2 (Falcon process telemetry) RegValueDeleteValue (Falcon registry telemetry)

False Positives

Automated software deployment pipelines that invoke PowerShell with -WindowStyle Hidden to run installation or update scripts in the background without end-user interruption
Security operations tooling that uses attrib.exe to protect honeypot or canary files by marking them as hidden and system-protected
Endpoint privilege management solutions that use icacls.exe to enforce least-privilege access controls on sensitive directories as part of CIS hardening benchmarks

Last updated: 2026-04-21 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Hide Artifacts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (14)

Same Tactic: Defense Evasion

Popular Detections