T1564 Microsoft Sentinel · KQL

Detect Hide Artifacts in Microsoft Sentinel

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. Sub-techniques cover hidden files and directories, hidden users, hidden windows, NTFS file attributes (including alternate data streams), hidden file systems, virtual instance abuse, VBA stomping, email hiding rules, resource forking, process argument spoofing, and others. The scheduled task SD registry deletion detected below (the Tarrask procedure) is mapped to the parent technique rather than to a sub-technique of its own.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Canonical reference
https://attack.mitre.org/techniques/T1564/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// T1564: Hide Artifacts, multi-signal detection across sub-techniques
// The KQL `has` operator matches whole indexed terms, so switch-like tokens such as
// "+h", "//b" or "*S-1-1-0" are tested with `matches regex` or `contains` below.
// Signal 1: attrib command used to hide files or directories (T1564.001)
let HiddenFileAttrib = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
// "+h" / "+s" set the hidden/system attribute; "-h" (unhide) must not match
| where ProcessCommandLine matches regex @"(?i)(^|\s)\+[hs]\b"
| extend Signal = "HiddenFileAttribute"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 2: NTFS Alternate Data Streams written via cmd/powershell (T1564.004)
let ADSCreation = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
// Redirection into file:stream. \S+ lets the path be absolute; a drive letter
// ("C:\...") is not a stream because the class after ':' excludes the backslash.
| where ProcessCommandLine matches regex @">\s*\S+:[^\\/:*?""<>|\s]+"
       or (ProcessCommandLine has_any ("Set-Content", "Add-Content")
           and ProcessCommandLine contains "-Stream")
       or (ProcessCommandLine has_any ("Set-Content", "Out-File")
           and ProcessCommandLine matches regex @"(?i)-(Path|FilePath)\s+\S+:[^\\/\s:]+")
| extend Signal = "NTFSAlternateDataStream"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 3: Scheduled task Security Descriptor (SD) registry value deletion (Tarrask, mapped to T1564)
let HiddenScheduledTask = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueDeleted"
| where RegistryKey contains @"\Schedule\TaskCache\Tree\"
| where RegistryValueName =~ "SD"
| extend Signal = "HiddenScheduledTaskSD"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
          RegistryKey, RegistryValueName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 4: Hidden window flag used in scripting (T1564.003)
let HiddenWindow = DeviceProcessEvents
| where Timestamp > ago(24h)
// powershell.exe accepts abbreviated parameters and values: -WindowStyle Hidden, -w hidden, -w h
| where (FileName in~ ("powershell.exe", "pwsh.exe")
         and ProcessCommandLine matches regex @"(?i)-w[a-z]*\s+h[a-z]*\b")
       or (FileName !in~ ("explorer.exe", "msiexec.exe", "svchost.exe")
           and ProcessCommandLine has_any ("SW_HIDE", "ShowWindow"))
| extend Signal = "HiddenWindowExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 5: wscript/cscript batch mode (//b suppresses error dialogs and prompts) and mshta inline scripts
let HiddenScriptWindow = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ ("wscript.exe", "cscript.exe")
         and ProcessCommandLine matches regex @"(?i)(^|\s)//b\b")
       or (FileName =~ "mshta.exe"
           and ProcessCommandLine has_any ("vbscript:", "javascript:", "CreateObject"))
| extend Signal = "HiddenScriptBatchMode"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Signal 6: icacls or cacls used to deny Everyone/Users access to hide files (T1564.001)
let AccessDenialToHide = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("icacls.exe", "cacls.exe")
// icacls writes /deny <principal>:(perms), cacls writes /D <principal>; SIDs carry a leading "*"
| where ProcessCommandLine matches regex @"(?i)/(deny|d)\s+\*?(everyone|users|S-1-1-0|S-1-5-32-545)\b"
| extend Signal = "FileAccessDeniedToHide"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// Union all signals
union HiddenFileAttrib, ADSCreation, HiddenScheduledTask, HiddenWindow, HiddenScriptWindow, AccessDenialToHide
| sort by Timestamp desc
Severity: High · Confidence: High

Multi-signal detection for T1564 Hide Artifacts across the most commonly observed sub-techniques. Detects: (1) attrib.exe setting hidden/system file attributes; (2) NTFS Alternate Data Stream creation via cmd or PowerShell redirection syntax, a -Path/-FilePath argument carrying a stream suffix, or the -Stream parameter of Set-Content/Add-Content; (3) scheduled task Security Descriptor registry value deletion, the Tarrask technique that makes tasks invisible to schtasks and the Task Scheduler UI; (4) hidden window flags on PowerShell command lines and the SW_HIDE/ShowWindow API names in inline scripts; (5) wscript/cscript batch mode (//b), which suppresses script error dialogs and input prompts so a script runs without user-visible interaction, plus mshta inline scripts; (6) icacls or cacls used to deny access to files, obscuring them from normal users. Uses DeviceProcessEvents and DeviceRegistryEvents from Microsoft Defender for Endpoint. Because the KQL `has` operator matches whole indexed terms, tokens such as "+h", "//b" and "*S-1-1-0" are matched with regular expressions rather than `has`; `has "+h"` would also match "attrib -h".
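The six signals can be unit-tested offline before the rule is deployed, which is the quickest way to confirm the regex edge cases (attrib -h must not fire; a plain C:\ path is not a stream). The following Python script is an added example, not code from this page or from Microsoft: it mirrors the query's patterns over constructed, MDE-shaped event dicts (column names as in DeviceProcessEvents and DeviceRegistryEvents; the device names, paths and command lines are invented) and reports the same Signal labels the KQL emits.

```python
"""Offline replay of the six KQL signals over constructed MDE-shaped events.

Example code added for this page (not the detection's own code). Event dicts use the
DeviceProcessEvents / DeviceRegistryEvents column names; the events themselves are
constructed samples, not real telemetry.
"""
import re

# One pattern per KQL signal. Python's re and Kusto's RE2 agree on everything used
# here: character classes, \s \S \b, (?i) and alternation.
ATTRIB_HIDE = re.compile(r"(?i)(?:^|\s)\+[hs]\b")              # attrib +h / +s, never -h
# '>' redirection into file:stream. \S+ allows absolute paths; a bare drive letter
# ("C:\...") is not a stream because the class after ':' excludes the backslash.
ADS_REDIRECT = re.compile(r'>\s*\S+:[^\\/:*?"<>|\s]+')
ADS_PATH = re.compile(r"(?i)-(?:Path|FilePath)\s+\S+:[^\\/\s:]+")   # -Path file:stream
PS_HIDDEN = re.compile(r"(?i)-w[a-z]*\s+h[a-z]*\b")              # -WindowStyle Hidden, -w h
WSH_BATCH = re.compile(r"(?i)(?:^|\s)//b\b")                      # wscript //b
ACL_DENY = re.compile(r"(?i)/(?:deny|d)\s+\*?(?:everyone|users|S-1-1-0|S-1-5-32-545)\b")
TASKCACHE_TREE = "\\schedule\\taskcache\\tree\\"                  # compared lower-cased

SYSTEM_PROCS = ("explorer.exe", "msiexec.exe", "svchost.exe")


def process_signals(ev):
    """Signals 1, 2, 4, 5 and 6, evaluated on one DeviceProcessEvents-shaped dict."""
    name = (ev.get("FileName") or "").lower()
    cmd = ev.get("ProcessCommandLine") or ""
    hits = []
    if name == "attrib.exe" and ATTRIB_HIDE.search(cmd):
        hits.append("HiddenFileAttribute")
    if name in ("cmd.exe", "powershell.exe", "pwsh.exe") and (
        ADS_REDIRECT.search(cmd)
        or (re.search(r"(?i)(set|add)-content", cmd) and "-stream" in cmd.lower())
        or (re.search(r"(?i)set-content|out-file", cmd) and ADS_PATH.search(cmd))
    ):
        hits.append("NTFSAlternateDataStream")
    if (name in ("powershell.exe", "pwsh.exe") and PS_HIDDEN.search(cmd)) or (
        name not in SYSTEM_PROCS and re.search(r"(?i)\bSW_HIDE\b|\bShowWindow\b", cmd)
    ):
        hits.append("HiddenWindowExecution")
    if (name in ("wscript.exe", "cscript.exe") and WSH_BATCH.search(cmd)) or (
        name == "mshta.exe" and re.search(r"(?i)vbscript:|javascript:|CreateObject", cmd)
    ):
        hits.append("HiddenScriptBatchMode")
    if name in ("icacls.exe", "cacls.exe") and ACL_DENY.search(cmd):
        hits.append("FileAccessDeniedToHide")
    return hits


def registry_signals(ev):
    """Signal 3: the SD value deleted under TaskCache\\Tree (Tarrask)."""
    if (ev.get("ActionType") == "RegistryValueDeleted"
            and TASKCACHE_TREE in (ev.get("RegistryKey") or "").lower()
            and (ev.get("RegistryValueName") or "").lower() == "sd"):
        return ["HiddenScheduledTaskSD"]
    return []


def detect(events):
    """Union of all signals, like the final KQL `union`: list of (DeviceName, Signal)."""
    hits = []
    for ev in events:
        fn = registry_signals if ev["table"] == "DeviceRegistryEvents" else process_signals
        hits.extend((ev["DeviceName"], sig) for sig in fn(ev))
    return hits


def proc(device, exe, cmd):
    """Shorthand for a constructed DeviceProcessEvents-shaped row."""
    return {"table": "DeviceProcessEvents", "DeviceName": device,
            "FileName": exe, "ProcessCommandLine": cmd}


# Constructed sample events: a true positive for every signal plus the two benign
# look-alikes the regexes must reject (attrib -h unhides; a plain C:\ path is not a stream).
SAMPLE_EVENTS = [
    proc("ws01", "attrib.exe", r"attrib +h +s C:\Users\a\AppData\Local\Temp\t1564-test.txt"),
    proc("ws01", "attrib.exe", r"attrib -h C:\Users\a\notes.txt"),
    proc("ws02", "cmd.exe", r"cmd.exe /c echo payload > C:\Temp\t.txt:hidden_payload.ps1"),
    proc("ws02", "powershell.exe", r"powershell.exe Set-Content -Path C:\Temp\config.txt -Value x"),
    proc("ws02", "powershell.exe", r"powershell.exe Set-Content -Path C:\Temp\config.txt:evil -Value x"),
    {"table": "DeviceRegistryEvents", "DeviceName": "srv01", "ActionType": "RegistryValueDeleted",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                    r"\Schedule\TaskCache\Tree\Microsoft\Windows\T1564-HiddenTask",
     "RegistryValueName": "SD"},
    proc("ws03", "powershell.exe", "powershell.exe -nop -w h -enc AAAA"),
    proc("ws03", "wscript.exe", r"wscript.exe //b //nologo C:\Temp\t1564-hidden.vbs"),
    proc("ws03", "icacls.exe", r"icacls C:\Temp\stash /deny Everyone:(F)"),
]

if __name__ == "__main__":
    for device, signal in detect(SAMPLE_EVENTS):
        print(f"{device:6} {signal}")
```

Running it lists seven hits: the two benign rows (attrib -h and Set-Content to a plain path) produce nothing. To extend the harness, add rows from real command lines seen in your tenant and assert on the expected label; any regex change to the KQL should be mirrored here first.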

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Windows Registry: Windows Registry Key Deletion
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • System administrators using attrib.exe to mark backup or configuration files as hidden/system to prevent accidental deletion
  • Software installers and package managers that legitimately set hidden attributes on their program files during installation
  • Legitimate security or monitoring tools that use hidden windows (wscript //b, mshta) for background polling and scheduled checks
  • Enterprise backup solutions (Veeam, Commvault) that manipulate NTFS attributes and ACLs as part of their backup and restore operations
  • Browsers, mail clients, download managers and some development tools that write the Zone.Identifier (Mark of the Web) or other metadata streams to files. These are written through file APIs rather than command-line redirection, so they surface only if Signal 2 is extended to DeviceFileEvents or Sysmon Event ID 15

Testing Methodology

Validate this detection against the five tests below, derived from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see, so that a run that produces no alert can be traced to missing telemetry rather than a rule gap.

  1. Test 1: Hide File Using Attrib Command

    Expected signal: Sysmon Event ID 1 (Process Create) for attrib.exe with CommandLine '+h +s %TEMP%\t1564-test.txt'. Security Event ID 4688 if command-line auditing is enabled. DeviceProcessEvents in MDE: FileName=attrib.exe, ProcessCommandLine contains '+h' and '+s'. A plain 'dir' at the end lists no file, while 'dir /a' still shows it, confirming that the file was hidden rather than deleted.

  2. Test 2: Write Payload to NTFS Alternate Data Stream

    Expected signal: Sysmon Event ID 15 (FileCreateStreamHash): TargetFilename='%TEMP%\t1564-ads-test.txt:hidden_payload.ps1', Hash of stream content. Sysmon Event ID 1: cmd.exe process create with redirect operator and colon-delimited stream path in CommandLine. DeviceFileEvents in MDE: ActionType=FileCreated with stream notation in FileName. The 'dir /r' output will show both the main file and ':hidden_payload.ps1:$DATA' confirming ADS creation.

  3. Test 3: Delete Scheduled Task Security Descriptor to Hide Task (Tarrask Technique)

    Expected signal: Sysmon Event ID 12 (RegistryEvent, object create and delete): TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\T1564-HiddenTask\SD', EventType='DeleteValue', Image='reg.exe'. Note that a value deletion is reported as Event ID 12, not 13 (Value Set) or 14 (Rename). Security Event ID 4698 (scheduled task created) for the initial schtasks /create. Security Event ID 4699 (scheduled task deleted) will NOT fire for the SD deletion, because the task is hidden by editing the registry directly rather than through the Task Scheduler service; a Security Event ID 4657 appears only if Audit Registry is enabled and a SACL covers the TaskCache key. DeviceRegistryEvents in MDE: ActionType=RegistryValueDeleted, RegistryKey contains 'TaskCache\Tree', RegistryValueName='SD'. After the deletion 'schtasks /query' no longer lists the task, but its Id value and Tasks\{GUID} entry remain and the task continues to run, which is what makes the procedure useful to an adversary.

  4. Test 4: Hide Script Execution Using Wscript Batch Mode (Hidden Window)

    Expected signal: Sysmon Event ID 1 (Process Create) for wscript.exe with CommandLine '//b //nologo %TEMP%\t1564-hidden.vbs'. ParentImage will be cmd.exe in this test, but in real attacks it is often outlook.exe, explorer.exe, or mshta.exe. Security Event ID 4688 if command-line auditing is enabled. DeviceProcessEvents in MDE: FileName=wscript.exe, ProcessCommandLine contains '//b'. wscript.exe has no console window to begin with; //b (batch mode) additionally suppresses script error dialogs and input prompts, so nothing appears on the desktop.

  5. Test 5: Linux Hidden File and Directory Creation

    Expected signal: auditd SYSCALL records for execve of mkdir, echo/tee and chmod, with the dot-prefixed path in the accompanying EXECVE record (argv as a0=, a1=, ...; arguments containing spaces or special characters are hex-encoded) and in PATH records. The a0..a3 fields of the SYSCALL record itself are the raw syscall arguments (pointers), not the path, so match on the EXECVE and PATH records. Sysmon for Linux, if deployed, records Event ID 1 with Image=/usr/bin/mkdir (or /bin/mkdir) and CommandLine containing '.t1564-hidden-dir'. MDE on Linux surfaces the same execution in DeviceProcessEvents, which none of the query's signals currently cover. The first 'ls' returns no output because the directory is hidden; 'ls -la' shows it, confirming the hiding behaviour.
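A small verifier for the expected telemetry above, as an added example that is not part of the test package the page describes. It parses Sysmon events in Windows event XML and auditd EXECVE records and applies one predicate per test. The event numbers (Sysmon 1, 12, 15; auditd hex-encoding of arguments) are real format facts; the XML events, paths and audit lines are constructed here to match the expected signals, and the Zone.Identifier row shows why Sysmon Event ID 15 needs a Mark-of-the-Web exclusion.

```python
"""Checks the expected telemetry for the five tests above against constructed Sysmon
and auditd records. Example code added for this page, not part of the test package;
the XML and audit lines are hand-built samples shaped like the real event formats."""
import re
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon(xml_text):
    """Flatten one Sysmon event (Windows event XML) into {EventID, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", SYSMON_NS).text)}
    for d in root.findall("e:EventData/e:Data", SYSMON_NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def parse_auditd_execve(line):
    """Return argv from an auditd EXECVE record. Quoted aN= values are literal; unquoted
    ones are hex-encoded (auditd does this for arguments with spaces or odd bytes)."""
    args = {}
    for m in re.finditer(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))', line):
        idx, quoted, hexed = m.groups()
        args[int(idx)] = quoted if quoted is not None else bytes.fromhex(hexed).decode()
    return [args[i] for i in sorted(args)]


# One predicate per test, written from the "Expected signal" text above.
def check_attrib(ev):          # Test 1: Sysmon 1, attrib.exe, +h on the command line
    return ev["EventID"] == 1 and ev["Image"].lower().endswith("\\attrib.exe") \
        and "+h" in ev["CommandLine"]


def check_ads(ev):             # Test 2: Sysmon 15 with a stream suffix, ignoring Mark of the Web
    return ev["EventID"] == 15 and re.search(r":[^\\:]+$", ev["TargetFilename"]) is not None \
        and not ev["TargetFilename"].endswith(":Zone.Identifier")


def check_sd_delete(ev):       # Test 3: Sysmon 12 DeleteValue of ...\TaskCache\Tree\...\SD
    return ev["EventID"] == 12 and ev.get("EventType") == "DeleteValue" \
        and "\\TaskCache\\Tree\\" in ev["TargetObject"] and ev["TargetObject"].endswith("\\SD")


def check_wscript(ev):         # Test 4: Sysmon 1, wscript.exe launched with //b
    return ev["EventID"] == 1 and ev["Image"].lower().endswith("\\wscript.exe") \
        and re.search(r"(?i)(^|\s)//b\b", ev["CommandLine"]) is not None


def check_dotfile(argv):       # Test 5: file-creating command with a dot-prefixed path component
    return bool(argv) and argv[0] in ("mkdir", "touch", "tee", "cp") \
        and any(re.search(r"(^|/)\.[^/]+", a) for a in argv[1:])


def sysmon_xml(event_id, **data):
    """Build a minimal Sysmon-shaped event; constructed input, not a real capture."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{SYSMON_NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')


TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\T1564-HiddenTask"
SAMPLES = {
    "attrib": sysmon_xml(1, Image=r"C:\Windows\System32\attrib.exe",
                         CommandLine=r"attrib +h +s C:\Users\a\AppData\Local\Temp\t1564-test.txt"),
    "ads": sysmon_xml(15, Image=r"C:\Windows\System32\cmd.exe",
                      TargetFilename=r"C:\Users\a\AppData\Local\Temp\t1564-ads-test.txt:hidden_payload.ps1"),
    "motw": sysmon_xml(15, Image=r"C:\Program Files\Browser\browser.exe",
                       TargetFilename=r"C:\Users\a\Downloads\report.pdf:Zone.Identifier"),
    "sd": sysmon_xml(12, EventType="DeleteValue", Image=r"C:\Windows\System32\reg.exe",
                     TargetObject=TREE + r"\SD"),
    "index_set": sysmon_xml(13, EventType="SetValue", Image=r"C:\Windows\System32\svchost.exe",
                            TargetObject=TREE + r"\Index"),
    "wscript": sysmon_xml(1, Image=r"C:\Windows\System32\wscript.exe",
                          CommandLine=r"wscript.exe //b //nologo C:\Users\a\AppData\Local\Temp\t1564-hidden.vbs"),
}
AUDITD_LINES = [
    'type=EXECVE msg=audit(1700000000.100:501): argc=2 a0="mkdir" a1="/var/tmp/.t1564-hidden-dir"',
    'type=EXECVE msg=audit(1700000000.200:502): argc=2 a0="echo" a1=68696464656E207061796C6F6164',
    'type=EXECVE msg=audit(1700000000.300:503): argc=2 a0="ls" a1="/var/tmp"',
]


def run_checks():
    """Map each test to whether its expected telemetry is present and its look-alike rejected."""
    ev = {k: parse_sysmon(v) for k, v in SAMPLES.items()}
    argv = [parse_auditd_execve(line) for line in AUDITD_LINES]
    return {
        "test1_attrib": check_attrib(ev["attrib"]),
        "test2_ads": check_ads(ev["ads"]) and not check_ads(ev["motw"]),
        "test3_sd_delete": check_sd_delete(ev["sd"]) and not check_sd_delete(ev["index_set"]),
        "test4_wscript": check_wscript(ev["wscript"]),
        "test5_dotfile": check_dotfile(argv[0]) and not check_dotfile(argv[2]),
        "auditd_hex_decoded": argv[1] == ["echo", "hidden payload"],
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:20} {'PASS' if ok else 'FAIL'}")
```

To use it against a real run, replace SAMPLES with events exported from the Sysmon operational log (wevtutil qe ... /f:xml) and AUDITD_LINES with the EXECVE records from ausearch; the predicates stay the same.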
