Detect Hide Artifacts in Sumo Logic CSE
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. Sub-techniques cover hidden files and directories, hidden users, hidden windows, NTFS alternate data streams, hidden file systems, virtual instance abuse, VBA stomping, email hiding rules, resource forking, process argument spoofing, and scheduled task SD registry deletion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Canonical reference
- https://attack.mitre.org/techniques/T1564/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where EventCode in ("1", "13") OR EventID in ("1", "13", "4698", "4702")
| parse field=CommandLine "*" as cmd nodrop
| parse field=Image "*\\*" as _dir, ProcessName nodrop
| parse field=TargetObject "*\\Schedule\\TaskCache\\Tree\\*" as _pre, TaskPath nodrop
| eval cmd_lower = toLowerCase(cmd)
// Signal classification
| eval Signal =
if (ProcessName = "attrib.exe" AND (cmd_lower matches "(?i).*\+h.*" OR cmd_lower matches "(?i).*\+s.*"),
"HiddenFileAttribute",
if (ProcessName in ("cmd.exe", "powershell.exe", "pwsh.exe") AND
(cmd_lower matches ".*>[^:]+:[^\\/:*?\"<>|\\s]+.*"
OR (cmd_lower matches ".*set-content.*" AND cmd_lower matches ".*:[^\\\\]+.*")
OR (cmd_lower matches ".*out-file.*" AND cmd_lower matches ".*:[^\\\\]+.*")),
"NTFSAlternateDataStream",
if (cmd_lower matches "(?i).*-windowstyle\s+h.*|.*-w\s+hidden.*|.*sw_hide.*|\/\/b\s|\/\/b$"
AND NOT ProcessName in ("explorer.exe", "msiexec.exe", "svchost.exe"),
"HiddenWindowExecution",
if (ProcessName in ("icacls.exe", "cacls.exe") AND
cmd_lower matches "(?i).*/deny\s+(everyone|\*s-1-1-0|users|\*s-1-5-32-545).*",
"FileAccessDeniedToHide",
if (EventCode = "13" AND cmd_lower matches ".*\\schedule\\taskcache\\tree\\.*"
AND EventType = "DeleteValue" AND TargetObject matches ".*\\SD$",
"HiddenScheduledTaskSD",
"Unknown")))))
| where Signal != "Unknown"
| count as SignalCount by host, User, Signal, ProcessName, cmd, _time
| timeslice 1h
| stats sum(SignalCount) as TotalSignals, values(Signal) as Signals, values(cmd) as Commands,
min(_timeslice) as FirstSeen, max(_timeslice) as LastSeen by host, User
| where TotalSignals >= 1
| sort by TotalSignals descSumo Logic multi-signal query for T1564 Hide Artifacts detection. Parses Windows Sysmon process and registry events to detect hidden file attribute assignment, NTFS ADS writes, hidden window execution, file access denial, and Tarrask malware-style scheduled task SD deletion. Aggregates by host and user for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Help desk or IT support technicians running remote scripts with -WindowStyle Hidden flags as part of approved remote administration procedures
- Antivirus or DLP software using attrib.exe to mark quarantine directories as hidden and system-protected to prevent user tampering
- Software packaging tools (e.g., NSIS, WiX, Advanced Installer) that create NTFS ADS entries as part of installation manifests or publisher signing workflows
Other platforms for T1564
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using Attrib Command
Expected signal: Sysmon Event ID 1: Process Create for attrib.exe with CommandLine '+h +s %TEMP%\t1564-test.txt'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE: FileName=attrib.exe, ProcessCommandLine contains '+h' and '+s'. The 'dir' command at the end will show no file — confirming hiding worked.
- Test 2Write Payload to NTFS Alternate Data Stream
Expected signal: Sysmon Event ID 15 (FileCreateStreamHash): TargetFilename='%TEMP%\t1564-ads-test.txt:hidden_payload.ps1', Hash of stream content. Sysmon Event ID 1: cmd.exe process create with redirect operator and colon-delimited stream path in CommandLine. DeviceFileEvents in MDE: ActionType=FileCreated with stream notation in FileName. The 'dir /r' output will show both the main file and ':hidden_payload.ps1:$DATA' confirming ADS creation.
- Test 3Delete Scheduled Task Security Descriptor to Hide Task (Tarrask Technique)
Expected signal: Sysmon Event ID 13 (RegistryEvent - Value Delete): TargetObject='HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\T1564-HiddenTask\SD', EventType='DeleteValue', Image='reg.exe'. Security Event ID 4698 (scheduled task created) for the initial schtasks /create. Security Event ID 4699 will NOT fire for the SD deletion — only the Sysmon registry event captures this. DeviceRegistryEvents in MDE: ActionType=RegistryValueDeleted, RegistryKey contains 'TaskCache\Tree', RegistryValueName='SD'.
- Test 4Hide Script Execution Using Wscript Batch Mode (Hidden Window)
Expected signal: Sysmon Event ID 1: Process Create for wscript.exe with CommandLine '//b //nologo %TEMP%\t1564-hidden.vbs'. ParentImage will be cmd.exe (from the atomic test) but in real attacks is often outlook.exe, explorer.exe, or mshta.exe. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE: FileName=wscript.exe, ProcessCommandLine contains '//b'. No console window or UI appears on the desktop.
- Test 5Linux Hidden File and Directory Creation
Expected signal: Auditd syscall events: execve for mkdir, echo/tee, chmod with dotfile paths. Syslog/auditd: SYSCALL records with comm='mkdir' and a0 pointing to path starting with dot. Linux process creation events in Sysmon for Linux (if deployed): Image=/bin/mkdir, CommandLine contains '.t1564-hidden-dir'. The first ls command returns no output (directory is hidden), the second ls -la shows it — confirming the hiding behavior.
References (13)
- https://attack.mitre.org/techniques/T1564/
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
- https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
- https://learn.microsoft.com/en-us/sysinternals/downloads/streams
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.secureworks.com/research/darktortilla-malware-analysis
- https://www.checkpoint.com/downloads/products/warzone-whitepaper.pdf
- https://www.sentinelone.com/labs/shlayer-to-zshlayer-macos-malware-evolution/
Unlock Pro Content
Get the full detection package for T1564 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (14)
- T1564.001Hidden Files and Directories
- T1564.002Hidden Users
- T1564.003Hidden Window
- T1564.004NTFS File Attributes
- T1564.005Hidden File System
- T1564.006Run Virtual Instance
- T1564.007VBA Stomping
- T1564.008Email Hiding Rules
- T1564.009Resource Forking
- T1564.010Process Argument Spoofing
- T1564.011Ignore Process Interrupts
- T1564.012File/Path Exclusions
- T1564.013Bind Mounts
- T1564.014Extended Attributes