title: Hide Artifacts (T1564)
id: df00tech-t1564
status: experimental
description: "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection. Sub-techniques cover hidden files and directories, hidden users, hidden windows, NTFS alternate data streams, hidden file systems, virtual instance abuse, VBA stomping, email hiding rules, resource forking, process argument spoofing, and scheduled task SD registry deletion."
references:
  - https://attack.mitre.org/techniques/T1564/
  - https://df00tech.com/detections/T1564
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the df00tech logic could not be auto-translated (see the KQL/SPL query on df00tech).
  # As written, `EventID: '*'` matches EVERY process_creation event, so this rule must not be
  # deployed until the selection is replaced with real criteria for the sub-techniques listed in
  # the description (e.g. attrib.exe +h/+s, hidden-window launch flags, NTFS ADS writes,
  # scheduled-task SD value deletion under TaskCache\Tree).
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators using attrib.exe to mark backup or configuration files as hidden/system to prevent accidental deletion
  - Software installers and package managers that legitimately set hidden attributes on their program files during installation
  - "Legitimate security or monitoring tools that run background polling and scheduled checks in hidden windows (for example powershell.exe -WindowStyle Hidden, wscript.exe //B, or mshta.exe)"
  - "Enterprise backup solutions (Veeam, Commvault) that manipulate NTFS attributes and ACLs as part of their backup and restore operations"
  - "Browsers and download tools that write the Zone.Identifier (Mark-of-the-Web) stream, and development tools (Visual Studio, Node.js) that store metadata in NTFS Alternate Data Streams"
level: high
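The falsepositives above imply which process_creation signals this rule is meant to cover (attrib.exe hiding files, hidden-window launches, NTFS ADS writes), and the description adds scheduled-task SD deletion. The Python below is an added example, not the df00tech rule or the KQL/SPL query it references: a minimal Sigma-style matcher (field modifiers |endswith, |contains, |contains|all and |re) that runs one selection per sub-technique over constructed Sysmon Event ID 1 style events, with a ParentImage filter for the installer false positive. The selection patterns, the msiexec.exe filter and the sample events are assumptions for illustration and would need tuning (for example for the backup agents named above) before use.

```python
"""Sigma-style selections for T1564 process_creation signals, run over constructed events.

Added example, not the df00tech rule. Modifiers mirror Sigma (|endswith, |contains,
|contains|all, |re) on Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine).
"""
import re

# Assumed detection selections, one per sub-technique named in the rule description.
# A dict is an AND of its fields; a list of dicts is an OR of alternatives.
SELECTIONS = {
    # Hidden files and directories: attrib.exe setting +h and/or +s
    "hidden_file_attrib": {
        "Image|endswith": "\\attrib.exe",
        "CommandLine|re": r"(?i)\+[hs]\b",
    },
    # Hidden window: powershell -WindowStyle Hidden (or -w h) and wscript //B
    "hidden_window": [
        {"Image|endswith": "\\powershell.exe",
         "CommandLine|re": r"(?i)-w(indowstyle)?\s+h(idden)?\b"},
        {"Image|endswith": "\\wscript.exe", "CommandLine|contains": "//b"},
    ],
    # NTFS alternate data stream: shell redirect into file:stream at end of the line
    "ads_write": {"CommandLine|re": r">\s*\S+:[^\\/:\s]+\s*$"},
    # Scheduled task SD deletion: reg.exe removing the SD value under TaskCache\Tree
    "task_sd_delete": {
        "Image|endswith": "\\reg.exe",
        "CommandLine|contains|all": ["delete", "\\TaskCache\\Tree\\", "/v sd"],
    },
}

# Assumed false-positive filter: attribute changes spawned by the Windows Installer.
FILTER = {"ParentImage|endswith": ["\\msiexec.exe"]}


def _field_match(event, key, expected):
    """Evaluate one 'Field|modifier...' key against the event (case-insensitive)."""
    field, *mods = key.split("|")
    value = str(event.get(field, ""))
    if "all" in mods:  # every listed value must match
        base = "|".join([field] + [m for m in mods if m != "all"])
        return all(_field_match(event, base, e) for e in expected)
    if isinstance(expected, list):  # any listed value may match
        return any(_field_match(event, key, e) for e in expected)
    if "re" in mods:
        return re.search(expected, value) is not None
    low, exp = value.lower(), str(expected).lower()
    if "endswith" in mods:
        return low.endswith(exp)
    if "contains" in mods:
        return exp in low
    return low == exp


def _selection_match(event, selection):
    if isinstance(selection, list):
        return any(_selection_match(event, s) for s in selection)
    return all(_field_match(event, k, v) for k, v in selection.items())


def classify(event):
    """Names of SELECTIONS the event triggers; empty if FILTER excludes it."""
    if _selection_match(event, FILTER):
        return []
    return [name for name, sel in SELECTIONS.items() if _selection_match(event, sel)]


def run(events):
    """Map event index -> triggered selection names, omitting events with no hit."""
    hits = {}
    for i, ev in enumerate(events):
        names = classify(ev)
        if names:
            hits[i] = names
    return hits


def _ev(image, parent, cmdline):
    return {"EventID": 1, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


SYS32 = r"C:\Windows\System32"
EVENTS = [  # constructed sample events, not real telemetry
    _ev(SYS32 + r"\attrib.exe", SYS32 + r"\cmd.exe",
        r"attrib +h +s C:\Users\Public\stage.dll"),
    _ev(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
        r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\run.ps1"),
    _ev(SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe",
        r"cmd.exe /c type C:\Users\Public\p.exe > C:\Windows\Temp\readme.txt:p.exe"),
    _ev(SYS32 + r"\reg.exe", SYS32 + r"\cmd.exe",
        r'reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater" /v SD /f'),
    _ev(SYS32 + r"\attrib.exe", SYS32 + r"\msiexec.exe",
        r'attrib +h "C:\Program Files\Vendor\config.ini"'),  # installer child: filtered out
    _ev(SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe",
        r"cmd.exe /c echo done > C:\Users\Public\notes.txt"),  # plain redirect: no hit
]

if __name__ == "__main__":
    for i, names in run(EVENTS).items():
        print(i, names, EVENTS[i]["CommandLine"])
```

The selections are deliberately loose (any `+h`/`+s`, any `file:stream` redirect) so that tuning happens in `FILTER` rather than by weakening the positive match; in a real deployment each selection would become its own rule with its own level rather than one catch-all at `high`.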
