MITRE ATT&CK Technique
Description
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-26T17:41:25.933Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to hide artifacts associated with '
'their behaviors to evade detection. Operating systems may '
'have features to hide various artifacts, such as important '
'system files and administrative task execution, to avoid '
'disrupting user work environments and prevent users from '
'changing files or features on the system. Adversaries may '
'abuse these features to hide artifacts such as files, '
'directories, user accounts, or other system activity to evade '
'detection.(Citation: Sofacy Komplex Trojan)(Citation: '
'Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n'
'\n'
'Adversaries may also attempt to hide artifacts associated '
'with malicious behavior by creating computing regions that '
'are isolated from common security instrumentation, such as '
'through the use of virtualization technology.(Citation: '
'Sophos Ragnar May 2020)',
'external_references': [{'external_id': 'T1564',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1564'},
{'description': 'Amit Serper. (2016). Cybereason Lab '
'Analysis OSX.Pirrit. Retrieved '
'December 10, 2021.',
'source_name': 'Cybereason OSX Pirrit',
'url': 'https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf'},
{'description': 'Arntz, P. (2015, July 22). '
'Introduction to Alternate Data '
'Streams. Retrieved March 21, 2018.',
'source_name': 'MalwareBytes ADS July 2015',
'url': 'https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/'},
{'description': 'Dani Creus, Tyler Halfpop, Robert '
'Falcone. (2016, September 26). '
"Sofacy's 'Komplex' OS X Trojan. "
'Retrieved July 8, 2017.',
'source_name': 'Sofacy Komplex Trojan',
'url': 'https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/'},
{'description': 'SophosLabs. (2020, May 21). Ragnar '
'Locker ransomware deploys virtual '
'machine to dodge security. Retrieved '
'June 29, 2020.',
'source_name': 'Sophos Ragnar May 2020',
'url': 'https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/'}],
'id': 'attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:31.407Z',
'name': 'Hide Artifacts',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'Office Suite', 'Windows', 'macOS', 'ESXi'],
'x_mitre_version': '1.4'}