
Attackers thrive in the shadows, using MITRE ATT&CK® T1564 – Hide Artifacts to cloak their presence with hidden files, concealed processes, and manipulated registry keys. These stealth tactics allow adversaries to evade detection, persist undetected, and escalate their access — all while quietly exfiltrating data or disrupting operations.

Imagine files, processes, and even user accounts disappearing in your environment without a trace. Could an adversary be lurking, covering their tracks and evading detection? It’s time to sharpen your tools, hunt for these hidden threats, and expose what’s been left in the dark. Can you prove their presence, or will their artifacts remain unseen? The hunt begins now!
Understanding the technique
T1564 – Hide Artifacts is a technique within the MITRE ATT&CK framework, allowing adversaries to conceal their malicious activities, maintain persistence, and evade detection by defenders. This technique spans a range of sub-techniques, each designed to obscure files, processes, user accounts, or other elements within a system. By hiding their tracks, attackers can avoid triggering alerts and extend their dwell time in an environment, increasing the potential for damage.
Sub-techniques of T1564
- Hidden Files and Directories (T1564.001): Adversaries set the hidden or system attribute on Windows, or use dot-prefixed names on Linux and macOS, to keep files and directories critical to their operations out of default listings.
- Hidden Users (T1564.002): Attackers create or modify user accounts so that they do not appear on login screens or in standard user enumeration.
- NTFS File Attributes (T1564.004): NTFS alternate data streams (and extended attributes) are used to store malicious content behind a legitimate file name, where ordinary directory listings do not show it.
- Run Virtual Instance (T1564.006): Adversaries run malicious code inside a virtual machine on the host, where host-based monitoring cannot see its processes or files.
- Email Hiding Rules (T1564.008): Attackers create mailbox rules that move, mark as read, or delete messages, preventing users from noticing security warnings or replies to phishing sent from their account.
- Resource Forking (T1564.009): On macOS, adversaries store code or data in a file's resource fork rather than its data fork.
- Ignore Process Interrupts (T1564.011): Adversaries launch commands through wrappers or flags (nohup, a shell trap that installs an empty signal handler, PowerShell -ErrorAction SilentlyContinue) so that the interrupt and hangup signals analysts and tools rely on do not stop them.
This technique falls under the Defense Evasion (TA0005) tactic in the MITRE ATT&CK framework, highlighting its role in enabling attackers to bypass detection mechanisms. By hiding artifacts, adversaries ensure that defenders are either unaware of their presence or unable to identify and remediate malicious activities in time.
Failing to detect and respond to T1564 activities can have significant consequences for an organization’s security posture. Hidden files and processes may allow attackers to escalate privileges, exfiltrate sensitive data, or maintain control over compromised systems for extended periods. The resulting impact includes risks to confidentiality, as sensitive data could be accessed or stolen; integrity, as system modifications go unnoticed; and availability, as attackers may disrupt services without being detected.
Understanding Hide Artifacts is critical to building robust defenses. By shining a light on hidden activities, you can thwart attackers’ attempts to operate in the shadows and secure your environment against evolving threats.
Data sources to optimize the hunt
Detecting Hide Artifacts requires monitoring a wide range of data sources to uncover the stealthy techniques adversaries use to conceal their activities. By leveraging these data sources, you can identify suspicious behaviors, uncover hidden files and processes, and expose adversaries’ attempts to evade detection. Below, we summarize key data sources, what they detect, and recommended integrations that have been optimized for the Elastic Agent.
1. File monitoring
- Detects: Hidden files and directories, changes to file attributes, and files with alternate data streams
- Relevance: Critical for uncovering hidden or manipulated files used to conceal malicious activity
- Elastic integration: Use File Integrity Monitoring or another integration that ingests a third-party product's file integrity and file access logs
- Required logging: Track file creation and modification events, including attribute changes; on Windows, make sure the source records stream names (for example, Sysmon Event ID 15, FileCreateStreamHash), because a plain file-create event does not distinguish a write to a stream from a write to the file itself
2. Process monitoring
- Detects: Processes that masquerade behind unusual parents, run inside virtual instances, or are launched through signal-ignoring wrappers
- Relevance: Identifies processes attempting to evade detection or execute in isolated environments
- Elastic integration: Use Elastic Endpoint Security, the Windows integration, or another integration that ingests third-party logs to capture process creation events, command-line arguments, and parent-child relationships
- Required logging: Enable process creation auditing (Event ID 4688 on Windows) together with the "Include command line in process creation events" policy, since 4688 omits the command line by default
3. Registry monitoring
- Detects: Changes to registry keys that hide accounts or establish persistence, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (a DWORD value of 0 named after an account removes it from the logon screen) and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Relevance: Identifies attempts to hide accounts and persist malicious artifacts through registry changes
- Elastic integration: Use Elastic Endpoint Security or another integration that ingests third-party logs to detect suspicious registry writes
- Required logging: Enable the Audit Registry subcategory (Event ID 4657, "A registry value was modified"); 4657 only fires for keys that carry a SACL, so set one on the keys above, or rely on Sysmon Event IDs 12, 13 and 14 for registry events
4. User account monitoring
- Detects: Creation, enabling, or modification of user accounts intended to stay hidden
- Relevance: Exposes unauthorized accounts created for stealthy access
- Elastic integration: Use Elastic Endpoint Security, the Windows integration, or another integration that ingests third-party logs of user account activity
- Required logging: Enable Audit User Account Management (Event ID 4720, account created; 4722, account enabled; 4738, account changed) and, for the registry side of hidden users, the registry auditing described above
5. Email logs
6. Memory forensics
- Detects: Processes hidden from or unlinked from the process list, code running in an in-memory virtual instance, and processes that ignore termination
- Relevance: Uncovers activity that leaves no file on disk and so evades file-based detection
- Elastic integration: Use Elastic Endpoint Security (memory threat protection and process telemetry) or the Windows integration alongside a memory acquisition workflow, since log integrations do not capture memory themselves
- Required logging: Requires memory snapshot acquisition and analysis on the suspect host; log data can only tell you which host to image
7. Audit logs
- Detects: Direct edits to account files such as /etc/passwd, mounts of hidden or unusual filesystems, resource fork access on macOS (through the ..namedfork/rsrc path), and other filesystem-level manipulation
- Relevance: Identifies lower-level methods of hiding artifacts on Linux and macOS hosts
- Elastic integration: Use the auditd integration (or Elastic Defend on Linux) for file access monitoring, and Elastic Defend on macOS, since auditd is Linux-only
- Required logging: Enable auditd watch rules (-w) on Linux for the files and directories you care about, and make sure the executing process is recorded, not only the path
For more on auditd, check out Linux Detection Engineering with auditd from Elastic Security Labs.
8. Network traffic logs
- Detects: Use of alternative protocols or obfuscated traffic patterns that could indicate hidden activity
- Relevance: Identifies potential data exfiltration or stealthy communications
- Elastic integration: You have numerous integrations to choose from, including AWS, Azure Logs, Check Point, Cisco, and Palo Alto (for a complete list of available out-of-the-box integrations, visit the Elastic Integrations page)
- Required logging: Enable DNS, HTTP, and custom protocol analysis
Threat hunting with ES|QL queries
To effectively hunt for adversaries leveraging T1564 – Hide Artifacts, we use a combination of Elastic Stack ES|QL queries and data from various sources such as file access logs, process execution logs, and command execution logs. These queries aim to uncover hidden files, processes, user accounts, and other artifacts that adversaries use to evade detection.
Query 1: Detect hidden files and directories (T1564.001)
FROM logs-*
| WHERE event.category == "file"
| MV_EXPAND file.attributes
| WHERE (file.attributes IN ("hidden", "system") OR file.name LIKE ".?*")
  AND NOT file.path LIKE "/legitimate/system/path/*"
| KEEP file.path, file.attributes, user.name, host.name, @timestamp
Explanation: This query identifies files and directories that carry the Windows hidden or system attribute, or a dot-prefixed name on Linux and macOS, and that fall outside known legitimate paths. Two details matter for correctness: file.attributes is an array in ECS, so it is expanded with MV_EXPAND before the comparison (a file with both attributes therefore produces two rows), and the path exclusion uses LIKE, because == performs an exact match and does not interpret the trailing *. The attribute test only works for sources that record attributes; the file.name test covers the Unix convention regardless of source. Attackers use both to keep their files out of default listings.
To determine what constitutes a "known legitimate path," conduct an inventory of system-critical directories and paths commonly used by legitimate applications. For example:
- Review configuration documentation for operating systems and applications to identify directories expected to contain hidden or system files.
- Use this query in your Elastic environment to identify directories that frequently contain hidden or system files:
FROM logs-*
| WHERE event.category == "file"
| MV_EXPAND file.attributes
| WHERE file.attributes IN ("hidden", "system") OR file.name LIKE ".?*"
| STATS count = count() BY file.directory
| SORT count DESC
| LIMIT 100
To exclude several known directories at once, compare file.directory (the parent directory ECS records for the file) with NOT IN. This is an exact match, so each entry must be the full directory name, written with doubled backslashes because a single backslash is the escape character in ES|QL string literals:
FROM logs-*
| WHERE event.category == "file"
| MV_EXPAND file.attributes
| WHERE file.attributes IN ("hidden", "system")
  AND file.directory NOT IN ("C:\\legitimate\\system\\path", "C:\\another\\legitimate\\path", "D:\\yet\\another\\path")
| KEEP file.path, file.attributes, user.name, host.name, @timestamp
An exact match does not cover subdirectories. To exclude a whole tree, use STARTS_WITH on file.path instead, for example AND NOT STARTS_WITH(file.path, "C:\\legitimate\\system\\path\\"); STARTS_WITH does no wildcard processing, so the path needs no escaping beyond the doubled backslashes.
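The same hunt, expressed as code you can run against exported events, as an added example that is not part of the original post and not Elastic's code. It applies the Query 1 logic (Windows hidden/system attribute, or a dot-prefixed component on Linux and macOS) to a handful of constructed ECS-style events, and reproduces the STATS ... BY file.directory baseline. The Windows directory prefixes and the benign dotfile names are assumptions standing in for the allowlist your own baseline produces.

```python
"""Hunt for hidden files and directories (T1564.001) in ECS-style file events.

Added example for this post; not Elastic's code and not from the original
article. EVENTS is constructed. Field names follow ECS (file.path,
file.attributes, host.os.type); ALLOWED_WINDOWS_PREFIXES and
BENIGN_HIDDEN_NAMES are assumptions that stand in for a real baseline.
"""
from __future__ import annotations

from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

# Assumption: lower-cased directory prefixes where hidden/system files are expected on Windows.
ALLOWED_WINDOWS_PREFIXES = (
    "c:\\windows\\",
    "c:\\programdata\\microsoft\\",
    "c:\\$recycle.bin\\",
)
# Assumption: dot-prefixed names that are normal in home directories on Linux/macOS.
BENIGN_HIDDEN_NAMES = {".bashrc", ".profile", ".bash_history", ".ssh", ".cache", ".config", ".local"}

# Constructed sample events in flattened ECS notation (not real telemetry).
EVENTS = [
    {"host.os.type": "windows", "file.path": r"C:\Windows\System32\config\SAM", "file.attributes": ["hidden", "system"]},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\AppData\Roaming\svc\update.exe", "file.attributes": ["hidden", "system"]},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Documents\report.docx", "file.attributes": ["archive"]},
    {"host.os.type": "windows", "file.path": r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\report.wer", "file.attributes": ["hidden"]},
    {"host.os.type": "linux", "file.path": "/home/bob/.bashrc", "file.attributes": []},
    {"host.os.type": "linux", "file.path": "/home/bob/.ssh/authorized_keys", "file.attributes": []},
    {"host.os.type": "linux", "file.path": "/tmp/.x/loader", "file.attributes": []},
    {"host.os.type": "linux", "file.path": "/home/bob/.config/systemd/user/.updater.service", "file.attributes": []},
    {"host.os.type": "linux", "file.path": "/var/log/syslog", "file.attributes": []},
]


def hidden_components(path: str) -> list[str]:
    """Dot-prefixed components of a POSIX path (the Unix notion of 'hidden')."""
    return [p for p in PurePosixPath(path).parts if p.startswith(".") and p not in (".", "..")]


def is_hidden(event: dict) -> bool:
    """Windows: hidden or system attribute set. Linux/macOS: any dot-prefixed path component."""
    if event.get("host.os.type") == "windows":
        attrs = {a.lower() for a in event.get("file.attributes") or []}
        return bool(attrs & {"hidden", "system"})
    return bool(hidden_components(event["file.path"]))


def is_allowlisted(event: dict) -> bool:
    """True when every hidden element of the event is explained by the baseline."""
    path = event["file.path"]
    if event.get("host.os.type") == "windows":
        return path.lower().startswith(ALLOWED_WINDOWS_PREFIXES)
    return all(c in BENIGN_HIDDEN_NAMES for c in hidden_components(path))


def directory_of(event: dict) -> str:
    """Parent directory, the equivalent of ECS file.directory."""
    if event.get("host.os.type") == "windows":
        return str(PureWindowsPath(event["file.path"]).parent)
    return str(PurePosixPath(event["file.path"]).parent)


def hunt_hidden(events: list[dict]) -> list[str]:
    """Paths of hidden files that fall outside the allowlist (the Query 1 logic)."""
    return [e["file.path"] for e in events if is_hidden(e) and not is_allowlisted(e)]


def baseline(events: list[dict]) -> list[tuple[str, int]]:
    """Hidden-file count per directory, the equivalent of STATS count() BY file.directory."""
    counts = Counter(directory_of(e) for e in events if is_hidden(e))
    return counts.most_common()


if __name__ == "__main__":
    for path in hunt_hidden(EVENTS):
        print("suspicious hidden file:", path)
    for directory, n in baseline(EVENTS):
        print(f"{n:3d}  {directory}")
```

Run it as a script to see the three flagged paths and the per-directory counts; the only decision the code makes that the query cannot is the Unix one, where a hidden parent directory (such as /tmp/.x) counts as hiding even when the file name itself is not dotted.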
Query 2: Monitor registry keys that hide users or add persistence (T1564.002)
FROM logs-*
| WHERE event.category == "registry"
  AND (registry.key LIKE "*Winlogon*SpecialAccounts*UserList"
       OR registry.key LIKE "*CurrentVersion*Run")
  AND registry.value NOT IN ("legitimate_value_name")
| KEEP registry.path, registry.key, registry.value, registry.data.strings, user.name, host.name, @timestamp
Explanation: On Windows, an account is hidden from the logon screen by creating a DWORD value named after the account, set to 0, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList; any write there deserves a look, and registry.data.strings shows the value written. The Run key is a persistence location (T1547.001) rather than a hiding mechanism, but attackers routinely pair the two, so the query covers both. Matching on registry.key with wildcards between path components avoids backslash escaping and the difference between sources that write the hive as HKLM and those that write HKEY_LOCAL_MACHINE. registry.value is the value name, so "legitimate_value_name" stands for the names your baseline shows as expected. The UserList key only appears if your source records writes to it (Sysmon with a matching RegistryEvent rule, or Event ID 4657 with a SACL on the key).
You can use a similar technique as explained in Query 1 to determine which value names to exclude:
FROM logs-*
| WHERE event.category == "registry" AND registry.key LIKE "*CurrentVersion*Run"
| STATS count = count() BY registry.value
| SORT count DESC
| LIMIT 100
Query 3: Identify NTFS alternate data streams (T1564.004)
FROM logs-*
| WHERE event.category == "file"
  AND file.path LIKE "?:*:*"
  AND NOT file.path LIKE "*::$DATA"
  AND NOT file.path LIKE "*:Zone.Identifier*"
  AND NOT STARTS_WITH(file.path, "C:\\known\\good\\path\\")
| KEEP file.path, file.attributes, process.name, user.name, host.name, @timestamp
Explanation: NTFS alternate data streams hide content behind a legitimate file name. A stream is written as file:stream:$DATA, and sources differ in whether they record the :$DATA suffix. The pattern ?:*:* matches any Windows path with a second colon after the drive letter, which is the stream separator; the first exclusion drops file::$DATA, the unnamed default stream that is simply the file's ordinary content, and the second drops Zone.Identifier, the mark-of-the-web stream that browsers and Windows write to every downloaded file. Everything that remains is a named stream outside your known-good paths. The comparison file.path == "*::$DATA" would not work here: == matches the literal string, and even as a pattern it would select only the default stream. Confirm a hit on the host with dir /r or Get-Item -Path <file> -Stream *.
You can use a similar technique as explained in Query 1 to build the known-good list, grouping by the full stream path so recurring stream names stand out:
FROM logs-*
| WHERE event.category == "file" AND file.path LIKE "?:*:*" AND NOT file.path LIKE "*::$DATA"
| STATS count = count() BY file.path
| SORT count DESC
| LIMIT 100
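The stream parsing the query does with wildcards, done explicitly, as an added example that is not part of the original post and not Elastic's code. It splits a recorded NTFS path into host file, stream name and stream type without mistaking the drive-letter colon for a separator, drops the unnamed default stream, applies a benign-stream allowlist, and produces the stream-name baseline. The events are constructed; BENIGN_STREAMS is an assumption.

```python
"""Classify NTFS alternate data streams (T1564.004) from recorded file paths.

Added example for this post; not Elastic's code and not from the original
article. EVENTS is constructed. Paths use the syntax NTFS exposes
(file:stream:$TYPE); the :$DATA suffix is optional because telemetry sources
differ in whether they record it. BENIGN_STREAMS is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

# Assumption: streams Windows itself writes routinely; baseline noise, not findings.
BENIGN_STREAMS = {"Zone.Identifier", "SmartScreen"}

_DRIVE = re.compile(r"^[A-Za-z]:(?=[\\/])")  # the colon after a drive letter is not a stream separator


class Stream(NamedTuple):
    file: str    # path of the host file (or directory)
    stream: str  # "" for the unnamed default data stream
    kind: str    # stream type, "$DATA" unless another is given


def parse_ntfs_path(path: str) -> Stream | None:
    """Split 'C:\\dir\\f.txt:stream:$DATA' into its parts; None if there is no stream component."""
    m = _DRIVE.match(path)
    prefix = path[: m.end()] if m else ""
    parts = path[len(prefix):].split(":")
    if len(parts) == 1:
        return None
    kind = parts[2] if len(parts) > 2 and parts[2] else "$DATA"
    return Stream(prefix + parts[0], parts[1], kind)


def is_alternate_data_stream(s: Stream) -> bool:
    """A named $DATA stream is an ADS; the unnamed stream is the file's ordinary content."""
    return s.stream != "" and s.kind == "$DATA"


# Constructed sample events (flattened ECS), not real telemetry.
EVENTS = [
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier:$DATA"},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Documents\notes.txt:payload.exe:$DATA"},
    {"host.os.type": "windows", "file.path": r"C:\ProgramData\update.log:cmd:$DATA"},
    {"host.os.type": "windows", "file.path": r"C:\Windows\Temp\a.txt::$DATA"},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Desktop\readme.txt"},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Downloads\tool.zip:Zone.Identifier"},
    {"host.os.type": "windows", "file.path": r"C:\Users\alice\Desktop\work:hidden:$DATA"},  # a stream on a directory
    {"host.os.type": "linux", "file.path": "/home/bob/notes:backup"},  # colons are legal in POSIX names; ignored
]


def hunt_ads(events: list[dict], benign: set[str] = BENIGN_STREAMS) -> list[tuple[str, str]]:
    """(host file, stream name) for every ADS whose name is not in the benign set (the Query 3 logic)."""
    hits = []
    for e in events:
        if e.get("host.os.type") != "windows":
            continue
        s = parse_ntfs_path(e["file.path"])
        if s and is_alternate_data_stream(s) and s.stream not in benign:
            hits.append((s.file, s.stream))
    return hits


def baseline_streams(events: list[dict]) -> list[tuple[str, int]]:
    """Stream names by frequency, to decide what belongs in the benign set."""
    counts = Counter()
    for e in events:
        if e.get("host.os.type") != "windows":
            continue
        s = parse_ntfs_path(e["file.path"])
        if s and is_alternate_data_stream(s):
            counts[s.stream] += 1
    return counts.most_common()


if __name__ == "__main__":
    for host_file, stream in hunt_ads(EVENTS):
        print(f"ADS on {host_file}: {stream}")
    print(baseline_streams(EVENTS))
```

The directory case (work:hidden:$DATA) is included deliberately: directories can carry streams too, and a hunt that only looks at file extensions misses them.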
Query 4: Detect processes running in virtual instances (T1564.006)
FROM logs-*
| WHERE event.category == "process" AND event.type == "start"
  AND process.name IN ("VBoxManage.exe", "VBoxHeadless.exe", "VirtualBox.exe", "vmwp.exe", "vmware-vmx.exe", "qemu-system-x86_64.exe")
  AND host.name NOT IN ("known_hypervisor_host")
| KEEP process.name, process.command_line, process.parent.name, host.name, user.name, @timestamp
Explanation: Attackers may run malicious code inside a virtual machine on a compromised endpoint so that host-based tools never see its processes or files. What is visible on the host is the hypervisor itself: VBoxManage.exe (especially with startvm or --type headless), VBoxHeadless.exe and VirtualBox.exe for VirtualBox, vmwp.exe (the per-VM worker process) for Hyper-V, vmware-vmx.exe for VMware Workstation, and the qemu-system binaries for QEMU. Exclude hosts where a hypervisor is expected, such as developer workstations. Two names that look relevant are poor indicators for this purpose: VBoxService.exe is the guest additions service that runs inside a VirtualBox guest, so its presence means the host you are looking at is itself a VM, and vmcompute.exe is the Hyper-V Host Compute Service, which runs on any Windows machine with containers, WSL 2, or Windows Sandbox enabled.
Query 5: Monitor email rules for concealed communications (T1564.008)
FROM logs-*
| WHERE event.dataset == "o365.audit" AND event.provider == "Exchange"
  AND event.action IN ("New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule")
| KEEP @timestamp, event.action, user.id, source.ip
| SORT @timestamp DESC
Explanation: Email hiding rules are created, not sent, so the evidence is in the mail platform's administrative audit log rather than in message metadata; a query over ordinary email events cannot distinguish a rule change from normal traffic. This version uses the field names of Elastic's Microsoft 365 integration, where the Exchange cmdlet name lands in event.action. The rule parameters (MoveToFolder, DeleteMessage, MarkAsRead, and destination folders such as RSS Subscriptions, Conversation History, or Deleted Items that attackers favor) are recorded under o365.audit.Parameters; add the ones your data carries to the KEEP line. Rules that act on messages containing words like "password", "invoice", "phish", or "suspicious", or that hide replies from a specific sender, are the classic pattern. Other mail platforms expose the same events under different dataset and action values; adjust accordingly.
Query 6: Identify resource forking (T1564.009)
FROM logs-*
| WHERE host.os.type == "macos"
  AND (file.path LIKE "*/..namedfork/rsrc*"
       OR process.command_line LIKE "*..namedfork/rsrc*"
       OR process.command_line LIKE "*com.apple.ResourceFork*")
| KEEP file.path, process.name, process.command_line, user.name, host.name, @timestamp
Explanation: Resource forks are a macOS (HFS+/APFS) feature that lets a file carry a second stream of data alongside its data fork; adversaries store code there because most tools only inspect the data fork. A resource fork is reached through the path suffix ..namedfork/rsrc or through the com.apple.ResourceFork extended attribute (written with xattr), and those are the strings the query looks for. A pattern such as *:/* is not usable here: it matches every Windows path (C:/...) and nothing on modern macOS, where the colon notation belongs to the classic Mac OS era.
Query 7: Detect processes ignoring termination signals (T1564.011)
FROM logs-*
| WHERE event.category == "process" AND event.type == "start"
  AND (process.name IN ("nohup", "setsid")
       OR process.command_line LIKE "*trap ''*"
       OR process.command_line LIKE "*trap \"\"*"
       OR process.command_line LIKE "*-ErrorAction SilentlyContinue*")
| KEEP process.name, process.command_line, process.parent.name, user.name, host.name, @timestamp
Explanation: Hangup and interrupt signals are what an analyst's terminal, a logoff, or an automated response sends to stop a process. Adversaries launch their tools through wrappers and flags that discard those signals: nohup and setsid on Linux and macOS, a shell trap '' INT TERM HUP that installs an empty handler, and PowerShell's -ErrorAction SilentlyContinue, which suppresses the errors that would otherwise halt a script. These are process-start events, so the query filters on event.type == "start"; looking at termination events with exit code 0 would return every process that ended normally and tell you nothing about signal handling. All of these constructs appear in legitimate automation, so baseline them per host and look for unusual parents, users, and target programs.
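The command-line classification behind Query 7, written out so the quoting cases are handled properly, as an added example that is not part of the original post and not Elastic's code. It tokenizes POSIX command lines with shlex, descends into sh -c strings (which is where trap '' usually lives), and checks the raw string for the PowerShell flag on Windows. The events are constructed.

```python
"""Flag command lines that detach a program from interrupt and hangup signals (T1564.011).

Added example for this post; not Elastic's code and not from the original
article. EVENTS is constructed. Only the patterns ATT&CK lists for this
sub-technique are checked (nohup/setsid wrappers, trap '' in a shell,
PowerShell -ErrorAction SilentlyContinue); legitimate scripts use all of them,
so the output is a hunting lead, not an alert.
"""
from __future__ import annotations

import shlex

WRAPPERS = {"nohup", "setsid"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SEPARATORS = {";", "&&", "||", "|", "&"}


def _tokens(text: str) -> list[str]:
    """POSIX shell tokenization that keeps ; && || | & as separate tokens."""
    lexer = shlex.shlex(text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a crude split
        return text.split()


def _first_operand(cmd: list[str]) -> str:
    """First argument that is not an option, i.e. the program being wrapped."""
    return next((t for t in cmd[1:] if not t.startswith("-")), "")


def _scan(argv: list[str], reasons: list[str], depth: int) -> None:
    """Walk each simple command in a pipeline/list, descending into sh -c '...' strings."""
    if depth > 3:
        return
    cmd: list[str] = []
    for tok in argv + [";"]:
        if tok in SEPARATORS:
            if cmd:
                _check(cmd, reasons, depth)
            cmd = []
        else:
            cmd.append(tok)


def _check(cmd: list[str], reasons: list[str], depth: int) -> None:
    name = cmd[0].rsplit("/", 1)[-1]
    if name in WRAPPERS:
        reasons.append(f"{name} {_first_operand(cmd)}")
    elif name == "trap" and len(cmd) > 1 and cmd[1] == "":
        # shlex turns the empty handler '' into an empty token; the rest are signal names
        reasons.append("trap '' " + " ".join(cmd[2:]))
    elif name in SHELLS and "-c" in cmd and cmd.index("-c") + 1 < len(cmd):
        _scan(_tokens(cmd[cmd.index("-c") + 1]), reasons, depth + 1)


def signal_evasion_reasons(command_line: str, os_type: str = "linux") -> list[str]:
    """Why a command line looks like it ignores interrupts; empty list when it does not."""
    reasons: list[str] = []
    if os_type == "windows":
        if "-erroraction silentlycontinue" in " ".join(command_line.lower().split()):
            reasons.append("powershell -ErrorAction SilentlyContinue")
        return reasons
    _scan(_tokens(command_line), reasons, 0)
    return reasons


# Constructed sample events (flattened ECS), not real telemetry.
EVENTS = [
    {"host.os.type": "linux", "process.command_line": "nohup /tmp/.x/agent >/dev/null 2>&1 &"},
    {"host.os.type": "linux", "process.command_line": "bash -c \"trap '' INT TERM HUP; /tmp/.x/agent --serve\""},
    {"host.os.type": "linux", "process.command_line": "setsid -f /usr/local/bin/beacon"},
    {"host.os.type": "linux", "process.command_line": "ls -la /tmp"},
    {"host.os.type": "linux", "process.command_line": "python3 /opt/app/worker.py"},
    {"host.os.type": "windows", "process.command_line": 'powershell.exe -NoProfile -Command "Stop-Service Sense -ErrorAction SilentlyContinue"'},
    {"host.os.type": "windows", "process.command_line": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
]


def hunt_interrupt_evasion(events: list[dict]) -> list[tuple[str, list[str]]]:
    """(command line, reasons) for every event that matches (the Query 7 logic)."""
    hits = []
    for e in events:
        reasons = signal_evasion_reasons(e["process.command_line"], e.get("host.os.type", "linux"))
        if reasons:
            hits.append((e["process.command_line"], reasons))
    return hits


if __name__ == "__main__":
    for command_line, reasons in hunt_interrupt_evasion(EVENTS):
        print(f"{'; '.join(reasons):40s}  <-  {command_line}")
```

The point of the recursive scan is the second sample: a substring match on the outer command line finds "trap ''" only by luck of spacing, while tokenizing the -c string sees the empty handler token and the signal list exactly as the shell will.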
Query 8: Identify hidden users on Linux systems
FROM logs-*
| WHERE event.category == "process" AND event.type == "start"
  AND host.os.type == "linux"
  AND ((process.name IN ("useradd", "usermod")
        AND (process.command_line LIKE "*-u *" OR process.command_line LIKE "*--uid*"
             OR process.command_line LIKE "*-o *" OR process.command_line LIKE "*--non-unique*"))
       OR process.command_line LIKE "*org.gnome.login-screen disable-user-list true*")
| KEEP process.command_line, process.parent.name, user.name, host.name, @timestamp
Explanation: On Linux an account is hidden mainly by placement rather than by a flag. Accounts created with an explicit UID below UID_MIN (1000 on most distributions) are treated as system accounts and omitted from display-manager user lists and many administrative views, and a duplicate UID created with -o shows up as whichever account owns that UID first in /etc/passwd (for UID 0, that is root). ATT&CK also documents hiding the whole user list from the GNOME greeter with gsettings set org.gnome.login-screen disable-user-list true. The query therefore flags useradd and usermod invocations that set a UID or allow a non-unique one, plus that gsettings command. Filtering on user.id >= 1000 would exclude exactly the system-range UIDs hidden accounts use, and user.id is a keyword field in ECS that cannot be compared numerically without TO_INTEGER. Confirm a lead by reading /etc/passwd on the host.
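The host-side confirmation step, as an added example that is not part of the original post and not Elastic's code: parse /etc/passwd and report accounts placed or named so they blend in. PASSWD is a constructed file; UID_MIN = 1000 mirrors the usual /etc/login.defs default and the shell list is an assumption, so adjust both to the distribution you are checking.

```python
"""Find hidden or disguised local accounts (T1564.002) in /etc/passwd.

Added example for this post; not Elastic's code and not from the original
article. PASSWD is a constructed file. UID_MIN, LOGIN_SHELLS and
ODD_HOME_PREFIXES are assumptions to tune per distribution.
"""
from __future__ import annotations

import os
from collections import Counter

UID_MIN = 1000  # assumption: the common /etc/login.defs default
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh", "/bin/dash", "/usr/bin/fish"}
ODD_HOME_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed /etc/passwd, not from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:998:998:Support:/var/tmp/.support:/bin/bash
toor:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
"""


def parse_passwd(text: str) -> list[dict]:
    """Parse passwd(5) lines into dicts; malformed lines are skipped, not guessed."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users


def find_hidden_accounts(users: list[dict], uid_min: int = UID_MIN) -> list[tuple[str, list[str]]]:
    """(account, reasons) for accounts whose placement or naming keeps them out of view."""
    uid_count = Counter(u["uid"] for u in users)
    findings = []
    for u in users:
        reasons = []
        if u["uid"] == 0 and u["name"] != "root":
            # getpwuid(0) returns the first entry, so this account's files and processes show as "root"
            reasons.append("UID 0 alias of root")
        elif u["uid"] != 0 and uid_count[u["uid"]] > 1:
            reasons.append(f"shares UID {u['uid']} with another account")
        if 0 < u["uid"] < uid_min and u["shell"] in LOGIN_SHELLS:
            # system-range UIDs are omitted from display-manager user lists and many admin views
            reasons.append(f"system-range UID {u['uid']} with login shell {u['shell']}")
        if u["home"].startswith(ODD_HOME_PREFIXES):
            reasons.append(f"home directory {u['home']} in a temporary location")
        if u["name"] != u["name"].strip() or "\t" in u["name"]:
            reasons.append("whitespace in account name")
        if reasons:
            findings.append((u["name"], reasons))
    return findings


if __name__ == "__main__":
    # On a real host read the live file; fall back to the constructed sample elsewhere.
    text = open("/etc/passwd").read() if os.path.exists("/etc/passwd") else PASSWD
    for name, reasons in find_hidden_accounts(parse_passwd(text)):
        print(f"{name}: " + "; ".join(reasons))
```

Against the sample it reports support (a login-capable account parked in the system UID range with a home directory under /var/tmp) and toor (a second UID 0), and stays silent on the genuine system accounts because their shells are nologin or sync.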
Query 9: Detect hidden processes via parent-child relationships
FROM logs-*
| WHERE event.category == "process" AND event.type == "start"
  AND process.name == "svchost.exe"
  AND process.parent.name != "services.exe"
| KEEP process.name, process.executable, process.command_line, process.parent.name, process.parent.executable, user.name, host.name, @timestamp
Explanation: Attackers hide a process in plain sight by giving it the name of a ubiquitous system binary, or by launching the real binary from an unexpected parent. Every legitimate svchost.exe instance is started by services.exe with a -k <group> argument, so a different parent, an executable path other than C:\Windows\System32\svchost.exe (or SysWOW64), or a missing -k argument is worth inspecting. Strictly this is masquerading (T1036) rather than hiding, but it is how concealed processes usually surface in process telemetry. Baseline with STATS BY process.parent.name first and allowlist any additional parents you can attribute.
Query 10: Monitor changes to protected account files
FROM logs-*
| WHERE event.category == "file"
  AND file.path IN ("/etc/passwd", "/etc/shadow", "/etc/gshadow", "/etc/sudoers")
  AND event.type IN ("change", "creation")
  AND process.name NOT IN ("useradd", "usermod", "userdel", "passwd", "chpasswd", "vipw", "visudo")
| KEEP file.path, event.type, process.name, process.executable, user.name, host.name, @timestamp
Explanation: Hidden Linux accounts end up in /etc/passwd and /etc/shadow, and attackers who hand-edit those files (or write them from a script) bypass the account utilities that produce the useradd and usermod events of Query 8. The query therefore keeps changes made by anything other than the standard tools. Reads are deliberately left out: /etc/passwd is world-readable and consulted by nearly every process, so event.type == "access" on it is pure noise; if you want reads, restrict them to /etc/shadow and allowlist sshd, login, sudo, and unix_chkpwd, which read it during authentication. event.type values differ between Elastic Defend and the auditd integration, so check your data before relying on the filter.
The key to strong security posture? Leave no stone unturned
The shadows in your network have been pushed aside, and what was once hidden has now been brought to light. From concealed files and processes to obscure registry keys — did you unmask the adversary’s tricks, or did your hunt confirm that the shadows were empty? With T1564 – Hide Artifacts in your crosshairs, your focus and detection skills have revealed the true nature of potential threats.
Whether you uncovered hidden dangers or validated your defenses, your proactive efforts have fortified your security posture. Every NTFS alternate data stream uncovered, every cloaked process revealed, and every hidden email rule dismantled strengthens your network. The risks of undetected artifacts are significant, but today, you’ve shown that a determined hunter leaves no stone unturned.
Was your network hiding an intruder, or can you confidently declare it secure? Either way, you’ve taken critical steps to limit attackers’ options. Remember, the tactics of concealment evolve, and staying ahead means continuous vigilance. Stay sharp, stay prepared, and keep hunting — because with Elastic, it’s always the right time to protect your network. Ready to take your threat hunting to the next level? Start a free Elastic Cloud trial today and bring light to the shadows before adversaries can hide in them!
The release and timing of any features or functionality described in this post remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.