Hide Artifacts

Hide Artifacts refers to techniques by which an adversary manipulates system resources or environment characteristics to conceal traces of malicious activity; the goal is to evade security detection and forensic analysis. The technique covers file hiding, process masquerading, virtualized isolation and other implementations, and is commonly used during the persistence and lateral-movement phases of an intrusion. Traditional defenses rely on file integrity monitoring, process behavior analysis and metadata validation, identifying concealment by detecting anomalous resource-access patterns or attribute changes.

To counter increasingly mature detection, adversaries have developed layered concealment techniques: abusing file-system features, keeping payloads resident in memory, sensing virtualized environments, and similar methods that work toward a "fileless, processless, traceless" model of evasion. These techniques loosen the constraints that traditional storage media and runtime environments impose on an attacker and remove attack traces along several dimensions at once.

Existing concealment techniques share characteristics at three levels. In the storage dimension, they go beneath the file system's visible structure and build hidden storage in non-standard areas such as alternate data streams, memory pages and registry values. In the execution dimension, context hijacking and environment masquerading blend malicious code into legitimate processes or system services. In the time dimension, timeline obfuscation and log injection undermine the traceability of forensic events. Concretely: file-stream hiding changes where a malicious file lives by binding the payload to a legitimate system object; in-memory residence changes how code executes, leaving minimal runtime traces; virtualization-based techniques move execution into an environment the host's sensors cannot observe and let a payload adapt to the environment it detects; and timestamp tampering undermines the chronological basis of traditional forensic analysis. Used together, these techniques leave attack traces that are invisible in storage, unobservable at run time and untrustworthy on the timeline.

ID: T1564
Sub-techniques: T1564.001, T1564.002, T1564.003, T1564.004
Tactic: Defense Evasion
Platforms: Linux, Office Suite, Windows, macOS
Version: 1.3
Created: 26 February 2020
Last Modified: 15 October 2024

Concealment Effects

Effect type Present
Feature masquerading
Behavioral transparency
Data obscuring
Timeline obfuscation

Feature masquerading

Through file-attribute masquerading and process-context hijacking, the adversary gives malicious objects the outward features of legitimate ones: hiding a malicious file deep in the system directory tree, creating a process whose name imitates a system service, or setting registry values that match a legitimate configuration pattern. Because the malicious object then closely resembles a normal system component in its surface features, detections that key on naming rules or path characteristics miss it. Look-alike names and paths are cataloged separately in ATT&CK under Masquerading (T1036); Hide Artifacts proper removes the object from enumeration altogether, for example through hidden file attributes or NTFS alternate data streams.

Behavioral transparency

Virtualization is used to create an execution environment separate from the host, so that security tooling running on the host does not observe the operations carried out inside the isolated guest. With hardware-assisted virtualization the adversary can perform sensitive operations without triggering host-side alerts, creating an observation blind spot. The hypervisor process, its disk image and its network traffic still exist on the host, however, so host detection shifts to those artifacts: unexpected hypervisor binaries, newly created virtual disk files, and virtual NIC or bridge traffic.

Data obscuring

Encrypted storage combined with in-memory decryption ensures that a malicious payload exists in clear form only while it runs. NTFS alternate data streams store a payload alongside a legitimate file where directory listings and file-size displays do not show it (this is concealment, not encryption: stream contents are stored in clear and can be read by anything that enumerates streams). Encrypted containers such as BitLocker-protected volumes and custom in-memory encryption schemes protect the payload at rest, so static scanning of the stored bytes yields nothing useful.
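As an added example (not code from the MITRE page or any of the cited reports), the following PowerShell enumerates NTFS alternate data streams under a directory, skips the unnamed default stream and the browser-written Zone.Identifier stream, and peeks at the first two bytes of each remaining stream so that a PE image hidden in a stream stands out. The `readme.txt` carrier and the `cfg` stream name in the demonstration are arbitrary choices for illustration; the scan itself works on any NTFS path.

```powershell
# Added example: find payloads hidden in NTFS alternate data streams.
# Requires Windows and an NTFS volume; works on Windows PowerShell 5.1 and PowerShell 7.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier (Mark-of-the-Web) is written by browsers and is expected noise.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )
    # Byte-reading switch differs between Windows PowerShell and PowerShell 7.
    $readParams = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                  else { @{ Encoding = 'Byte' } }

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file; ':$DATA' is the unnamed default stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                ForEach-Object {
                    # Peek at the first two bytes: 'MZ' (0x4D 0x5A) marks a PE executable.
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -TotalCount 2 @readParams -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Demonstration on a throwaway directory: hide data in a stream named 'cfg' (illustrative
# name) behind a benign-looking text file, then confirm the scan surfaces it.
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$carrier = Join-Path $demoDir 'readme.txt'
Set-Content -LiteralPath $carrier -Value 'benign text'
Set-Content -LiteralPath $carrier -Stream 'cfg' -Value 'MZ-this stands in for a hidden payload'
Find-AlternateDataStreams -Path $demoDir | Format-Table -AutoSize
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

`dir /r` from cmd.exe shows the same streams for a single directory; the function above is useful for sweeping a tree and correlating hits with the File Metadata and File Creation data components listed under Detection. Note that the carrier file's reported size does not change when a stream is added, which is why size-based integrity checks miss this technique.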

Timeline obfuscation

Timestamp tampering and log injection break the temporal correlation between events of an attack. The adversary writes time marks from other time zones or inserts forged log entries, so that the defender cannot reliably reconstruct the attack timeline, and stretches the campaign over months through persistence mechanisms, diluting the probability that any single action is detected. ATT&CK catalogs timestamp tampering separately under Indicator Removal: Timestomp (T1070.006); it is discussed here because it serves the same concealment goal.
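As an added example (not code from the MITRE page), the following PowerShell applies a common triage heuristic for timestamp tampering: NTFS records timestamps with 100 ns resolution, while timestomping tools and manual SetFileTime calls typically write whole seconds, so a timestamp whose sub-second part is exactly zero is worth a second look. The demonstration creates its own files and backdates one of them; the file names and the chosen date are arbitrary. The heuristic is a lead, not proof: files copied from FAT/exFAT media or extracted from zip archives also carry whole-second times, so hits should be confirmed against the $FILE_NAME timestamps in the MFT and the USN journal, which user-mode tools cannot rewrite.

```powershell
# Added example: flag files whose NTFS timestamps have an exactly zero sub-second part,
# a common side effect of timestomping. Requires Windows (PowerShell 5.1 or 7).
function Find-SuspiciousTimestamps {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            $stamps = [ordered]@{
                Created  = $f.CreationTimeUtc
                Modified = $f.LastWriteTimeUtc
                Accessed = $f.LastAccessTimeUtc
            }
            # DateTime.Ticks counts 100 ns units; 10,000,000 ticks per second.
            # A zero remainder means the timestamp carries no sub-second component.
            $zeroed = $stamps.GetEnumerator() |
                Where-Object { $_.Value.Ticks % 10000000 -eq 0 } |
                ForEach-Object Key
            if ($zeroed) {
                [pscustomobject]@{
                    File                 = $f.FullName
                    ZeroedFractions      = ($zeroed -join ',')
                    Created              = $f.CreationTimeUtc.ToString('o')
                    Modified             = $f.LastWriteTimeUtc.ToString('o')
                    # Created after Modified is normal for copied files; on its own it is not
                    # evidence, but together with zeroed fractions it narrows the review list.
                    CreatedAfterModified = ($f.CreationTimeUtc -gt $f.LastWriteTimeUtc)
                }
            }
        }
}

# Demonstration: one untouched file and one backdated the way a timestomping tool would,
# with whole seconds and a plausible-looking date (both illustrative).
$demoDir = Join-Path $env:TEMP ('ts-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$normal  = Join-Path $demoDir 'normal.log'
$stomped = Join-Path $demoDir 'stomped.dll'
Set-Content -LiteralPath $normal  -Value 'untouched'
Set-Content -LiteralPath $stomped -Value 'payload'
$fake = [datetime]::new(2019, 3, 14, 9, 26, 53, [System.DateTimeKind]::Utc)
(Get-Item -LiteralPath $stomped).CreationTimeUtc  = $fake
(Get-Item -LiteralPath $stomped).LastWriteTimeUtc = $fake
Find-SuspiciousTimestamps -Path $demoDir | Format-Table -AutoSize
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Only `stomped.dll` is reported, with Created and Modified listed as zeroed; the freshly written `normal.log` keeps the sub-second precision the kernel assigned. In a real investigation, point the function at directories where a planted binary would be expected to blend in (System32, Program Files, user profile startup folders) and review the hits against the MFT.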

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x`.[1]

S1066 DarkTortilla

DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.[2]

S0402 OSX/Shlayer

OSX/Shlayer has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)" or mktemp -t Installer.[3][1][4]

S1011 Tarrask

Tarrask is able to create "hidden" scheduled tasks by deleting the Security Descriptor (SD) registry value.[5]
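As an added example (not code from the MITRE page or the Tarrask report), the following PowerShell audits the Task Scheduler registry cache for the condition Tarrask creates: a task node under TaskCache\Tree whose SD (security descriptor) value has been deleted, which hides the task from schtasks, the Task Scheduler UI and the scheduler API. Each Tree node is also cross-checked against what Get-ScheduledTask reports, so a task present in the registry but absent from the API is flagged even if SD is present. The registry paths are the standard Task Scheduler locations; the script assumes it is run from an elevated prompt, since the Tree and Tasks subkeys are readable by Administrators.

```powershell
# Added example: find scheduled tasks hidden by removing the SD value (Tarrask-style).
# Run elevated on Windows 8 / Server 2012 or later (needs the ScheduledTasks module).
$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTasks {
    # Tasks the scheduler API is willing to enumerate. TaskPath + TaskName yields
    # '\Folder\Name', the same layout the Tree subkeys use.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[$_.TaskPath + $_.TaskName] = $true
    }

    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $node  = $_
        $props = Get-ItemProperty -Path $node.PSPath -ErrorAction SilentlyContinue
        # Folder nodes carry no Id; only leaf task nodes have Id and, normally, SD.
        if (-not $props.Id) { return }

        # Strip the hive prefix to get the task path, e.g. '\Microsoft\Windows\Foo\Bar'.
        $relPath   = $node.Name -replace '^.*\\TaskCache\\Tree', ''
        $hasSD     = $null -ne $props.SD          # SD is REG_BINARY when present
        $seenByApi = $visible.ContainsKey($relPath)

        # The Tasks\{GUID} node holds the task definition; Author is useful triage context.
        $detail = Get-ItemProperty -Path (Join-Path $tasksRoot $props.Id) -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TaskPath   = $relPath
            Id         = $props.Id
            HasSD      = $hasSD
            SeenByApi  = $seenByApi
            Author     = $detail.Author
            Suspicious = (-not $hasSD) -or (-not $seenByApi)
        }
    }
}

# Report only the anomalies; drop the Where-Object to see the full inventory.
Find-HiddenScheduledTasks | Where-Object Suspicious | Format-Table -AutoSize
```

A clean system returns nothing from this query. A hit with HasSD false and SeenByApi false is the Tarrask pattern: the task still exists in the registry and will still run, but no scheduler tooling lists it. Pair this with the Windows Registry Key Modification data component below (auditing deletions under TaskCache\Tree) so the removal itself is captured, not only its aftermath.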

S0670 WarzoneRAT

WarzoneRAT can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through IFileOperation.[6]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Review and audit file/folder exclusions, and limit scope of exclusions to only what is required where possible.[7]

M1013 Application Developer Guidance

Application developers should consider limiting the requirements for custom or otherwise difficult to manage file/folder exclusions. Where possible, install applications to trusted system folder paths that are already protected by restricted file and directory permissions.

M1033 Limit Software Installation

Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0022 File File Creation

Monitor for newly constructed files that may attempt to hide artifacts associated with their behaviors to evade detection.

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions that may attempt to hide artifacts associated with their behaviors to evade detection.

File Modification

Monitor for changes made to files that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0001 Firmware Firmware Modification

Monitor for changes made to firmware for unexpected modifications that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0009 Process OS API Execution

Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.

Process Creation

Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system; these would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0019 Service Service Creation

Monitor for newly constructed services/daemons that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0002 User Account User Account Creation

Monitor for newly constructed user accounts that may attempt to hide artifacts associated with their behaviors to evade detection.

User Account Metadata

Monitor for contextual data about an account, which may include a username, user ID, environmental data that may attempt to hide artifacts associated with their behaviors to evade detection.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys and/or values that may attempt to hide artifacts associated with their behaviors to evade detection.

References