MITRE ATT&CK® Detection Strategy

DET0502: Detection Strategy for Hidden Artifacts Across Platforms

Enterprise · DET0502 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0502 is a MITRE ATT&CK detection strategy for finding hidden artifacts across platforms, tied to T1564 Hide Artifacts. The business significance is that hidden files, directories, user accounts, administrative activity, or other concealed system activity can delay incident discovery and weaken confidence in audit evidence. Because the strategy object itself has no official description, detection text, platforms, or tactics, teams should treat it as a prompt to validate whether their environments can expose attempts to hide attacker activity, especially where T1564 is relevant: ESXi, Linux, macOS, and Office Suite contexts.

Executive priority

Prioritize this as a resilience and assurance question: can the organization prove that important security telemetry and administrative evidence cannot be easily hidden from the SOC or incident responders? Leaders should ask whether logging, endpoint visibility, cloud/virtualization administration records, and investigation procedures are sufficient to find concealed artifacts before they affect containment decisions, compliance evidence, or business continuity.

Technical view

For SOC, detection engineering, and IR teams, use the relationship to T1564 Hide Artifacts as the anchor. Validate visibility into concealed or abnormal files, directories, user accounts, and administrative/system activity on the related platforms listed by ATT&CK: ESXi, Linux, macOS, and Office Suite. Because DET0502 provides no official detection logic, teams should map local detections to T1564 behaviors and test whether standard triage workflows can reveal artifacts that are hidden by native operating system or application features.

Likely telemetry

  • Endpoint file and directory metadata, including hidden attributes and unusual locations
  • User and account inventory records, including unexpected or concealed accounts
  • Administrative task and system activity logs
  • Linux and macOS host logs relevant to file, account, and process/activity visibility
  • ESXi administrative and system logs where applicable

Detection direction

  • Confirm whether existing detections for T1564 cover hidden files, directories, accounts, and system activity rather than only obvious malware artifacts.
  • Tune detections around deviations from expected administrative behavior, while accounting for legitimate operating system and application features that intentionally hide system files or reduce user disruption.
  • Validate collection gaps on ESXi, Linux, macOS, and Office Suite environments if those platforms are in scope; the detection strategy object itself does not specify platforms, so coverage must be confirmed locally.
  • During investigations, require checks that compare normal user-facing views with authoritative logs, inventories, and security tooling views.
  • Document false-positive handling for legitimate hidden system files, managed administrative tasks, and expected application behavior.
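
The "compare user-facing views with authoritative views" check above, as an added example that is not code from the Glexia page or from MITRE ATT&CK: it flags files hidden by native OS features (dot-prefixed paths on Linux/macOS, the macOS UF_HIDDEN flag) and accounts that can log in but a regular-user listing would omit. All inputs are constructed; the regular-user UID threshold of 1000 is an assumption (the Linux default; macOS uses 500), as is the set of non-interactive shells.

```python
# Added example: a minimal hidden-artifact review for Linux/macOS hosts.
# Not code from the Glexia page or from MITRE ATT&CK; the inputs below are
# constructed, and REGULAR_USER_MIN_UID = 1000 is an assumption (Linux default;
# macOS uses 500).
import stat
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileEntry:
    """A file path plus its BSD/macOS st_flags (absent on Linux, so default 0)."""
    path: str
    st_flags: int = 0


def is_hidden_path(entry: FileEntry) -> bool:
    """True when a native OS feature hides the file from a normal listing:
    any dot-prefixed path component (Linux/macOS) or the macOS UF_HIDDEN flag."""
    parts = [p for p in entry.path.split("/") if p]
    dotted = any(p.startswith(".") for p in parts)
    return dotted or bool(entry.st_flags & stat.UF_HIDDEN)


def hidden_files(entries: List[FileEntry]) -> List[str]:
    """Paths a user-facing listing would not show."""
    return [e.path for e in entries if is_hidden_path(e)]


# Shells that mark an account as non-interactive; such accounts are expected
# to be absent from user-facing views and are not flagged here (assumed set).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
REGULAR_USER_MIN_UID = 1000  # assumption: Linux default; macOS uses 500


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5)-style lines into account records; skips comments and blanks."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: ignore rather than guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def concealed_interactive_accounts(accounts: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Accounts that can log in yet a 'regular users' view (UID >= threshold) omits:
    a second UID-0 account, or an interactive account parked below the threshold."""
    flagged = []
    for a in accounts:
        if a["shell"] in NOLOGIN_SHELLS:
            continue
        if a["uid"] == 0 and a["name"] != "root":
            flagged.append(a)
        elif 0 < a["uid"] < REGULAR_USER_MIN_UID:
            flagged.append(a)
    return flagged


def review(files: List[FileEntry], passwd_text: str) -> Dict[str, list]:
    """Compare the user-facing view with the authoritative one and report the gap."""
    accounts = parse_passwd(passwd_text)
    return {
        "hidden_files": hidden_files(files),
        "concealed_accounts": [a["name"] for a in concealed_interactive_accounts(accounts)],
    }


# Constructed sample input (not taken from any real host).
SAMPLE_FILES = [
    FileEntry("/home/alice/report.txt"),
    FileEntry("/home/alice/.cache/session.db"),               # dot-directory
    FileEntry("/var/tmp/updates", st_flags=stat.UF_HIDDEN),   # macOS hidden flag
    FileEntry("/etc/hosts"),
]
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/root:/bin/bash
svc_backup:x:450:450::/var/lib/backup:/bin/bash
"""

if __name__ == "__main__":
    for key, items in review(SAMPLE_FILES, SAMPLE_PASSWD).items():
        print(f"{key}: {items}")
```

On a live host the same functions take `os.scandir` results (with `st_flags` from `os.stat` on macOS) and the contents of `/etc/passwd`; the point of the structure is that the authoritative inventory, not the login screen or file browser, is what the review is compared against, and that legitimate hidden system files and non-interactive service accounts are separated from the findings up front so false-positive handling is explicit.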

Mitigation priorities

  • First, inventory where T1564-relevant platforms exist and identify which systems generate authoritative logs for files, accounts, administrative tasks, and system activity.
  • Next, ensure security tooling and logging policies preserve visibility into hidden or concealed artifacts rather than relying only on user-visible views.
  • Then, align SOC runbooks and incident response checklists to explicitly search for hidden artifacts during containment and scoping.
  • Finally, use detection validation exercises to produce evidence for control assurance, audit readiness, and detection engineering backlog prioritization.

Analyst notes and limits

The supplied ATT&CK detection strategy has no official description or detection content. The useful context comes from its relationship: DET0502 detects T1564 Hide Artifacts, a stealth technique involving abuse of operating system or application features to conceal files, directories, user accounts, or system activity. Treat this take as coverage-planning guidance rather than a MITRE-provided analytic specification.

No official DET0502 detection logic, tactic list, platform list, or description was supplied. Any concrete detection rules, severity, data source requirements, or platform-specific coverage decisions require local environment evidence and validation against the related T1564 technique context.

Official MITRE ATT&CK definition

Detection Strategy for Hidden Artifacts Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID     Name            Relationship / procedure
Enterprise  T1564  Hide Artifacts  This object detects Hide Artifacts.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9f4b043f77120194...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  9f4b043f7712…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0502 (source URL linked on the original page)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.