T1564.001
Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories whose names begin with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families and threat groups including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
Microsoft Sentinel / Defender
```kusto
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
| where ProcessCommandLine has "+h" or ProcessCommandLine has "+s" or ProcessCommandLine has "+r"
| extend HiddenAttr = ProcessCommandLine has "+h"
| extend SystemAttr = ProcessCommandLine has "+s"
| extend ReadOnly = ProcessCommandLine has "+r"
| extend SuspiciousTarget = ProcessCommandLine has_any ("Temp", "AppData", "ProgramData", "Recycle", "Windows")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
    HiddenAttr, SystemAttr, ReadOnly, SuspiciousTarget, SuspiciousParent
// union is a tabular operator and must be piped; sort once after the union so both branches interleave by time
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileAttributesModified"
    | where AdditionalFields has "Hidden"
    | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, AdditionalFields
)
| sort by Timestamp desc
```

Severity: medium
Confidence: medium
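As an added example (not part of the original detection package or the Sentinel query above), the following Python replays the process-creation branch of the query over constructed DeviceProcessEvents-shaped records. Instead of substring-matching "+h", it parses the attrib command line, so attribute removals (-h) and unrelated processes carrying "+h" in their arguments are not flagged, and it approximates the term matching of has_any for the target path. The extra "high" triage severity for hidden+system set from a scripting host onto a user-writable path is an assumption of this example, not tuning from the page; every event, hostname, account and path is constructed.

```python
"""Replay of the attrib-based hidden-attribute detection over constructed process events."""
import re
from typing import Iterable, Optional

# Constructed sample events (not real telemetry); field names follow DeviceProcessEvents.
SAMPLE_EVENTS = [
    {   # hidden+system set from PowerShell onto a user-writable AppData path
        "Timestamp": "2026-04-21T10:01:00Z", "DeviceName": "ws01", "AccountName": "alice",
        "FileName": "attrib.exe",
        "ProcessCommandLine": 'attrib +h +s "C:\\Users\\alice\\AppData\\Roaming\\svc\\"',
        "InitiatingProcessFileName": "powershell.exe",
    },
    {   # attribute removal, not hiding: must not alert
        "Timestamp": "2026-04-21T10:02:00Z", "DeviceName": "ws01", "AccountName": "alice",
        "FileName": "attrib.exe",
        "ProcessCommandLine": "attrib -h C:\\Data\\report.docx",
        "InitiatingProcessFileName": "explorer.exe",
    },
    {   # read-only set from cmd.exe on an unremarkable path: alerts at the page's medium
        "Timestamp": "2026-04-21T10:03:00Z", "DeviceName": "srv02", "AccountName": "svc_backup",
        "FileName": "attrib.exe",
        "ProcessCommandLine": "attrib +r D:\\Backups\\config.ini /S",
        "InitiatingProcessFileName": "cmd.exe",
    },
    {   # unrelated process whose argument happens to contain "+h": must not alert
        "Timestamp": "2026-04-21T10:04:00Z", "DeviceName": "ws01", "AccountName": "alice",
        "FileName": "notepad.exe",
        "ProcessCommandLine": "notepad.exe +h.txt",
        "InitiatingProcessFileName": "explorer.exe",
    },
]

SUSPICIOUS_TARGET_TERMS = {"temp", "appdata", "programdata", "recycle", "windows"}
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# attrib attribute letters: R(ead-only) A(rchive) S(ystem) H(idden) and the newer O I X P U B.
ATTR_FLAG = re.compile(r"^([+-])([rashoixpub])$", re.IGNORECASE)


def has_any_term(text: str, terms: set) -> bool:
    """Approximate KQL has_any: case-insensitive whole-term match on alphanumeric runs."""
    return any(t in terms for t in re.findall(r"[a-z0-9]+", text.lower()))


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths intact and unquoting them."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_attrib(cmdline: str) -> tuple:
    """Return (attributes added, attributes removed, target paths) from an attrib command line."""
    added, removed, targets = set(), set(), []
    for tok in tokenize(cmdline)[1:]:           # skip the program name itself
        m = ATTR_FLAG.match(tok)
        if m:
            (added if m.group(1) == "+" else removed).add(m.group(2).lower())
        elif tok.startswith("/"):               # switches such as /S /D /L carry no target
            continue
        else:
            targets.append(tok)
    return added, removed, targets


def evaluate(event: dict) -> Optional[dict]:
    """Mirror of the process-creation branch: alert when attrib.exe adds h, s or r."""
    if event.get("FileName", "").lower() != "attrib.exe":
        return None
    added, _removed, targets = parse_attrib(event["ProcessCommandLine"])
    if not added & {"h", "s", "r"}:
        return None
    finding = {
        "Timestamp": event["Timestamp"], "DeviceName": event["DeviceName"],
        "AccountName": event["AccountName"], "ProcessCommandLine": event["ProcessCommandLine"],
        "InitiatingProcessFileName": event["InitiatingProcessFileName"],
        "HiddenAttr": "h" in added, "SystemAttr": "s" in added, "ReadOnly": "r" in added,
        "SuspiciousTarget": has_any_term(" ".join(targets), SUSPICIOUS_TARGET_TERMS),
        "SuspiciousParent": event["InitiatingProcessFileName"].lower() in SUSPICIOUS_PARENTS,
        "Targets": targets,
    }
    # Triage hint (assumption of this example): hidden+system together, launched from a scripting
    # host onto a user-writable path, is the staging pattern described above; all else stays medium.
    finding["Severity"] = (
        "high" if finding["HiddenAttr"] and finding["SystemAttr"]
        and finding["SuspiciousTarget"] and finding["SuspiciousParent"] else "medium"
    )
    return finding


def run_detection(events: Iterable) -> list:
    """Apply evaluate() to every event and return hits newest first, as the query's sort does."""
    hits = [f for f in (evaluate(e) for e in events) if f]
    return sorted(hits, key=lambda f: f["Timestamp"], reverse=True)


if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f["Severity"], f["DeviceName"], f["InitiatingProcessFileName"], f["Targets"])
```

Running the block prints two hits: the PowerShell-launched hidden+system change on the AppData path at high, and the cmd.exe read-only change at medium; the -h removal and the notepad.exe event are dropped, which is the main difference from the query's substring test on "+h".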
Data Sources
- Process: Process Creation
- File: File Modification
- Command: Command Execution
- Microsoft Defender for Endpoint
Required Tables
- DeviceProcessEvents
- DeviceFileEvents
False Positives
- System administrators using attrib.exe to hide configuration directories or sensitive files from user view
- Software installers that mark their data directories as hidden to prevent accidental user modification
- Windows system processes that legitimately set hidden/system attributes on operating system files and directories
- Backup software that marks shadow copy-related directories as hidden and system
Last updated: 2026-04-21
Research depth: deep
References
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Related Detections
Parent Technique
- T1564 Hide Artifacts
Related Sub-techniques
- T1564.002 Hidden Users
- T1564.003 Hidden Window
- T1564.004 NTFS File Attributes
- T1564.005 Hidden File System
- T1564.006 Run Virtual Instance
- T1564.007 VBA Stomping
- T1564.008 Email Hiding Rules
- T1564.009 Resource Forking
- T1564.010 Process Argument Spoofing
- T1564.011 Ignore Process Interrupts
- T1564.012 File/Path Exclusions
- T1564.013 Bind Mounts
- T1564.014 Extended Attributes