Detect Hidden Files and Directories in Google Chronicle
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.001 Hidden Files and Directories
- Canonical reference
- https://attack.mitre.org/techniques/T1564/001/
YARA-L Detection Query
rule t1564_001_hidden_files_attrib {
meta:
author = "Argus Detection Engineering"
description = "Detects attrib.exe used to set hidden (+h), system (+s), or read-only (+r) attributes, especially targeting suspicious paths or launched from script interpreters — indicative of T1564.001 Hide Artifacts: Hidden Files and Directories"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1564.001"
severity = "MEDIUM"
confidence = "HIGH"
version = "1.0"
created = "2026-04-21"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path = /attrib\.exe$/i
(
$e.principal.process.command_line = /\+h/i or
$e.principal.process.command_line = /\+s/i or
$e.principal.process.command_line = /\+r/i
)
(
$e.principal.process.command_line = /(Temp|AppData|ProgramData|Recycle|Windows)/i or
$e.principal.process.parent_process.file.full_path = /(cmd|powershell|wscript|cscript|mshta)\.exe$/i
)
$e.principal.hostname = $hostname
condition:
$e
}Chronicle YARA-L 2.0 rule detecting attrib.exe usage to hide or system-flag files and directories as part of T1564.001. Fires when the command line includes hidden/system/readonly attribute flags combined with suspicious target paths or parent processes indicative of scripted evasion activity.
Data Sources
Required Tables
False Positives & Tuning
- Group Policy or logon scripts executed by cmd.exe that set hidden attributes on roaming profile cache directories
- Legitimate antivirus software quarantine routines that use attrib.exe to hide quarantined file copies
- Windows system processes like TrustedInstaller managing hidden system files during patching or update operations
Other platforms for T1564.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using attrib.exe
Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.
- Test 2Hide Directory Using attrib.exe from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.
- Test 3Create Hidden File on Linux with Dot Prefix
Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.
References (4)
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.