Detect Hidden Files and Directories in Elastic Security
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.001 Hidden Files and Directories
- Canonical reference
- https://attack.mitre.org/techniques/T1564/001/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start"
and process.name : "attrib.exe"
and (
process.args : "+h" or
process.args : "+s" or
process.args : "+r"
)
and (
process.args : ("*Temp*", "*AppData*", "*ProgramData*", "*Recycle*", "*Windows*")
or process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
)
] by process.entity_id
OR
process where event.type == "start"
and process.name : "attrib.exe"
and process.args : "+h"
and process.args : "+s"Detects use of attrib.exe to set hidden (+h), system (+s), or read-only (+r) attributes on files or directories, particularly when invoked from suspicious parent processes or targeting common staging paths used by malware (Temp, AppData, ProgramData, Recycle, Windows).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers or package managers setting hidden attributes on configuration or cache files during normal installation
- System administrators running scripts that use attrib.exe to protect critical configuration files from accidental deletion
- Backup or imaging software that marks its staging directories as hidden and system to prevent interference
Other platforms for T1564.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using attrib.exe
Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.
- Test 2Hide Directory Using attrib.exe from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.
- Test 3Create Hidden File on Linux with Dot Prefix
Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.
References (4)
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.