Detect Hidden Files and Directories in CrowdStrike LogScale
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.001 Hidden Files and Directories
- Canonical reference
- https://attack.mitre.org/techniques/T1564/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /attrib\.exe$/i
| CommandLine = /\+[hHsS]/
| eval HiddenAttr = if(CommandLine = /\+h/i, 1, 0)
| eval SystemAttr = if(CommandLine = /\+s/i, 1, 0)
| eval SuspiciousTarget = if(CommandLine = /(Temp|AppData|ProgramData|Recycle|Windows)/i, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(cmd|powershell|wscript|cscript|mshta)\.exe$/i, 1, 0)
| eval RiskScore = HiddenAttr + SystemAttr + SuspiciousTarget + SuspiciousParent
| RiskScore > 1
| groupBy([ComputerName, UserName, CommandLine, ParentBaseFileName], function=[
max(RiskScore, as=MaxRisk),
max(HiddenAttr, as=HiddenAttr),
max(SystemAttr, as=SystemAttr),
max(SuspiciousTarget, as=SuspiciousTarget),
max(SuspiciousParent, as=SuspiciousParent),
count(as=EventCount)
])
| sort(MaxRisk, order=desc)CrowdStrike LogScale CQL detection for attrib.exe invocations that apply hidden or system attributes to files and directories. Uses a risk scoring model across attribute type, target path sensitivity, and parent process context to surface likely malicious activity while suppressing routine use.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint management tools or deployment scripts setting hidden attributes on agent working directories to protect operational files
- Third-party backup clients hiding their local cache directories using attrib.exe as part of a normal install routine
- Developer environment setup scripts (e.g., dotfile bootstrap scripts, WSL configuration) that mark configuration directories as hidden
Other platforms for T1564.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using attrib.exe
Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.
- Test 2Hide Directory Using attrib.exe from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.
- Test 3Create Hidden File on Linux with Dot Prefix
Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.
References (4)
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.