T1564.001 IBM QRadar · QRadar

Detect Hidden Files and Directories in IBM QRadar

Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.001 Hidden Files and Directories
Canonical reference
https://attack.mitre.org/techniques/T1564/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name",
  "Command",
  "Parent Process Name",
  CASE
    WHEN "Command" ILIKE '%+h%' THEN 1 ELSE 0
  END AS hidden_attr,
  CASE
    WHEN "Command" ILIKE '%+s%' THEN 1 ELSE 0
  END AS system_attr,
  CASE
    WHEN "Command" ILIKE '%Temp%'
      OR "Command" ILIKE '%AppData%'
      OR "Command" ILIKE '%ProgramData%'
      OR "Command" ILIKE '%Recycle%'
      OR "Command" ILIKE '%Windows%' THEN 1 ELSE 0
  END AS suspicious_target,
  CASE
    WHEN "Parent Process Name" ILIKE '%cmd.exe%'
      OR "Parent Process Name" ILIKE '%powershell.exe%'
      OR "Parent Process Name" ILIKE '%wscript.exe%'
      OR "Parent Process Name" ILIKE '%cscript.exe%' THEN 1 ELSE 0
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    QIDNAME(qid) = 'Process Create'
    OR QIDNAME(qid) LIKE '%EventID 4688%'
    OR QIDNAME(qid) LIKE '%EventID 1%'
  )
  AND "Process Name" ILIKE '%attrib.exe%'
  AND (
    "Command" ILIKE '%+h%'
    OR "Command" ILIKE '%+s%'
    OR "Command" ILIKE '%+r%'
  )
  AND starttime > NOW() - 86400000
HAVING (hidden_attr + system_attr + suspicious_target + suspicious_parent) > 1
ORDER BY starttime DESC
medium severity medium confidence

QRadar AQL detection for attrib.exe invocations that set hidden, system, or read-only file attributes, scored by risk factors including suspicious target paths and parent process lineage. Risk score threshold filters noise from benign administrative use.

Data Sources

Windows Security Event Log (4688)Sysmon Event Log (Event ID 1)QRadar Windows DSM

Required Tables

events

False Positives & Tuning

  • Enterprise software deployment tools (SCCM, Intune) using attrib.exe to hide deployment artifacts during staging
  • Anti-virus or endpoint security products marking their own directories as hidden and system-protected
  • Legitimate scheduled tasks or IT scripts that set attributes on backup or log directories to prevent accidental modification
Download portable Sigma rule (.yml)

Other platforms for T1564.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hide File Using attrib.exe

    Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.

  2. Test 2Hide Directory Using attrib.exe from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.

  3. Test 3Create Hidden File on Linux with Dot Prefix

    Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.

Last updated: 2026-04-21 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.006Run Virtual InstanceT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1547.001Registry Run Keys / Startup FolderT1036MasqueradingT1070.004File DeletionT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections