T1564.001 Microsoft Sentinel · KQL

Detect Hidden Files and Directories in Microsoft Sentinel

Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.001 Hidden Files and Directories
Canonical reference
https://attack.mitre.org/techniques/T1564/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
| where ProcessCommandLine has "+h" or ProcessCommandLine has "+s" or ProcessCommandLine has "+r"
| extend HiddenAttr = ProcessCommandLine has "+h"
| extend SystemAttr = ProcessCommandLine has "+s"
| extend ReadOnly = ProcessCommandLine has "+r"
| extend SuspiciousTarget = ProcessCommandLine has_any ("Temp", "AppData", "ProgramData", "Recycle", "Windows")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         HiddenAttr, SystemAttr, ReadOnly, SuspiciousTarget, SuspiciousParent
| sort by Timestamp desc
union (
  DeviceFileEvents
  | where Timestamp > ago(24h)
  | where ActionType == "FileAttributesModified"
  | where AdditionalFields has "Hidden"
  | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, AdditionalFields
  | sort by Timestamp desc
)
medium severity medium confidence

Detects hidden file/directory creation via attrib.exe on Windows, and file attribute modification events that set the Hidden attribute. Focuses on attrib.exe usage with +h/+s flags against user-writable directories and suspicious parent processes like scripting engines.

Data Sources

Process: Process CreationFile: File ModificationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • System administrators using attrib.exe to hide configuration directories or sensitive files from user view
  • Software installers that mark their data directories as hidden to prevent accidental user modification
  • Windows system processes that legitimately set hidden/system attributes on operating system files and directories
  • Backup software that marks shadow copy-related directories as hidden and system
Download portable Sigma rule (.yml)

Other platforms for T1564.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hide File Using attrib.exe

    Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.

  2. Test 2Hide Directory Using attrib.exe from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.

  3. Test 3Create Hidden File on Linux with Dot Prefix

    Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.

Last updated: 2026-04-21 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.006Run Virtual InstanceT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1547.001Registry Run Keys / Startup FolderT1036MasqueradingT1070.004File DeletionT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections