Detect Hidden Files and Directories in Splunk
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.001 Hidden Files and Directories
- Canonical reference
- https://attack.mitre.org/techniques/T1564/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\attrib.exe"
| eval HiddenAttr=if(match(CommandLine, "\+h"), 1, 0)
| eval SystemAttr=if(match(CommandLine, "\+s"), 1, 0)
| eval SuspiciousTarget=if(match(CommandLine, "(Temp|AppData|ProgramData|Recycle|Windows\\System)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript)\.exe"), 1, 0)
| eval RiskScore=HiddenAttr + SystemAttr + SuspiciousTarget + SuspiciousParent
| where RiskScore > 1
| table _time, host, User, CommandLine, ParentImage, HiddenAttr, SystemAttr, SuspiciousTarget, SuspiciousParent, RiskScore
| sort - _timeDetects attrib.exe setting hidden and system attributes on Windows using Sysmon Event ID 1. Requires risk score > 1 to reduce noise from legitimate system operations. Combination of hidden attribute with suspicious paths or scripting parents is highly suspicious.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators using attrib.exe for legitimate file management
- Software installers marking data directories as hidden
- Windows system processes setting hidden/system attributes on OS files
- Backup software operations on shadow copy directories
Other platforms for T1564.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using attrib.exe
Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.
- Test 2Hide Directory Using attrib.exe from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.
- Test 3Create Hidden File on Linux with Dot Prefix
Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.
References (4)
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.