Detect Hidden Files and Directories in Sumo Logic CSE
Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories prefixed with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.001 Hidden Files and Directories
- Canonical reference
- https://attack.mitre.org/techniques/T1564/001/
Sumo Detection Query
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("1", "4688")
| where Image matches "*\\attrib.exe" OR process_name matches "*\\attrib.exe"
| where CommandLine matches "+h" OR CommandLine matches "+s" OR CommandLine matches "+r"
| eval HiddenAttr = if(CommandLine matches "*+h*", 1, 0)
| eval SystemAttr = if(CommandLine matches "*+s*", 1, 0)
| eval SuspiciousTarget = if(
CommandLine matches "*Temp*"
OR CommandLine matches "*AppData*"
OR CommandLine matches "*ProgramData*"
OR CommandLine matches "*Recycle*"
OR CommandLine matches "*Windows*", 1, 0)
| eval SuspiciousParent = if(
ParentImage matches "*cmd.exe*"
OR ParentImage matches "*powershell.exe*"
OR ParentImage matches "*wscript.exe*"
OR ParentImage matches "*cscript.exe*", 1, 0)
| eval RiskScore = HiddenAttr + SystemAttr + SuspiciousTarget + SuspiciousParent
| where RiskScore > 1
| fields _messageTime, Computer, User, CommandLine, ParentImage, HiddenAttr, SystemAttr, SuspiciousTarget, SuspiciousParent, RiskScore
| sort by _messageTime descSumo Logic detection for T1564.001 that monitors attrib.exe process creation events from Sysmon or Windows Security logs, computing a risk score based on hidden/system attribute flags, suspicious target paths, and suspicious parent process lineage to reduce false positives.
Data Sources
Required Tables
False Positives & Tuning
- Application installers (e.g., Adobe, Microsoft Office) hiding licensing or activation files in AppData or ProgramData during installation
- IT management agents (e.g., SolarWinds, ManageEngine) setting hidden attributes on their working directories
- Developer tools or IDEs caching build artifacts in hidden directories under AppData or Temp
Other platforms for T1564.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hide File Using attrib.exe
Expected signal: Sysmon Event ID 1: attrib.exe with +h +s and Temp path. Security Event ID 4688. Sysmon Event ID 2 (File Time Changed) or file attribute modification event for the hidden file.
- Test 2Hide Directory Using attrib.exe from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe then attrib.exe with +h +s AppData path. SuspiciousParent and SuspiciousTarget both fire. Directory creation event (Sysmon EventCode=11) for the staging directory.
- Test 3Create Hidden File on Linux with Dot Prefix
Expected signal: Linux audit log: file creation event for /tmp/.hidden_payload.sh. Syslog: if auditd is configured with file watch on /tmp, the create and chmod events will appear. The file does not appear in 'ls /tmp' without -a flag.
References (4)
- https://attack.mitre.org/techniques/T1564/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1564.001 including response playbook, investigation guide, and atomic red team tests.