T1564.005 Hidden File System Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("diskpart.exe", "format.com", "bcdedit.exe")
| extend DiskpartScript = ProcessCommandLine has_any ("select disk", "select volume", "create partition", "delete partition")
| extend BCDEdit = FileName =~ "bcdedit.exe"
| extend FormatDisk = FileName =~ "format.com"
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         DiskpartScript, BCDEdit, FormatDisk, SuspiciousParent
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("powershell.exe", "cmd.exe")
  | where ProcessCommandLine has_any ("\\Device\\HarddiskVolume", "\\\\.\\PhysicalDrive", "\\\\.\\Harddisk", "CreateFile.*\\\\.\\")
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
  | sort by Timestamp desc
)

high severity low confidence

Data Sources

Process: Process Creation Drive: Drive Access Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Disk imaging and forensic tools that use raw disk access (dd, FTK Imager, Autopsy) for legitimate forensic analysis
System administrators using diskpart for legitimate disk partitioning and management operations
Drive encryption software (BitLocker, VeraCrypt) that accesses raw disk sectors during encryption
Virtual machine software that uses raw disk access for virtual disk management operations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\diskpart.exe" OR Image="*\\format.com" OR Image="*\\bcdedit.exe")
OR (Image="*\\powershell.exe" AND (CommandLine="*\\\\\\.\\PhysicalDrive*" OR CommandLine="*\\\\Device\\\\Harddisk*"))
OR (Image="*\\cmd.exe" AND (CommandLine="*\\.\\PhysicalDrive*" OR CommandLine="*\\Device\\Harddisk*"))
| eval RawDiskAccess=if(match(CommandLine, "(\\\.\\PhysicalDrive|\\\\Device\\\\Harddisk)"), 1, 0)
| eval DiskPartOp=if(match(Image, "diskpart"), 1, 0)
| eval BCDModify=if(match(Image, "bcdedit"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript)\.exe"), 1, 0)
| eval RiskScore=RawDiskAccess + DiskPartOp + BCDModify + SuspiciousParent
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, RawDiskAccess, DiskPartOp, BCDModify, SuspiciousParent, RiskScore
| sort - _time

high severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Disk imaging and forensic tools using raw disk access
Administrators using diskpart for disk management
Drive encryption software accessing raw sectors
Virtual machine software managing virtual disks

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
    process.name in~ ("diskpart.exe", "format.com", "bcdedit.exe") and
    process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")]
  [process where event.type == "start" and
    process.name in~ ("diskpart.exe", "format.com", "bcdedit.exe")]
union
process where event.type == "start" and
  process.name in~ ("powershell.exe", "cmd.exe") and
  process.args : ("*\\\\.\\PhysicalDrive*", "*\\Device\\HarddiskVolume*", "*\\Device\\Harddisk*", "*CreateFile*\\\\.\\*")

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate disk management operations by system administrators using diskpart or format.com in maintenance windows
bcdedit.exe invoked by legitimate backup and recovery software (e.g., Acronis, Veeam, Windows Recovery Environment) modifying BCD store
IT provisioning scripts that automate disk partitioning during OS imaging or bare-metal builds

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS HostIP,
       "username" AS UserName,
       "ProcessName",
       "CommandLine",
       "ParentProcessName",
       CASE WHEN LOWER("CommandLine") LIKE '%\\.\PhysicalDrive%' OR LOWER("CommandLine") LIKE '%\Device\Harddisk%' THEN 1 ELSE 0 END AS RawDiskAccess,
       CASE WHEN LOWER("ProcessName") LIKE '%diskpart%' THEN 1 ELSE 0 END AS DiskPartOp,
       CASE WHEN LOWER("ProcessName") LIKE '%bcdedit%' THEN 1 ELSE 0 END AS BCDModify,
       CASE WHEN LOWER("ParentProcessName") LIKE '%cmd.exe%' OR LOWER("ParentProcessName") LIKE '%powershell%' OR LOWER("ParentProcessName") LIKE '%wscript%' OR LOWER("ParentProcessName") LIKE '%cscript%' THEN 1 ELSE 0 END AS SuspiciousParent
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows%'
  AND QIDNAME(qid) ILIKE '%process%'
  AND devicetime > NOW() - 86400000
  AND (
    LOWER("ProcessName") LIKE '%diskpart.exe%'
    OR LOWER("ProcessName") LIKE '%format.com%'
    OR LOWER("ProcessName") LIKE '%bcdedit.exe%'
    OR (LOWER("ProcessName") LIKE '%powershell.exe%' AND (LOWER("CommandLine") LIKE '%\\.\PhysicalDrive%' OR LOWER("CommandLine") LIKE '%\Device\Harddisk%'))
    OR (LOWER("ProcessName") LIKE '%cmd.exe%' AND (LOWER("CommandLine") LIKE '%\\.\PhysicalDrive%' OR LOWER("CommandLine") LIKE '%\Device\Harddisk%'))
  )
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar Windows Security Log DSM QRadar Sysmon Log Source Microsoft Windows Security Event Log

Required Tables

events

False Positives

Authorized disk management performed by domain administrators or storage engineers via scripted diskpart automation
Enterprise deployment tools (SCCM, MDT) that invoke bcdedit during OS build sequences from cmd.exe parent processes
Security tools performing disk forensics or imaging via raw device path access (FTK Imager, dd for Windows)

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 OR EventID = 4688
| parse field=CommandLine "*" as CmdLine nodrop
| parse field=Image "*\\*" as ImgPath, ProcessName nodrop
| parse field=ParentImage "*\\*" as ParentPath, ParentProcessName nodrop
| where (ProcessName in ("diskpart.exe", "format.com", "bcdedit.exe"))
   OR (ProcessName in ("powershell.exe", "cmd.exe") and (CmdLine matches /\\.\PhysicalDrive/ or CmdLine matches /\Device\Harddisk/ or CmdLine matches /Device\\HarddiskVolume/))
| eval RawDiskAccess = if(CmdLine matches /\\.\PhysicalDrive|\/\/\.\\Harddisk|Device\\Harddisk/, 1, 0)
| eval DiskPartOp = if(ProcessName = "diskpart.exe", 1, 0)
| eval BCDModify = if(ProcessName = "bcdedit.exe", 1, 0)
| eval SuspiciousParent = if(ParentProcessName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"), 1, 0)
| eval RiskScore = RawDiskAccess + DiskPartOp + BCDModify + SuspiciousParent
| where RiskScore > 0
| fields _messageTime, host, user, ProcessName, CmdLine, ParentProcessName, RawDiskAccess, DiskPartOp, BCDModify, SuspiciousParent, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Sysmon App Windows Security Event Log Source Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Disk partitioning during automated system builds or recovery operations using diskpart scripts triggered from cmd.exe
IT infrastructure teams using bcdedit for legitimate boot configuration changes during patch cycles or OS upgrades
Endpoint security products (EDR agents) performing disk-level scans that generate PhysicalDrive device path references

Google Chronicle / SecOps

yaral

rule hidden_file_system_t1564_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects hidden file system creation via raw disk access, diskpart/bcdedit execution from scripting engines, or direct physical device path access (T1564.005)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.005"
    severity = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1564/005/"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Disk manipulation tools launched from scripting engines
      (
        re.regex($e.target.process.file.full_path, `(?i)(diskpart\.exe|format\.com|bcdedit\.exe)$`) and
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe)$`)
      ) or
      // Raw physical disk access via shell processes
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|cmd\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(\\\\.\\PhysicalDrive|\\\\Device\\\\Harddisk|Device\\HarddiskVolume)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM Google Chronicle Endpoint Telemetry Windows Event Forwarding to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Automated disk provisioning and partition management scripts run by IT operations during scheduled maintenance windows
Disaster recovery and backup agents invoking bcdedit or diskpart programmatically from service processes that inherit cmd.exe lineage
Forensic workstation tools that access raw disk device paths for evidence acquisition and are run interactively from PowerShell

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(diskpart\.exe|format\.com|bcdedit\.exe|powershell\.exe|cmd\.exe)/
| CommandLine = /(?i)(\\\.\\PhysicalDrive|\\Device\\Harddisk|Device\\HarddiskVolume|select disk|select volume|create partition|delete partition)/ OR FileName = /(?i)(diskpart\.exe|format\.com|bcdedit\.exe)/
| ParentBaseFileName = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe)/
| eval RawDiskAccess = if(CommandLine = /(\\\.\\PhysicalDrive|\\Device\\Harddisk)/, 1, 0)
| eval DiskPartOp = if(FileName = /(?i)diskpart\.exe/, 1, 0)
| eval BCDModify = if(FileName = /(?i)bcdedit\.exe/, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)(cmd|powershell|wscript|cscript)\.exe/, 1, 0)
| eval RiskScore = RawDiskAccess + DiskPartOp + BCDModify + SuspiciousParent
| where RiskScore > 0
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, RawDiskAccess, DiskPartOp, BCDModify, SuspiciousParent, RiskScore], function=count(as=EventCount))
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection Falcon ProcessRollup2 Events CrowdStrike Humio LogScale

Required Tables

ProcessRollup2

False Positives

Legitimate IT automation using diskpart scripted from cmd.exe or PowerShell for routine disk management and server provisioning
Windows Subsystem for Linux (WSL) or virtualization platforms accessing raw disk devices via PhysicalDrive paths during normal operation
CrowdStrike Real Time Response (RTR) or other EDR response tools that invoke disk utility commands during remote incident response

Hidden File System

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections