T1564.005 IBM QRadar · QRadar

Detect Hidden File System in IBM QRadar

Adversaries may use a hidden file system to conceal malicious activity from users and security tools. Hidden file systems operate outside normal OS file system abstractions — adversaries write raw data to unused disk space, inside volume slack space, inside NTFS extended attributes, or in specially crafted partitions that aren't mounted by the OS. The Equation Group APT, ComRAT v4, Regin rootkit, and BOOTRASH VBR bootkit all use hidden file systems. This technique makes data invisible to standard forensic tools and EDR sensors that operate at the file system API level.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.005 Hidden File System
Canonical reference
https://attack.mitre.org/techniques/T1564/005/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS HostIP,
       "username" AS UserName,
       "ProcessName",
       "CommandLine",
       "ParentProcessName",
       CASE WHEN LOWER("CommandLine") LIKE '%\\.\physicaldrive%' OR LOWER("CommandLine") LIKE '%\device\harddisk%' THEN 1 ELSE 0 END AS RawDiskAccess,
       CASE WHEN LOWER("ProcessName") LIKE '%diskpart%' THEN 1 ELSE 0 END AS DiskPartOp,
       CASE WHEN LOWER("ProcessName") LIKE '%bcdedit%' THEN 1 ELSE 0 END AS BCDModify,
       CASE WHEN LOWER("ParentProcessName") LIKE '%cmd.exe%' OR LOWER("ParentProcessName") LIKE '%powershell%' OR LOWER("ParentProcessName") LIKE '%wscript%' OR LOWER("ParentProcessName") LIKE '%cscript%' THEN 1 ELSE 0 END AS SuspiciousParent
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows%'
  AND QIDNAME(qid) ILIKE '%process%'
  AND devicetime > NOW() - 86400000
  AND (
    LOWER("ProcessName") LIKE '%diskpart.exe%'
    OR LOWER("ProcessName") LIKE '%format.com%'
    OR LOWER("ProcessName") LIKE '%bcdedit.exe%'
    OR (LOWER("ProcessName") LIKE '%powershell.exe%' AND (LOWER("CommandLine") LIKE '%\\.\physicaldrive%' OR LOWER("CommandLine") LIKE '%\device\harddisk%'))
    OR (LOWER("ProcessName") LIKE '%cmd.exe%' AND (LOWER("CommandLine") LIKE '%\\.\physicaldrive%' OR LOWER("CommandLine") LIKE '%\device\harddisk%'))
  )
ORDER BY devicetime DESC
LIMIT 500
Severity
high
Confidence
medium

QRadar AQL query detecting hidden file system activity via raw disk management tools (diskpart, format, bcdedit) and physical device path references (\\.\PhysicalDrive, \Device\Harddisk) in cmd.exe or powershell.exe command lines. Each returned event carries four indicator columns (raw disk access, diskpart operation, BCD modification, suspicious parent process) so analysts can triage by how many indicators stack on a single event.

Data Sources

  • QRadar Windows Security Log DSM
  • QRadar Sysmon Log Source
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Authorized disk management performed by domain administrators or storage engineers via scripted diskpart automation
  • Enterprise deployment tools (SCCM, MDT) that invoke bcdedit during OS build sequences from cmd.exe parent processes
  • Security tools performing disk forensics or imaging via raw device path access (FTK Imager, dd for Windows)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Raw Physical Disk Access via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe with PhysicalDrive in command line. Security Event ID 4688. No disk modification occurs — only read access.

  2. Test 2: Diskpart Script Execution

    Expected signal: Sysmon Event ID 1: diskpart.exe with /s flag and script path. Security Event ID 4688 for diskpart.exe. Script file creation in Temp (Sysmon EventCode=11).

  3. Test 3: BCDEdit Query for Boot Configuration

    Expected signal: Sysmon Event ID 1: bcdedit.exe with /enum flag. Security Event ID 4688. Output shows all boot entries including any hidden or non-standard entries.
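The WHERE clause and CASE scoring of the AQL query above, modelled in Python as an added example (this is not the page's or QRadar's own code) and run over constructed process-creation events that mirror Tests 1 to 3, plus one benign event and one upper-case device-path variant. It also shows the check a practitioner should make on the query: because the compared field is wrapped in LOWER(), every LIKE pattern must itself be all-lowercase, and a mixed-case pattern such as '%\\.\PhysicalDrive%' can never match. Field names, file paths, users, IPs and timestamps in the sample events are assumptions.

```python
import re

# Added example: a Python model of the QRadar AQL detection on this page, run over
# constructed process-creation events. Not QRadar code; field names are assumptions.

# LIKE patterns as they should be written in the AQL query. They are all lowercase
# because the query wraps the field in LOWER(); a pattern containing uppercase letters
# is unreachable under LOWER(field) LIKE and silently matches nothing.
RAW_DISK_PATTERNS = ("%\\\\.\\physicaldrive%", "%\\device\\harddisk%")
UNREACHABLE_PATTERN = "%\\\\.\\PhysicalDrive%"  # mixed-case form, kept only for comparison
SUSPICIOUS_PARENTS = ("cmd.exe", "powershell", "wscript", "cscript")

# Constructed events in the shape the query reads (Sysmon EID 1 / Security 4688 fields),
# mirroring Tests 1-3 above, one benign event, and one upper-case device-path variant.
SAMPLE_EVENTS = [
    {"EventTime": "2024-05-01 10:00:00", "HostIP": "10.0.0.5", "UserName": "alice",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"<constructed> \\\\.\\PhysicalDrive0\"",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventTime": "2024-05-01 10:05:00", "HostIP": "10.0.0.5", "UserName": "alice",
     "ProcessName": "C:\\Windows\\System32\\diskpart.exe",
     "CommandLine": "diskpart.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\script.txt",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventTime": "2024-05-01 10:10:00", "HostIP": "10.0.0.5", "UserName": "alice",
     "ProcessName": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit.exe /enum",
     "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventTime": "2024-05-01 10:15:00", "HostIP": "10.0.0.7", "UserName": "bob",
     "ProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"EventTime": "2024-05-01 10:20:00", "HostIP": "10.0.0.9", "UserName": "carol",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo \\Device\\HARDDISK0",
     "ParentProcessName": "C:\\Windows\\System32\\wscript.exe"},
]


def lower_like(value, pattern):
    """Literal model of AQL `LOWER(field) LIKE 'pattern'`: the field is lowercased, the
    pattern is used exactly as written. `%` matches any run of characters, `_` one."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, (value or "").lower(), re.DOTALL) is not None


def pattern_reachable_under_lower(pattern):
    """A LIKE pattern applied to LOWER(field) can only ever match if it has no uppercase."""
    return pattern == pattern.lower()


def raw_disk_reference(command_line):
    """True when the command line names a physical drive or \\Device\\Harddisk path."""
    return any(lower_like(command_line, pat) for pat in RAW_DISK_PATTERNS)


def matches_where(ev):
    """The query's WHERE clause, minus the log-source and time-window predicates."""
    proc, cmd = ev.get("ProcessName", ""), ev.get("CommandLine", "")
    return (lower_like(proc, "%diskpart.exe%")
            or lower_like(proc, "%format.com%")
            or lower_like(proc, "%bcdedit.exe%")
            or ((lower_like(proc, "%powershell.exe%") or lower_like(proc, "%cmd.exe%"))
                and raw_disk_reference(cmd)))


def score_event(ev):
    """The four CASE ... END AS indicator columns the query returns for triage."""
    proc, cmd = ev.get("ProcessName", ""), ev.get("CommandLine", "")
    parent = ev.get("ParentProcessName", "")
    return {
        "RawDiskAccess": int(raw_disk_reference(cmd)),
        "DiskPartOp": int(lower_like(proc, "%diskpart%")),
        "BCDModify": int(lower_like(proc, "%bcdedit%")),
        "SuspiciousParent": int(any(lower_like(parent, f"%{p}%") for p in SUSPICIOUS_PARENTS)),
    }


def run_detection(events, limit=500):
    """SELECT ... WHERE ... ORDER BY devicetime DESC LIMIT 500, over an in-memory list."""
    hits = [{**ev, **score_event(ev)} for ev in events if matches_where(ev)]
    hits.sort(key=lambda h: h["EventTime"], reverse=True)
    return hits[:limit]


def triage_score(hit):
    """Number of indicator columns set on one event; more stacked indicators, higher priority."""
    return hit["RawDiskAccess"] + hit["DiskPartOp"] + hit["BCDModify"] + hit["SuspiciousParent"]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["EventTime"], hit["UserName"], hit["ProcessName"].split("\\")[-1],
              "indicators:", triage_score(hit))
    print("mixed-case pattern reachable under LOWER():",
          pattern_reachable_under_lower(UNREACHABLE_PATTERN))
```

Running the block lists the four matching events (the benign notepad.exe launch is filtered out) and reports that the mixed-case pattern is unreachable. The same check applies when you copy the AQL into a QRadar rule: either keep every LIKE pattern lowercase against a LOWER() field, or drop LOWER() and use ILIKE throughout; mixing the two styles produces a rule that appears to run but never fires on the raw-disk-path branch.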
