Detect Hidden File System in Sumo Logic CSE
Adversaries may use a hidden file system to conceal malicious activity from users and security tools. Hidden file systems operate outside normal OS file system abstractions — adversaries write raw data to unused disk space, inside volume slack space, inside NTFS extended attributes, or in specially crafted partitions that aren't mounted by the OS. The Equation Group APT, ComRAT v4, Regin rootkit, and BOOTRASH VBR bootkit all use hidden file systems. This technique makes data invisible to standard forensic tools and EDR sensors that operate at the file system API level.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.005 Hidden File System
- Canonical reference
- https://attack.mitre.org/techniques/T1564/005/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 OR EventID = 4688
| parse field=CommandLine "*" as CmdLine nodrop
| parse field=Image "*\\*" as ImgPath, ProcessName nodrop
| parse field=ParentImage "*\\*" as ParentPath, ParentProcessName nodrop
| where (ProcessName in ("diskpart.exe", "format.com", "bcdedit.exe"))
OR (ProcessName in ("powershell.exe", "cmd.exe") and (CmdLine matches /\\.\PhysicalDrive/ or CmdLine matches /\Device\Harddisk/ or CmdLine matches /Device\\HarddiskVolume/))
| eval RawDiskAccess = if(CmdLine matches /\\.\PhysicalDrive|\/\/\.\\Harddisk|Device\\Harddisk/, 1, 0)
| eval DiskPartOp = if(ProcessName = "diskpart.exe", 1, 0)
| eval BCDModify = if(ProcessName = "bcdedit.exe", 1, 0)
| eval SuspiciousParent = if(ParentProcessName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"), 1, 0)
| eval RiskScore = RawDiskAccess + DiskPartOp + BCDModify + SuspiciousParent
| where RiskScore > 0
| fields _messageTime, host, user, ProcessName, CmdLine, ParentProcessName, RawDiskAccess, DiskPartOp, BCDModify, SuspiciousParent, RiskScore
| sort by RiskScore desc, _messageTime descSumo Logic CSE query correlating Sysmon Event ID 1 and Security Event ID 4688 process creation events to identify hidden file system staging activity — raw physical disk device access, diskpart operations, and BCD store modification — with a composite risk score for triage prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Disk partitioning during automated system builds or recovery operations using diskpart scripts triggered from cmd.exe
- IT infrastructure teams using bcdedit for legitimate boot configuration changes during patch cycles or OS upgrades
- Endpoint security products (EDR agents) performing disk-level scans that generate PhysicalDrive device path references
Other platforms for T1564.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Raw Physical Disk Access via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with PhysicalDrive in command line. Security Event ID 4688. No disk modification occurs — only read access.
- Test 2Diskpart Script Execution
Expected signal: Sysmon Event ID 1: diskpart.exe with /s flag and script path. Security Event ID 4688 for diskpart.exe. Script file creation in Temp (Sysmon EventCode=11).
- Test 3BCDEdit Query for Boot Configuration
Expected signal: Sysmon Event ID 1: bcdedit.exe with /enum flag. Security Event ID 4688. Output shows all boot entries including any hidden or non-standard entries.
References (4)
- https://attack.mitre.org/techniques/T1564/005/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.005/T1564.005.md
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
- https://securelist.com/the-penquin-turla/67962/
Unlock Pro Content
Get the full detection package for T1564.005 including response playbook, investigation guide, and atomic red team tests.