title: Hidden Files and Directories (T1564.001)
id: df00tech-t1564-001
status: experimental
description: "Adversaries may set files and directories to be hidden to evade detection mechanisms. On Windows, the attrib command can set the hidden (+h) and system (+s) attributes on files and directories. On Linux/macOS, files and directories whose names begin with a period (.) are hidden by convention. Adversaries use these techniques to hide malware, persistence mechanisms, and staging directories from casual file system inspection. Malware families and threat actors including QakBot, APT28, RedCurl, and XCSSET use hidden file/directory techniques for persistence and evasion."
references:
  - https://attack.mitre.org/techniques/T1564/001/
  - https://df00tech.com/detections/T1564.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is derived from the description: attrib.exe invoked with the
  # hidden (+h) or system (+s) attribute. A wildcard EventID would match every process creation.
  selection_img:
    Image|endswith: '\attrib.exe'
  selection_args:
    CommandLine|contains:
      - '+h'
      - '+s'
  condition: selection_img and selection_args
falsepositives:
  - System administrators using attrib.exe to hide configuration directories or sensitive files from user view
  - Software installers that mark their data directories as hidden to prevent accidental user modification
  - Windows system processes that legitimately set hidden/system attributes on operating system files and directories
  - Backup software that marks shadow copy-related directories as hidden and system
level: medium
