title: Hidden File System (T1564.005)
id: df00tech-t1564-005
status: experimental
description: "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. Hidden file systems operate outside normal OS file system abstractions — adversaries write raw data to unused disk space, inside volume slack space, inside NTFS extended attributes, or in specially crafted partitions that aren't mounted by the OS. The Equation Group APT, ComRAT v4, Regin rootkit, and BOOTRASH VBR bootkit all use hidden file systems. This technique makes data invisible to standard forensic tools and EDR sensors that operate at the file system API level."
references:
  - https://attack.mitre.org/techniques/T1564/005/
  - https://df00tech.com/detections/T1564.005
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Disk imaging and forensic tools that use raw disk access (dd, FTK Imager, Autopsy) for legitimate forensic analysis"
  - "System administrators using diskpart for legitimate disk partitioning and management operations"
  - "Drive encryption software (BitLocker, VeraCrypt) that accesses raw disk sectors during encryption"
  - "Virtual machine software that uses raw disk access for virtual disk management operations"
level: high
