EXPLORE
Sign In
← Back to Explore
T1564.001

Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>di...

LinuxWindowsmacOS
23
Detections
3
Sources
12
Threat Actors

BY SOURCE

15elastic7sigma1splunk_escu

PROCEDURES (12)

Registry4 detections

Auto-extracted: 4 detections for registry

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Unusual2 detections

Auto-extracted: 2 detections for unusual

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Evasion2 detections

Auto-extracted: 2 detections for evasion

Persist2 detections

Auto-extracted: 2 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Persist1 detections

Auto-extracted: 1 detections for persist

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Evasion1 detections

Auto-extracted: 1 detections for evasion

THREAT ACTORS (12)

APT28APT32FIN13FIN7HAFNIUMLazarus GroupLuminousMothMustang PandaRedCurlRockeTransparent TribeTropic Trooper

DETECTIONS (23)

Adding Hidden File Attribute via Attrib
elasticlow
Creation of Hidden Files and Directories via CommandLine
elasticlow
Creation of Hidden Launch Agent or Daemon
elasticmedium
Creation of Hidden Shared Object File
elasticmedium
Directory Creation in /bin directory
elasticlow
Disable Show Hidden Files
splunk_escu
Displaying Hidden Files Feature Disabled
sigmamedium
File Creation in /var/log via Suspicious Process
elasticmedium
Hidden Directory Creation via Unusual Parent
elasticlow
Hidden Files and Directories
sigmalow
Hidden Files and Directories via Hidden Flag
elasticmedium
Hiding Files with Attrib.exe
sigmamedium
High Number of Egress Network Connections from Unusual Executable
elasticmedium
Kill Command Execution
elasticlow
Persistence via a Hidden Plist Filename
elastichigh
Potential Hidden Process via Mount Hidepid
elastichigh
Potential Kubectl Masquerading via Unexpected Process
elasticmedium
PowerShell Logging Disabled Via Registry Key Tampering
sigmahigh
Registry Persistence via Service in Safe Mode
sigmahigh
Set Suspicious Files as System Files Using Attrib.EXE
sigmahigh
Suspicious Hidden Child Process of Launchd
elasticmedium
Suspicious Process Execution Detected via Defend for Containers
elastichigh
Use Icacls to Hide File to Everyone
sigmamedium