Hidden Files and Directories via Hidden Flag
Identifies activity in which adversaries add the 'hidden' flag to files to conceal them from the user in an attempt to evade detection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Hidden Files and Directories via Hidden Flag"
risk_score = 21
rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Auditd Manager",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Hidden Files and Directories via Hidden Flag

In Unix-like systems, the 'hidden' flag can be set on files to conceal them from standard directory listings, a feature often exploited by adversaries to obscure malicious files. Attackers may use commands like `chflags` to apply this flag, making detection challenging. The detection rule targets file creation events involving `chflags`, helping identify potential misuse by monitoring for suspicious activity on Linux and macOS systems.

### Possible investigation steps

- Review the alert details to confirm the host operating system is Linux, as specified by the query field `host.os.type == "linux"`.
- Examine the process execution details to verify that the `chflags` command was used, as indicated by `process.name == "chflags"`.
- Investigate the file creation event to identify the specific file or directory that had the 'hidden' flag applied, focusing on the `event.type == "creation"` field.
- Check the user account associated with the `chflags` command execution to determine if it aligns with expected user behavior or if it might indicate unauthorized access.
- Analyze recent system logs and user activity on the affected host to identify any other suspicious behavior or anomalies that could suggest malicious intent.
- Correlate this event with other alerts or indicators of compromise on the same host to assess if this is part of a larger attack pattern or isolated incident.

### False positive analysis

- System maintenance scripts may use the chflags command to manage file visibility for legitimate purposes. Review scheduled tasks and scripts to identify benign uses and create exceptions for these processes.
- Backup and recovery operations might employ the hidden flag to protect critical files from accidental deletion. Verify backup software configurations and exclude these operations from triggering alerts.
- Development environments could use hidden files to manage version control or configuration settings. Collaborate with development teams to understand their workflows and whitelist known development-related activities.
- Security tools and utilities may use the hidden flag as part of their normal operation to protect sensitive files. Identify these tools and add them to an exception list to prevent unnecessary alerts.
- User customization scripts might apply the hidden flag to personalize the user environment. Engage with users to document these customizations and exclude them from detection rules.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.
- Terminate any suspicious processes associated with `chflags` to halt any ongoing attempts to hide files.
- Conduct a thorough review of recently created files and directories on the affected system to identify and assess any hidden files for malicious content.
- Restore any critical files that may have been hidden or altered from known good backups to ensure system integrity.
- Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"

[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
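The following is an added example, not Elastic's code and not part of the rule above. It re-implements the rule's EQL predicate in Python so the query's behaviour can be checked offline against constructed ECS-style events (the event dictionaries, the `backup-agent` parent process and the file paths are all made up for the example), shows the kind of parent-process exception list the false-positive section recommends, and adds a small file-attribute check of the sort the remediation section's file integrity monitoring would perform, using the `UF_HIDDEN` constant from Python's standard `stat` module. The fourth sample event is a macOS host; it is deliberately not matched, because the query's `host.os.type == "linux"` filter excludes it. The flat dotted field names and the `process.parent.name` exception mechanism are assumptions about how events are represented and tuned, not something the rule itself specifies.

```python
"""Added example, not Elastic's code: re-implement the rule's EQL predicate in
Python, run it over constructed ECS-style events, apply a tuning exception of
the kind the false-positive section recommends, and check a file's BSD flag
word for UF_HIDDEN as a file-integrity monitor would."""
import os
import stat
from typing import Dict, Iterable, List, Set, Union

Event = Dict[str, Union[str, List[str]]]

# Constructed sample events using flat ECS field names; not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {   # matches the rule: file creation on linux by chflags, interactive parent
        "event.category": "file", "event.type": ["creation"],
        "host.os.type": "linux", "process.name": "chflags",
        "process.parent.name": "bash", "user.name": "svc-web",
        "file.path": "/var/tmp/.runtime",
    },
    {   # matches the query, but the parent is an allow-listed backup agent
        "event.category": "file", "event.type": ["creation"],
        "host.os.type": "linux", "process.name": "chflags",
        "process.parent.name": "backup-agent", "user.name": "root",
        "file.path": "/srv/backups/.snapshot-lock",
    },
    {   # same process, but event.type is a change rather than a creation
        "event.category": "file", "event.type": ["change"],
        "host.os.type": "linux", "process.name": "chflags",
        "process.parent.name": "bash", "user.name": "svc-web",
        "file.path": "/var/tmp/.runtime",
    },
    {   # macOS host: outside the query's host.os.type filter, so not matched
        "event.category": "file", "event.type": ["creation"],
        "host.os.type": "macos", "process.name": "chflags",
        "process.parent.name": "zsh", "user.name": "dev",
        "file.path": "/Users/dev/.secrets",
    },
]


def _field_equals(event: Event, field: str, value: str) -> bool:
    """EQL '==' against an ECS array field matches if any element equals value."""
    actual = event.get(field)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def rule_matches(event: Event) -> bool:
    """The rule's query: file where host.os.type == "linux" and
    event.type == "creation" and process.name == "chflags".
    In EQL, 'file where' restricts event.category to "file"."""
    return (
        _field_equals(event, "event.category", "file")
        and _field_equals(event, "host.os.type", "linux")
        and _field_equals(event, "event.type", "creation")
        and _field_equals(event, "process.name", "chflags")
    )


def run_rule(events: Iterable[Event], allowed_parents: Set[str] = frozenset()) -> List[Event]:
    """Return alerts, dropping matches whose parent process is on an exception
    list (assumed tuning for the backup/maintenance cases the guide lists)."""
    return [
        e for e in events
        if rule_matches(e) and e.get("process.parent.name") not in allowed_parents
    ]


def triage_fields(alert: Event) -> Dict[str, str]:
    """Pull out the fields the investigation steps ask an analyst to review."""
    return {k: str(alert.get(k, "")) for k in
            ("user.name", "process.parent.name", "file.path", "host.os.type")}


def is_hidden_flag_set(st_flags: int) -> bool:
    """True if the BSD UF_HIDDEN bit (0x8000, honoured by macOS Finder) is set."""
    return bool(st_flags & stat.UF_HIDDEN)


def scan_for_hidden(root: str) -> List[str]:
    """Walk a tree and list entries carrying UF_HIDDEN. st_flags is only present
    on BSD-derived systems; elsewhere lstat has no st_flags and nothing is found."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                flags = getattr(os.lstat(path), "st_flags", 0)
            except OSError:
                continue
            if is_hidden_flag_set(flags):
                found.append(path)
    return found


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, {"backup-agent"}):
        print("ALERT", triage_fields(alert))
    print("hidden entries under cwd:", scan_for_hidden("."))
```

Run as a script, the block prints one alert (the interactive `chflags` invocation) and suppresses the backup-agent match; the change and macOS events never reach the exception stage because the predicate itself rejects them. The `scan_for_hidden` walk only reports results on systems whose `lstat` exposes `st_flags`, which is the same platform limit the flag itself has.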
Related rules
- Base16 or Base32 Encoding/Decoding Activity
- ESXI Timestomping using Touch Command
- Kernel Load or Unload via Kexec Detected
- Potential Disabling of AppArmor
- Potential Disabling of SELinux