Hidden Files and Directories via Hidden Flag

Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/23"
 3integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 6min_stack_version = "8.13.0"
 7updated_date = "2025/01/15"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
13to evade detection.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Hidden Files and Directories via Hidden Flag"
20risk_score = 21
21rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
22severity = "low"
23tags = [
24    "Domain: Endpoint",
25    "OS: Linux",
26    "OS: macOS",
27    "Use Case: Threat Detection",
28    "Tactic: Defense Evasion",
29    "Data Source: Elastic Defend",
30    "Data Source: Elastic Endgame",
31    "Data Source: Auditd Manager",
32    "Data Source: SentinelOne",
33    "Resources: Investigation Guide",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37query = '''
38file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"
39'''
40note = """## Triage and analysis
41
42> **Disclaimer**:
43> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
44
45### Investigating Hidden Files and Directories via Hidden Flag
46
47In Unix-like systems, the 'hidden' flag can be set on files to conceal them from standard directory listings, a feature often exploited by adversaries to obscure malicious files. Attackers may use commands like `chflags` to apply this flag, making detection challenging. The detection rule targets file creation events involving `chflags`, helping identify potential misuse by monitoring for suspicious activity on Linux and macOS systems.
48
49### Possible investigation steps
50
51- Review the alert details to confirm the host operating system is Linux, as specified by the query field `host.os.type == "linux"`.
52- Examine the process execution details to verify that the `chflags` command was used, as indicated by `process.name == "chflags"`.
53- Investigate the file creation event to identify the specific file or directory that had the 'hidden' flag applied, focusing on the `event.type == "creation"` field.
54- Check the user account associated with the `chflags` command execution to determine if it aligns with expected user behavior or if it might indicate unauthorized access.
55- Analyze recent system logs and user activity on the affected host to identify any other suspicious behavior or anomalies that could suggest malicious intent.
56- Correlate this event with other alerts or indicators of compromise on the same host to assess if this is part of a larger attack pattern or isolated incident.
57
58### False positive analysis
59
60- System maintenance scripts may use the chflags command to manage file visibility for legitimate purposes. Review scheduled tasks and scripts to identify benign uses and create exceptions for these processes.
61- Backup and recovery operations might employ the hidden flag to protect critical files from accidental deletion. Verify backup software configurations and exclude these operations from triggering alerts.
62- Development environments could use hidden files to manage version control or configuration settings. Collaborate with development teams to understand their workflows and whitelist known development-related activities.
63- Security tools and utilities may use the hidden flag as part of their normal operation to protect sensitive files. Identify these tools and add them to an exception list to prevent unnecessary alerts.
64- User customization scripts might apply the hidden flag to personalize the user environment. Engage with users to document these customizations and exclude them from detection rules.
65
66### Response and remediation
67
68- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.
69- Terminate any suspicious processes associated with `chflags` to halt any ongoing attempts to hide files.
70- Conduct a thorough review of recently created files and directories on the affected system to identify and assess any hidden files for malicious content.
71- Restore any critical files that may have been hidden or altered from known good backups to ensure system integrity.
72- Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems.
73- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
74- Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future."""
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78
79[[rule.threat.technique]]
80id = "T1564"
81name = "Hide Artifacts"
82reference = "https://attack.mitre.org/techniques/T1564/"
83
84[[rule.threat.technique.subtechnique]]
85id = "T1564.001"
86name = "Hidden Files and Directories"
87reference = "https://attack.mitre.org/techniques/T1564/001/"
88
89[rule.threat.tactic]
90id = "TA0005"
91name = "Defense Evasion"
92reference = "https://attack.mitre.org/tactics/TA0005/"
...
toml

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

In Unix-like systems, the 'hidden' flag can be set on files to conceal them from standard directory listings, a feature often exploited by adversaries to obscure malicious files. Attackers may use commands like chflags to apply this flag, making detection challenging. The detection rule targets file creation events involving chflags, helping identify potential misuse by monitoring for suspicious activity on Linux and macOS systems.

  • Review the alert details to confirm the host operating system is Linux, as specified by the query field host.os.type == "linux".
  • Examine the process execution details to verify that the chflags command was used, as indicated by process.name == "chflags".
  • Investigate the file creation event to identify the specific file or directory that had the 'hidden' flag applied, focusing on the event.type == "creation" field.
  • Check the user account associated with the chflags command execution to determine if it aligns with expected user behavior or if it might indicate unauthorized access.
  • Analyze recent system logs and user activity on the affected host to identify any other suspicious behavior or anomalies that could suggest malicious intent.
  • Correlate this event with other alerts or indicators of compromise on the same host to assess if this is part of a larger attack pattern or isolated incident.
  • System maintenance scripts may use the chflags command to manage file visibility for legitimate purposes. Review scheduled tasks and scripts to identify benign uses and create exceptions for these processes.
  • Backup and recovery operations might employ the hidden flag to protect critical files from accidental deletion. Verify backup software configurations and exclude these operations from triggering alerts.
  • Development environments could use hidden files to manage version control or configuration settings. Collaborate with development teams to understand their workflows and whitelist known development-related activities.
  • Security tools and utilities may use the hidden flag as part of their normal operation to protect sensitive files. Identify these tools and add them to an exception list to prevent unnecessary alerts.
  • User customization scripts might apply the hidden flag to personalize the user environment. Engage with users to document these customizations and exclude them from detection rules.
  • Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.
  • Terminate any suspicious processes associated with chflags to halt any ongoing attempts to hide files.
  • Conduct a thorough review of recently created files and directories on the affected system to identify and assess any hidden files for malicious content.
  • Restore any critical files that may have been hidden or altered from known good backups to ensure system integrity.
  • Implement file integrity monitoring to detect unauthorized changes to file attributes, including the hidden flag, on critical systems.
  • Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
  • Update and enhance endpoint detection and response (EDR) solutions to improve detection capabilities for similar threats in the future.

Related rules

to-top