Hidden Files and Directories via Hidden Flag
Identify activity where adversaries add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.
# Elastic prebuilt detection rule: flags use of chflags on Linux hosts, which
# can set the 'hidden' attribute on files so they are not shown to the user
# (MITRE ATT&CK T1564.001, Hidden Files and Directories).

[metadata]
creation_date = "2023/08/23"
# Integrations whose event streams this rule is written against.
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/10/18"

[rule]
author = ["Elastic"]
description = """
Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt
to evade detection.
"""
# Start of the query window relative to each rule run; presumably padded past
# the run interval so that late-indexed events are not missed — confirm against
# the rule's interval setting.
from = "now-9m"
# Index patterns searched: Elastic Defend, Endgame, Auditbeat and Auditd Manager data.
index = [
    "logs-endpoint.events.*",
    "endgame-*",
    "auditbeat-*",
    "logs-auditd_manager.auditd-*",
]
language = "eql"
license = "Elastic License v2"
name = "Hidden Files and Directories via Hidden Flag"
# Low risk score / severity: chflags also has legitimate administrative uses,
# so tune on process.parent or file.path before paging on this rule.
risk_score = 21
rule_id = "5124e65f-df97-4471-8dcb-8e3953b3ea97"
severity = "low"
# NOTE(review): "OS: macOS" is listed, but the query below restricts
# host.os.type to "linux", so events from macOS hosts can never match this
# rule as written — confirm whether the tag or the query is the intended one.
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Auditd Manager",
]
# Evaluate the window on ingest time rather than event time so that events
# arriving late are still considered.
timestamp_override = "event.ingested"
type = "eql"
# Matches file "creation" events on Linux attributed to the chflags process.
# Only the process name is checked; the flag value passed to chflags is not
# inspected here.
query = '''
file where host.os.type == "linux" and event.type == "creation" and process.name == "chflags"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
subtechnique = [
    { id = "T1564.001", name = "Hidden Files and Directories", reference = "https://attack.mitre.org/techniques/T1564/001/" },
]

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"