Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Sigma rule (View on GitHub)
1title: Use Of Hidden Paths Or Files
2id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
3related:
4 - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
5 type: similar
6status: test
7description: Detects calls to hidden files or files located in hidden directories in NIX systems.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
10author: David Burkett, @signalblur
11date: 2022-12-30
12tags:
13 - attack.defense-evasion
14 - attack.t1574.001
15logsource:
16 product: linux
17 service: auditd
18detection:
19 selection:
20 type: 'PATH'
21 name|contains: '/.'
22 filter:
23 name|contains:
24 - '/.cache/'
25 - '/.config/'
26 - '/.pyenv/'
27 - '/.rustup/toolchains'
28 condition: selection and not filter
29falsepositives:
30 - Unknown
31level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Creation Of Non-Existent System DLL
- Creation of an WerFault.exe in Unusual Folder
- DLL Sideloading Of ShellChromeAPI.DLL
- Fax Service DLL Search Order Hijack
- HackTool - Powerup Write Hijack DLL