Hidden Files and Directories
Detects an adversary creating a hidden file or directory, by looking for file or directory names whose first character is a dot (.)
Sigma rule
title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021-09-06
modified: 2025-06-16
tags:
    - attack.defense-evasion
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    selection_commands:
        type: 'EXECVE'
        a0:
            - 'mkdir'
            - 'nano'
            - 'touch'
            - 'vi'
            - 'vim'
    selection_arguments:
        - a1|re: '(^|\/)\.[^.\/]'
        - a2|re: '(^|\/)\.[^.\/]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
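A plain-Python re-implementation of the rule's matching logic, added here as an illustration (it is not SigmaHQ code or the rule author's work), run over constructed auditd EXECVE records to show which argument shapes the regex catches and which it deliberately ignores:

```python
import re
from typing import List, Optional, Tuple

# Rule components transcribed from the Sigma rule above.
WATCHED_COMMANDS = {"mkdir", "nano", "touch", "vi", "vim"}
HIDDEN_PATH_RE = re.compile(r"(^|/)\.[^./]")   # dot at start of a path component, but not "." or ".."
CHECKED_ARGS = ("a1", "a2")                      # the rule inspects only these two argv slots

# key=value tokens of an auditd record; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_auditd_record(line: str) -> dict:
    """Split one auditd line into a field -> value dict, stripping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def hidden_file_alert(line: str) -> Optional[str]:
    """Apply selection_commands AND selection_arguments; return the matching argument or None."""
    rec = parse_auditd_record(line)
    if rec.get("type") != "EXECVE" or rec.get("a0") not in WATCHED_COMMANDS:
        return None
    for arg in CHECKED_ARGS:
        value = rec.get(arg)
        if value is not None and HIDDEN_PATH_RE.search(value):
            return value
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, offending argument) for every record the rule would flag."""
    hits = []
    for index, line in enumerate(lines):
        hit = hidden_file_alert(line)
        if hit is not None:
            hits.append((index, hit))
    return hits


# Constructed sample records (not real logs; timestamps and serials are made up).
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1631000000.101:101): argc=2 a0="touch" a1=".bashrc_backup"',   # hidden file -> alert
    'type=EXECVE msg=audit(1631000000.102:102): argc=3 a0="mkdir" a1="-p" a2="/tmp/.cache"',  # hidden dir via a2 -> alert
    'type=EXECVE msg=audit(1631000000.103:103): argc=2 a0="vim" a1="notes.txt"',           # ordinary name
    'type=EXECVE msg=audit(1631000000.104:104): argc=2 a0="mkdir" a1="./build"',           # "./" is excluded by [^./]
    'type=EXECVE msg=audit(1631000000.105:105): argc=2 a0="ls" a1=".ssh"',                 # a0 not in the watched list
    'type=EXECVE msg=audit(1631000000.106:106): argc=2 a0="touch" a1="../shared"',         # ".." is excluded by [^./]
]
```

Because the rule only inspects a1 and a2, a dot-prefixed path given as a third or later argument is not flagged; auditd also hex-encodes arguments containing spaces or non-printable characters, which this simple parser does not decode.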
Related rules
- Displaying Hidden Files Feature Disabled
- Registry Persistence via Service in Safe Mode
- Hiding Files with Attrib.exe
- PowerShell Logging Disabled Via Registry Key Tampering
- Set Suspicious Files as System Files Using Attrib.EXE