Hidden Files and Directories
Detects an adversary creating a hidden file or directory on Linux. The rule looks at auditd EXECVE records in which mkdir, touch, vim, nano or vi is executed with a first or second argument (a1 or a2) that starts with '.' or contains '/.', i.e. a path whose final component is a dotfile or dot-directory.
Sigma rule

title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021-09-06
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0:
            - mkdir
            - touch
            - vim
            - nano
            - vi
    arguments:
        - a1|contains: '/.'
        - a1|startswith: '.'
        - a2|contains: '/.'
        - a2|startswith: '.'
    condition: commands and arguments
falsepositives:
    - Unknown
level: low
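To make the selectors concrete, the following is an added example written for this page (it is not SigmaHQ code, not a Sigma backend, and not the rule author's code): the detection logic transcribed into Python and run over a handful of constructed auditd EXECVE lines. The parser is a minimal reading of the auditd record format, in which argv fields are quoted strings except that auditd hex-encodes any value containing spaces or non-printable bytes and emits it unquoted. The audit serials, paths and commands in the sample log are invented for the example.

```python
# Added example for this page (not SigmaHQ code or a Sigma backend): the rule's
# detection logic transcribed into Python and run over constructed auditd lines.
import re

COMMANDS = {"mkdir", "touch", "vim", "nano", "vi"}  # rule: commands.a0 (exact, case-insensitive)
ARG_FIELDS = ("a1", "a2")                            # rule: arguments (list items are OR'd)

# Constructed auditd EXECVE records; serials and paths are invented for this example.
# Record 1008 carries a1 the way auditd emits a value containing a space:
# unquoted hex, here for "/tmp/.hidden file".
SAMPLE_LOG = """\
type=EXECVE msg=audit(1631000000.101:1001): argc=2 a0="mkdir" a1="/tmp/.cache-backup"
type=EXECVE msg=audit(1631000000.102:1002): argc=2 a0="touch" a1=".bash_history2"
type=EXECVE msg=audit(1631000000.103:1003): argc=3 a0="mkdir" a1="-p" a2="/var/tmp/.x/bin"
type=EXECVE msg=audit(1631000000.104:1004): argc=2 a0="vim" a1="/etc/cron.d/job"
type=EXECVE msg=audit(1631000000.105:1005): argc=2 a0="mkdir" a1="./build"
type=EXECVE msg=audit(1631000000.106:1006): argc=4 a0="mkdir" a1="-m" a2="700" a3="/tmp/.evil"
type=EXECVE msg=audit(1631000000.107:1007): argc=2 a0="/usr/bin/mkdir" a1="/tmp/.evil2"
type=EXECVE msg=audit(1631000000.108:1008): argc=2 a0="touch" a1=2F746D702F2E68696464656E2066696C65
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
# aN="quoted value"  or  aN=HEX  (unquoted hex is how auditd encodes awkward bytes)
ARG_RE = re.compile(r'(?<!\S)(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+)(?=\s|$))')


def parse_execve(line, decode_hex=True):
    """Return {serial, a0, a1, ...} for one EXECVE line, or None for other record types."""
    if not line.startswith("type=EXECVE "):
        return None
    m = SERIAL_RE.search(line)
    ev = {"serial": int(m.group(1)) if m else None}
    for fm in ARG_RE.finditer(line):
        key, quoted, hexval = fm.group(1), fm.group(2), fm.group(3)
        if quoted is not None:
            ev[key] = quoted
        elif decode_hex:
            ev[key] = bytes.fromhex(hexval).decode("utf-8", "replace")
        else:
            ev[key] = hexval  # what a backend sees if nothing interprets the field
    return ev


def rule_matches(ev):
    """Literal transcription of `condition: commands and arguments`."""
    commands = ev.get("a0", "").lower() in COMMANDS
    arguments = any(
        "/." in ev[k] or ev[k].startswith(".")
        for k in ARG_FIELDS if k in ev
    )
    return commands and arguments


def run_rule(log_text, decode_hex=True):
    """Audit serials of the EXECVE records that fire the rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_execve(line, decode_hex)
        if ev is not None and rule_matches(ev):
            hits.append(ev["serial"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_execve(line)
        argv_keys = sorted((k for k in ev if k.startswith("a")), key=lambda k: int(k[1:]))
        argv = " ".join(ev[k] for k in argv_keys)
        print(f"{ev['serial']}  {'HIT ' if rule_matches(ev) else 'miss'}  {argv}")
    print("hex not interpreted:", run_rule(SAMPLE_LOG, decode_hex=False))
```

Run against the sample, records 1001, 1002, 1003, 1005 and 1008 fire. The misses and the one false positive follow directly from the selectors: 1004 has no dot component; 1006 puts the path in a3, which the rule never inspects, so any option that shifts the path past a2 (mkdir -m 700 ..., touch -r ref ...) is not seen; 1007 invokes the binary by full path, and a0 is matched exactly against the bare names. 1005 (mkdir ./build) fires because a relative path starting with './' or '../' satisfies startswith '.', which is the most common benign trigger to expect. Record 1008 fires only when the hex-encoded argument is interpreted before matching (ausearch -i does this; a raw line shipped as-is does not), so check what your collection pipeline delivers to the backend before trusting the rule against paths with spaces.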
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
Related rules
- Displaying Hidden Files Feature Disabled
- Hiding Files with Attrib.exe
- PowerShell Logging Disabled Via Registry Key Tampering
- Registry Persistence via Service in Safe Mode
- Set Suspicious Files as System Files Using Attrib.EXE