Hidden Files and Directories

Detects an adversary creating a hidden file or directory by looking for file or directory names whose first character is `.`

Sigma rule

```yaml
title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021/09/06
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0:
            - mkdir
            - touch
            - vim
            - nano
            - vi
    arguments:
        - a1|contains: '/.'
        - a1|startswith: '.'
        - a2|contains: '/.'
        - a2|startswith: '.'
    condition: commands and arguments
falsepositives:
    - Unknown
level: low
```
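To show how the `commands and arguments` condition is evaluated, here is an added Python example (not code from the Sigma project) that parses constructed auditd EXECVE records and applies the rule's `a0`/`a1`/`a2` selection. The last sample record puts the hidden path in `a3`, which the rule as written never inspects, so it is not matched.

```python
import re
from typing import Dict, List

# Constructed sample auditd EXECVE records (not taken from the page); the field
# layout follows auditd's EXECVE format: type=EXECVE msg=audit(...) argc=N a0=".." a1=".."
SAMPLE_LOG = """
type=EXECVE msg=audit(1631000000.101:201): argc=2 a0="mkdir" a1="/tmp/.cache"
type=EXECVE msg=audit(1631000000.102:202): argc=2 a0="touch" a1=".profile_backup"
type=EXECVE msg=audit(1631000000.103:203): argc=3 a0="mkdir" a1="-p" a2="/var/tmp/.x"
type=EXECVE msg=audit(1631000000.104:204): argc=2 a0="mkdir" a1="/tmp/visible"
type=EXECVE msg=audit(1631000000.105:205): argc=2 a0="cp" a1="/tmp/.cache"
type=EXECVE msg=audit(1631000000.106:206): argc=4 a0="mkdir" a1="-p" a2="-v" a3="/tmp/.deep"
"""

EDITORS_AND_CREATORS = {"mkdir", "touch", "vim", "nano", "vi"}  # the rule's a0 list
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_execve(line: str) -> Dict[str, str]:
    """Turn one auditd EXECVE line into a dict of key -> value (quotes stripped)."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

def hidden_path(arg: str) -> bool:
    """The rule's 'arguments' selection: argument contains '/.' or starts with '.'."""
    return "/." in arg or arg.startswith(".")

def rule_matches(fields: Dict[str, str]) -> bool:
    """condition: commands and arguments, checking only a1 and a2 exactly as the rule does."""
    if fields.get("type") != "EXECVE" or fields.get("a0") not in EDITORS_AND_CREATORS:
        return False
    return any(hidden_path(fields[k]) for k in ("a1", "a2") if k in fields)

def matching_event_ids(log: str) -> List[str]:
    """Return the audit serial number (after the colon in msg=audit(...)) of each matching record."""
    hits = []
    for line in log.strip().splitlines():
        fields = parse_execve(line)
        if rule_matches(fields):
            hits.append(fields["msg"].split(":")[1].rstrip(")"))
    return hits
```

Running `matching_event_ids(SAMPLE_LOG)` returns the serials 201, 202 and 203; record 206 is missed because its hidden path sits in `a3`, a gap a deployment can close by extending the `arguments` selection to further argument fields.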
