DET0032 Detection Strategy for Hidden Files and Directories

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0032         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1564.001 (Hidden Files and Directories)

Analytics

Windows

AN0091

Suspicious use of attrib.exe or PowerShell commands to set hidden attributes on files/directories. Defender view: processes modifying file attributes to ‘hidden’ or creating files with ADS (alternate data streams).

Log Sources

| Data Component            | Name               | Channel      |
|---------------------------|--------------------|--------------|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1  |
| File Creation (DC0039)    | WinEventLog:Sysmon | EventCode=11 |

Mutable Elements

| Field               | Description                                                                      |
|---------------------|----------------------------------------------------------------------------------|
| MonitoredExtensions | Filter hidden file detection by sensitive file extensions (.exe, .dll, .bat).    |
| ADSMonitoring       | Enable detection of alternate data streams depending on organizational usage.    |
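As an added example that is not part of DET0032 or the ATT&CK project's own content, the following Python applies AN0091 to constructed Sysmon-style events, with MonitoredExtensions and ADSMonitoring exposed as tunables. The field names, the sample events, and the assumption that a stream create shows up in TargetFilename as `path:stream` are my own.

```python
import re
from typing import Optional

# Mutable elements of AN0091, expressed as tunables.
MONITORED_EXTENSIONS = (".exe", ".dll", ".bat")  # MonitoredExtensions
ADS_MONITORING = True                             # ADSMonitoring

# attrib.exe invoked with +h (set hidden); -h (clear hidden) is deliberately not matched.
ATTRIB_HIDDEN = re.compile(r"\battrib(?:\.exe)?\b.*\s\+h\b", re.IGNORECASE)
# PowerShell setting the Hidden attribute via Set-ItemProperty or the .Attributes property.
PS_HIDDEN = re.compile(r"(?:Set-ItemProperty|\.Attributes\s*[+|]?=).*\bHidden\b", re.IGNORECASE)
# Assumption: a stream create is logged as <drive>:\path\file:stream in TargetFilename.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^:\\]+$")


def mentions_monitored_extension(text: str) -> bool:
    return any(ext in text.lower() for ext in MONITORED_EXTENSIONS)


def evaluate(event: dict) -> Optional[str]:
    """Return an alert reason when a Sysmon event matches AN0091, else None."""
    code = event.get("EventCode")
    if code == 1:  # Process Creation (DC0032)
        cmd = event.get("CommandLine", "")
        if (ATTRIB_HIDDEN.search(cmd) or PS_HIDDEN.search(cmd)) and mentions_monitored_extension(cmd):
            return "hidden attribute set on monitored file type"
    elif code == 11 and ADS_MONITORING:  # File Creation (DC0039)
        if ADS_PATH.match(event.get("TargetFilename", "")):
            return "file created inside an alternate data stream"
    return None


def run(events: list) -> list:
    """Apply the analytic to a batch of events; returns (EventCode, User, reason) tuples."""
    return [(e["EventCode"], e.get("User", "?"), r) for e in events if (r := evaluate(e))]


# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\attrib.exe",
     "CommandLine": "attrib +h +s C:\\Users\\bob\\AppData\\Roaming\\update.exe"},
    {"EventCode": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\attrib.exe",
     "CommandLine": "attrib +h C:\\Users\\bob\\Documents\\notes.txt"},  # filtered by extension
    {"EventCode": 1, "User": "CORP\\svc", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"(Get-Item C:\\Temp\\svc.dll).Attributes += 'Hidden'\""},
    {"EventCode": 11, "User": "CORP\\bob", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\report.docx:payload.exe"},
    {"EventCode": 11, "User": "CORP\\bob", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\report.docx"},  # ordinary file, no stream
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Running it yields three hits: the attrib on update.exe, the PowerShell attribute change on svc.dll, and the ADS create; the notes.txt case is dropped by the MonitoredExtensions filter.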

Linux

AN0092

Creation of files or directories with a leading ‘.’ in privileged directories (/etc, /var, /usr/bin). Defender view: monitoring auditd logs for file creations where name begins with ‘.’ and correlated with unusual user/process context.

Log Sources

| Data Component            | Name          | Channel                                             |
|---------------------------|---------------|-----------------------------------------------------|
| File Creation (DC0039)    | auditd:FILE   | File creation with name starting with ‘.’           |
| Command Execution (DC0064)| auditd:EXECVE | Use of mv or cp to rename files with ‘.’ prefix     |

Mutable Elements

| Field          | Description                                                                                  |
|----------------|----------------------------------------------------------------------------------------------|
| DirectoryScope | Restrict detection to critical directories to avoid noise from benign hidden files like .ssh or .config. |

macOS

AN0093

Use of chflags hidden or SetFile -a V commands to hide files, or creation of hidden files with leading ‘.’. Defender view: monitoring process execution and file metadata changes setting UF_HIDDEN attribute.

Log Sources

| Data Component             | Name             | Channel                                        |
|----------------------------|------------------|------------------------------------------------|
| Command Execution (DC0064) | macos:unifiedlog | Execution of chflags hidden or SetFile -a V    |
| File Metadata (DC0059)     | macos:unifiedlog | File metadata updated with UF_HIDDEN flag      |

Mutable Elements

| Field                | Description                                                                   |
|----------------------|-------------------------------------------------------------------------------|
| HiddenAttributeScope | Restrict detection to non-standard directories where hidden flags are unexpected. |