Skip to content

DET0502 Detection Strategy for Hidden Artifacts Across Platforms

Item Value
ID DET0502
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1564 (Hide Artifacts)

Analytics

Windows

AN1384

Abuse of file/registry attributes to hide malicious files, directories, or services. Defender view: detection of attrib.exe setting hidden/system flags, creation of Alternate Data Streams, or registry keys altering file visibility.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Mutable Elements
Field Description
FileExtensions Filter for sensitive file types likely targeted for hiding.
ADSDetection Enable or disable detection of Alternate Data Streams depending on business use.

Linux

AN1385

Hidden file creation using leading ‘.’ or file attribute changes with chattr (immutable/hidden flags). Defender view: detect execution of chattr, lsattr anomalies, and unusual hidden files appearing in system directories.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:EXECVE Execution of chattr to set +i or +a attributes
File Creation (DC0039) auditd:FILE Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)
Mutable Elements
Field Description
DirectoryScope Restrict hidden file detection to privileged system directories.
AttributeFlags Tune for specific chattr flags (+i immutable, +a append-only) most abused for persistence.

macOS

AN1386

Hidden files via ‘chflags hidden’ or Apple-specific attributes, LaunchAgents/LaunchDaemons placed in non-standard hidden directories. Defender view: detect command execution modifying file flags and unusual plist creation in hidden paths.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog Execution of chflags hidden or setfile -a V
File Creation (DC0039) macos:unifiedlog Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories
Mutable Elements
Field Description
HiddenDirectories List of directories monitored for hidden plist or agent placement.

ESXi

AN1387

Abuse of VMFS or ESXi shell to hide datastore files, renaming/moving VMDK or VMX files into hidden directories. Defender view: anomalous ESXi shell commands or file operations obscuring VM artifacts.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:shell mv, rename, or chmod commands moving VM files into hidden directories
File Metadata (DC0059) esxi:syslog Datastore file hidden or renamed unexpectedly
Mutable Elements
Field Description
VMFileScope Restrict to VMDK, VMX, or log files critical for VM operations.

Office Suite

AN1388

Malicious macros or embedded objects hidden within Office documents by renaming streams or using hidden OLE objects. Defender view: detection of hidden macro streams or objects in documents correlated with anomalous execution.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified Detection of hidden macro streams or SetHiddenAttribute actions
Mutable Elements
Field Description
MacroScope Tune detection to specific Office apps and document types where macros are disallowed.