Creation of Hidden Files and Directories
editCreation of Hidden Files and Directoriesedit
Users can mark specific files as hidden simply by adding a .
as the first
character in the file or folder name. Adversaries can use this to their
advantage to hide files and folders on the system for persistence and defense
evasion. This rule looks for hidden files or folders in common writable
directories.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 33
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Defense Evasion
Version: 5 (version history)
Added (Elastic Stack release): 7.9.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editCertain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.
Rule query
editevent.category:process AND event.type:(start or process_started) AND process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND NOT process.name:(ls or find)
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Hide Artifacts
- ID: T1564
- Reference URL: https://attack.mitre.org/techniques/T1564/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Rule version historyedit
- Version 5 (7.11.2 release)
-
- Formatting only
- Version 4 (7.11.0 release)
-
- Formatting only
- Version 3 (7.10.0 release)
-
- Formatting only
- Version 2 (7.9.1 release)
-
- Formatting only