Suspicious use of attrib.exe or PowerShell commands to set hidden attributes on files/directories. Defender view: processes modifying file attributes to 'hidden' or creating files with ADS (alternate data streams).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| MonitoredExtensions | Filter hidden file detection by sensitive file extensions (.exe, .dll, .bat). |
| ADSMonitoring | Enable detection of alternate data streams depending on organizational usage. |
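The Windows analytic above, worked through as an added example (this is not code from the page or from the ATT&CK project). It runs the two rules over constructed Sysmon EventCode 1 and 11 events: an attrib.exe or PowerShell process that sets the hidden attribute on a file whose extension is in MonitoredExtensions, and a file creation whose TargetFilename carries an alternate data stream when ADSMonitoring is on. The event field names follow Sysmon's schema; the rule names, the default tunable values and the Zone.Identifier allowlist are assumptions made for the example.

```python
import ntpath
import re

# Tunables named after the page's fields; these defaults are constructed for the example.
MONITORED_EXTENSIONS = {".exe", ".dll", ".bat"}
ADS_MONITORING = True
# Streams Windows writes routinely on downloads; treated as benign here (assumed allowlist).
BENIGN_STREAMS = {"zone.identifier"}

# Matches "C:\dir\file.ext:stream", i.e. a file created with an alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:(?P<stream>[^\\:]+)$")
# Pulls Windows paths out of a command line so the extension filter can be applied.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")

# Constructed sample Sysmon events (EventCode 1 = process creation, 11 = file creation).
SAMPLE_EVENTS = [
    {"EventCode": 1, "User": "CORP\\alice", "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h +s C:\Users\Public\svc.exe"},
    {"EventCode": 1, "User": "CORP\\alice", "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib -r C:\Users\alice\notes.txt"},
    {"EventCode": 1, "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Set-ItemProperty C:\Temp\run.bat -Name Attributes -Value Hidden"'},
    {"EventCode": 11, "User": "CORP\\bob", "Image": r"C:\Users\bob\tool.exe",
     "TargetFilename": r"C:\Users\bob\report.docx:payload.exe"},
    {"EventCode": 11, "User": "CORP\\bob", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\report.docx:Zone.Identifier"},
    {"EventCode": 11, "User": "CORP\\bob", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\report.docx"},
]


def _monitored(path, monitored):
    """True when the file's extension is in the monitored set (an empty set means everything)."""
    return not monitored or ntpath.splitext(path)[1].lower() in monitored


def detect(events, monitored=MONITORED_EXTENSIONS, ads_monitoring=ADS_MONITORING):
    """Return (rule, user, target) tuples for events that match the hidden-file analytics."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if ev["EventCode"] == 1:
            cmd = ev.get("CommandLine", "")
            targets = [p for p in PATH_RE.findall(cmd) if _monitored(p, monitored)]
            # attrib.exe with the +h switch sets the hidden attribute.
            if image == "attrib.exe" and re.search(r"(^|\s)\+h\b", cmd, re.I):
                alerts += [("attrib_hidden", ev["User"], t) for t in targets]
            # PowerShell setting the Attributes property to Hidden (pattern is an assumption).
            elif image in ("powershell.exe", "pwsh.exe") and re.search(r"attributes", cmd, re.I) \
                    and re.search(r"\bhidden\b", cmd, re.I):
                alerts += [("powershell_hidden", ev["User"], t) for t in targets]
        elif ev["EventCode"] == 11 and ads_monitoring:
            m = ADS_RE.match(ev.get("TargetFilename", ""))
            if m and m.group("stream").lower() not in BENIGN_STREAMS:
                alerts.append(("ads_create", ev["User"], ev["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Narrowing MonitoredExtensions (for example to only .dll) silences the two attribute-setting hits and leaves the ADS creation, which is the trade-off the tunable exists for; setting ADSMonitoring to False drops the stream rule entirely for environments where stream writes are routine.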
Creation of files or directories with a leading '.' in privileged directories (/etc, /var, /usr/bin). Defender view: monitoring auditd logs for file creations where the name begins with '.' and correlating them with unusual user/process context.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | auditd:FILE | File creation with name starting with '.' |
| Command Execution (DC0064) | auditd:EXECVE | Use of mv or cp to rename files with '.' prefix |

| Field | Description |
|---|---|
| DirectoryScope | Restrict detection to critical directories to avoid noise from benign hidden files like .ssh or .config. |
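The Linux analytic above as an added example (not code from the page or from the ATT&CK project). It parses constructed raw auditd records, ties each PATH or EXECVE record to its SYSCALL record through the event serial so the alert carries the uid and comm context the page asks for, and applies the DirectoryScope tunable. The record layout follows auditd's key=value format; the rule names, the default scope list and the sample events are assumptions.

```python
import posixpath
import re
from collections import defaultdict

# DirectoryScope tunable from the page; the default list is constructed for the example.
DIRECTORY_SCOPE = ("/etc", "/var", "/usr/bin")
RENAME_TOOLS = {"mv", "cp"}

# Constructed auditd records. The serial after the ':' in msg=audit(...) links the SYSCALL
# record (who ran what) to the PATH or EXECVE record (which file was touched).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=2231 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="hidden_files"
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/.cache_tmp" inode=1310 nametype=CREATE
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=3 pid=2232 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="hidden_files"
type=PATH msg=audit(1700000000.102:502): item=1 name="/home/alice/.config" inode=1311 nametype=CREATE
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 pid=2233 auid=1000 uid=0 comm="mv" exe="/usr/bin/mv" key="hidden_files"
type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="mv" a1="/tmp/helper" a2="/usr/bin/.helper"
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 pid=2234 auid=1000 uid=1000 comm="cp" exe="/usr/bin/cp" key="hidden_files"
type=EXECVE msg=audit(1700000000.104:504): argc=3 a0="cp" a1="/etc/hosts" a2="/tmp/hosts.bak"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_records(text):
    """Group raw auditd lines by event serial; each record becomes a {field: value} dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        serial = SERIAL_RE.search(line).group(1)
        events[serial].append(fields)
    return events


def in_scope(path, scope=DIRECTORY_SCOPE):
    """True when the file's parent directory is a monitored directory or lies below one."""
    parent = posixpath.dirname(path)
    return any(parent == d or parent.startswith(d + "/") for d in scope)


def detect(text, scope=DIRECTORY_SCOPE):
    """Return (serial, rule, uid, comm, path) tuples for dot-prefixed names created in scope."""
    alerts = []
    for serial, records in parse_records(text).items():
        by_type = {r["type"]: r for r in records}
        who = by_type.get("SYSCALL", {})
        rule = path = None
        # Rule 1: a file-creation PATH record whose name starts with '.'.
        if by_type.get("PATH", {}).get("nametype") == "CREATE":
            rule, path = "dotfile_create", by_type["PATH"]["name"]
        # Rule 2: mv/cp whose destination operand (the last argument) starts with '.'.
        elif by_type.get("EXECVE", {}).get("a0") in RENAME_TOOLS:
            ex = by_type["EXECVE"]
            rule, path = "dotfile_rename", ex["a%d" % (int(ex["argc"]) - 1)]
        if path and posixpath.basename(path).startswith(".") and in_scope(path, scope):
            alerts.append((serial, rule, who.get("uid"), who.get("comm"), path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

With the default scope the .config directory created under /home/alice is ignored, which is the noise case the page calls out; widening the scope to /home brings it back, so the tunable is where the balance between coverage and false positives is set.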
Use of chflags hidden or SetFile -a V commands to hide files, or creation of hidden files with a leading '.'. Defender view: monitoring process execution and file metadata changes that set the UF_HIDDEN attribute.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | Execution of chflags hidden or SetFile -a V |
| File Metadata (DC0059) | macos:unifiedlog | File metadata updated with UF_HIDDEN flag |

| Field | Description |
|---|---|
| HiddenAttributeScope | Restrict detection to non-standard directories where hidden flags are unexpected. |
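The macOS command-execution analytic above as an added example (not code from the page or from the ATT&CK project). It matches chflags invocations whose flag list contains hidden (including -R and comma-separated lists, but not nohidden) and SetFile calls whose -a attribute string contains uppercase V, then applies HiddenAttributeScope, interpreted here as the directory prefixes in which a hidden flag is unexpected. The log lines are constructed in a simplified "timestamp process[pid]: message" shape that stands in for unified-log output; the real log show format has more columns, and the default scope list and rule names are assumptions.

```python
import re

# HiddenAttributeScope tunable from the page, modelled as directory prefixes to monitor
# (constructed defaults; system locations are deliberately left out).
HIDDEN_ATTRIBUTE_SCOPE = ("/Users", "/tmp", "/Library/LaunchAgents")

# Constructed log lines; the format is a simplification of unified-log output.
SAMPLE_LOG = """\
2024-01-15 10:22:03 zsh[512]: exec: chflags hidden /Users/bob/Library/.helper
2024-01-15 10:22:09 zsh[512]: exec: SetFile -a V /tmp/.cache/run.sh
2024-01-15 10:23:01 installer[777]: exec: chflags hidden /System/Library/CoreServices/cache.db
2024-01-15 10:23:30 zsh[512]: exec: chflags nohidden /Users/bob/Documents/report.pdf
2024-01-15 10:24:02 zsh[512]: exec: SetFile -a v /Users/bob/Documents/report.pdf
2024-01-15 10:25:15 sh[901]: exec: chflags -R hidden,uchg /Users/bob/.tools
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# chflags [-options] <flags> <target>; flags may be a comma-separated list.
CHFLAGS_RE = re.compile(r"\bchflags\s+(?:-\w+\s+)*(?P<flags>[\w,]+)\s+(?P<target>\S+)")
# SetFile -a <attrs> <target>; uppercase V sets the invisible bit, lowercase v clears it.
SETFILE_RE = re.compile(r"\bSetFile\s+-a\s+(?P<attrs>[A-Za-z]+)\s+(?P<target>\S+)")


def in_scope(path, scope=HIDDEN_ATTRIBUTE_SCOPE):
    """True when the target lies under one of the monitored directory prefixes."""
    return any(path == d or path.startswith(d + "/") for d in scope)


def hidden_target(msg):
    """Return (tool, target) when the message sets a hidden flag, else None."""
    m = CHFLAGS_RE.search(msg)
    if m and "hidden" in m.group("flags").lower().split(","):
        return "chflags", m.group("target")
    m = SETFILE_RE.search(msg)
    if m and "V" in m.group("attrs"):
        return "SetFile", m.group("target")
    return None


def detect(text, scope=HIDDEN_ATTRIBUTE_SCOPE):
    """Return (timestamp, process, tool, target) tuples for hidden-flag commands in scope."""
    alerts = []
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if not lm:
            continue
        hit = hidden_target(lm.group("msg"))
        if hit and in_scope(hit[1], scope):
            alerts.append((lm.group("ts"), lm.group("proc"), hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The installer's chflags on a path under /System is dropped by the default scope, while the same command against a user directory alerts; flipping the scope to /System shows that the tunable, not the matcher, decides which of the two is reported.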