Windows: abuse of file attributes and Explorer registry settings to hide malicious files, directories, or services. Defender view: detect attrib.exe setting the hidden (+h) or system (+s) attribute, creation of NTFS Alternate Data Streams, and registry modifications that stop Explorer from displaying hidden or protected operating-system files.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| FileExtensions | Restrict the attrib.exe rule to sensitive file types likely to be hidden (e.g. executables and scripts). |
| ADSDetection | Enable or disable Alternate Data Stream detection, since some applications write streams legitimately. |
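As an added example (not part of the original page or of the detection strategy it summarises), the three Windows analytics above as a small Python detector run over constructed Sysmon events. The field names follow Sysmon's EventData schema; every value (paths, SID, command lines) is made up. It keys ADS creation off Event ID 11 as the table does; Sysmon's dedicated stream event, Event ID 15 (FileCreateStreamHash), carries a TargetFilename of the same `file:stream` shape, so the same rule applies to it. Zone.Identifier streams (Mark-of-the-Web) are excluded because browsers and mail clients write them constantly, and the registry rule looks for Explorer's Hidden=2 and ShowSuperHidden=0 values, which hide hidden files and protected operating-system files respectively; the severity levels and rule names are my own choices.

```python
"""Detector for hidden-file tradecraft on Windows over constructed Sysmon events."""
import re
from dataclasses import dataclass

# attrib.exe flags of interest: "+h" (hidden) and "+s" (system), space-separated.
ATTRIB_FLAG = re.compile(r"(?<!\S)\+([hs])(?=\s|$)", re.IGNORECASE)
# NTFS Alternate Data Stream path: <drive>:\...\file:stream[:$DATA]
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*\\[^\\:]+:([^\\:]+?)(?::\$DATA)?$")
# Mark-of-the-Web stream written by browsers; noise rather than tradecraft.
BENIGN_STREAMS = {"zone.identifier"}
# Explorer values that suppress display of hidden files / protected OS files.
VISIBILITY_VALUES = {
    "\\Explorer\\Advanced\\Hidden": "DWORD (0x00000002)",           # 2 = do not show hidden files
    "\\Explorer\\Advanced\\ShowSuperHidden": "DWORD (0x00000000)",  # 0 = hide protected OS files
}

# Constructed Sysmon events (not real telemetry); keys follow Sysmon's EventData names.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib.exe +h +s "C:\Users\Public\svchost.exe"'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib -r C:\Users\alice\notes.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\readme.txt:payload.exe"},
    {"EventCode": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier"},
    {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventCode": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
]


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def _attrib_target(cmdline):
    """Target path of an attrib command: the quoted argument, else the last token."""
    m = re.search(r'"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[-1]


def detect(events, file_extensions=(".exe", ".dll", ".ps1", ".bat", ".vbs"), ads_detection=True):
    """Apply the three analytics; file_extensions and ads_detection are the tunables."""
    exts = tuple(e.lower() for e in file_extensions)
    alerts = []
    for ev in events:
        code = ev["EventCode"]
        if code == 1 and ev["Image"].lower().endswith("\\attrib.exe"):
            flags = {f.lower() for f in ATTRIB_FLAG.findall(ev["CommandLine"])}
            if "h" in flags:
                target = _attrib_target(ev["CommandLine"])
                # +h together with +s, or on a sensitive file type, rates higher
                sev = "high" if "s" in flags or target.lower().endswith(exts) else "medium"
                alerts.append(Alert("attrib_hidden_flag", sev, f"{target} +{'+'.join(sorted(flags))}"))
        elif code == 11 and ads_detection:
            m = ADS_PATH.match(ev["TargetFilename"])
            if m and m.group(1).lower() not in BENIGN_STREAMS:
                alerts.append(Alert("ads_created", "high", f"{ev['TargetFilename']} by {ev['Image']}"))
        elif code == 13:
            for suffix, hidden_value in VISIBILITY_VALUES.items():
                if ev["TargetObject"].endswith(suffix) and ev["Details"] == hidden_value:
                    # explorer.exe writes these when a user changes Folder Options; downgrade
                    sev = "low" if ev["Image"].lower().endswith("\\explorer.exe") else "medium"
                    value_name = suffix.rsplit("\\", 1)[-1]
                    alerts.append(Alert("explorer_hidden_files_suppressed", sev,
                                        f"{value_name}={hidden_value} by {ev['Image']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields four alerts: the attrib +h +s on an executable (high), the payload stream on readme.txt (high), Hidden=2 written by reg.exe (medium) and ShowSuperHidden=0 written by explorer.exe (low); the notes.txt attrib -r and the Zone.Identifier stream produce nothing.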
Linux: hidden file creation using a leading '.' in the name, or file attribute changes with chattr (immutable +i, append-only +a). Defender view: detect chattr execution setting +i or +a, lsattr anomalies (attributes present on files that should not carry them), and unexpected dotfiles appearing in system directories.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | Execution of chattr to set +i or +a attributes |
| File Creation (DC0039) | auditd:FILE | Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin) |

| Field | Description |
|---|---|
| DirectoryScope | Restrict hidden-file detection to privileged system directories (e.g. /etc, /var, /usr/bin). |
| AttributeFlags | Tune for the chattr flags most abused for persistence: +i (immutable) and +a (append-only). |
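An added example, not from the page: the Linux analytic as a detector over constructed auditd records. auditd reports a file creation as a PATH record with nametype=CREATE (what the table calls the auditd:FILE channel), and it hex-encodes name and argv values that contain spaces, double quotes or non-printable bytes, so the parser decodes those to avoid missing a dotfile whose name carries a space. The record contents, the rule names and the default DirectoryScope/AttributeFlags values are all mine.

```python
"""Detector for chattr flag abuse and dotfiles in system directories over constructed auditd records."""
import re
from pathlib import PurePosixPath

# key=value tokens; values are either double-quoted or bare.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
ENCODABLE = re.compile(r"name|a\d+")  # fields auditd hex-encodes when "untrusted"

# Constructed records (not real telemetry), in auditd's raw log format.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="chattr" a1="+i" a2="/etc/ld.so.preload"',
    'type=EXECVE msg=audit(1700000000.102:502): argc=4 a0="/usr/bin/chattr" a1="-R" a2="+ia" a3="/var/log/.keep"',
    'type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="chattr" a1="-i" a2="/etc/resolv.conf"',
    'type=EXECVE msg=audit(1700000000.104:504): argc=3 a0="lsattr" a1="-d" a2="/etc"',
    'type=PATH msg=audit(1700000000.105:505): item=1 name="/etc/.ld.so.preload.bak" inode=42 dev=08:01 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1700000000.106:506): item=1 name="/home/alice/.bashrc" inode=43 dev=08:01 '
    'mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1700000000.107:507): item=0 name="/usr/bin/.hidden" inode=44 dev=08:01 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    # hex-encoded name: "/usr/bin/.space name"
    'type=PATH msg=audit(1700000000.108:508): item=1 name=2F7573722F62696E2F2E7370616365206E616D65 inode=45 '
    'dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
]


def parse_record(line):
    """Parse one auditd record into a dict, decoding hex-encoded name/argv values."""
    rec = {}
    for key, raw in KV.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif ENCODABLE.fullmatch(key) and HEX.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            rec[key] = raw
    return rec


def detect(lines, directory_scope=("/etc", "/var", "/usr/bin"), attribute_flags="ia"):
    """Return (rule, audit_id, subject, flags) tuples; the keyword arguments are the tunables."""
    watched = set(attribute_flags)
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "EXECVE":
            argv = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
            if argv and PurePosixPath(argv[0]).name == "chattr":
                flags = set()
                for arg in argv[1:]:
                    # "+i", "+ia" and "=ia" set attributes; "-i" clears them and is out of scope
                    if len(arg) > 1 and arg[0] in "+=":
                        flags |= set(arg[1:]) & watched
                if flags:
                    alerts.append(("chattr_persistence_flag", rec["msg"], " ".join(argv), "".join(sorted(flags))))
        elif rec.get("type") == "PATH" and rec.get("nametype") == "CREATE":
            path = PurePosixPath(rec.get("name", ""))
            parent = str(path.parent)
            # exact directory or a subdirectory of it; "/etc" must not match "/etcetera"
            in_scope = any(parent == d or parent.startswith(d + "/") for d in directory_scope)
            if in_scope and path.name.startswith("."):
                alerts.append(("hidden_file_in_system_dir", rec["msg"], str(path), ""))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Over the sample records this raises four alerts: chattr +i on /etc/ld.so.preload, chattr -R +ia on /var/log/.keep (both watched flags reported), the dotfile created in /etc, and the hex-encoded "/usr/bin/.space name"; the chattr -i, the lsattr call, the dotfile in a home directory and the non-creating PATH record are ignored. Note that clearing +i (chattr -i) before tampering with a protected file is also worth alerting on in practice; it is left out here to match the flags the table names.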
macOS: hidden files via 'chflags hidden' (the UF_HIDDEN flag) or 'SetFile -a V' (the Finder invisible attribute), and LaunchAgents/LaunchDaemons placed in non-standard hidden directories. Defender view: detect command execution that modifies file flags, and unusual plist creation in hidden paths.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | Execution of chflags hidden or SetFile -a V |
| File Creation (DC0039) | macos:unifiedlog | Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories |

| Field | Description |
|---|---|
| HiddenDirectories | List of directories monitored for hidden plist or agent placement. |
ESXi: abuse of the ESXi shell or VMFS datastore layout to hide VM files, for example renaming or moving VMDK or VMX files into hidden (dot-prefixed) directories. Defender view: anomalous ESXi shell commands or datastore file operations that obscure VM artifacts.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:shell | mv or rename commands moving VM files into hidden directories, or chmod restricting access to them |
| File Metadata (DC0059) | esxi:syslog | Datastore file hidden or renamed unexpectedly |

| Field | Description |
|---|---|
| VMFileScope | Restrict to the VMDK, VMX, and log files critical for VM operation. |
Office: malicious macros or embedded objects concealed inside Office documents by renaming OLE storage streams or using hidden OLE objects. Defender view: detection of hidden macro streams or objects in documents, correlated with anomalous execution.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Detection of hidden macro streams or SetHiddenAttribute actions |

| Field | Description |
|---|---|
| MacroScope | Tune detection to the Office applications and document types for which macros are disallowed. |