Creation of Hidden Files and Directories via CommandLine

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic DefendLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Hide Artifacts (T1564)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

False Positive Examples

Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.process*

Related Integrations

endpoint(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in (
  "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
  "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump"
)