Creation of Hidden Files and Directories via CommandLine

Last updated a month ago on 2024-10-17

Created 5 years ago on 2020-04-29

About

Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic Defend

Severity

medium

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Hide Artifacts (T1564)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

False Positive Examples

Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
not process.name in (
  "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
  "command-not-found"
)

Install detection rules in Elastic Security

Detect Creation of Hidden Files and Directories via CommandLine in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).