Detectionlowtest

Use Of Hidden Paths Or Files

Detects calls to hidden files or files located in hidden directories in NIX systems.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

David BurkettCreated Fri Dec 309e1bef8d-0fff-46f6-8465-9aa54e128c1elinux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Related Rules

SimilarDetectionlow

Hidden Files and Directories

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9e1bef8d-0fff-46f6-8465-9aa54e128c1e

Status

test

Level

low

Type

Detection

Created

Fri Dec 30

Author

Path

rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001