Type: Detection | Level: low | Status: test
Hidden Files and Directories
Detects an adversary creating a hidden file or directory by looking for files or directories whose name starts with a dot (.)
Log Source
Product: Linux (raw: linux)
Service: auditd (raw: auditd)
Detection Logic (2 selectors)
detection:
    selection_commands:
        type: 'EXECVE'
        a0:
            - 'mkdir'
            - 'nano'
            - 'touch'
            - 'vi'
            - 'vim'
    selection_arguments:
        - a1|re: '(^|\/)\.[^.\/]'
        - a2|re: '(^|\/)\.[^.\/]'
    condition: all of selection_*

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
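To show how the two selectors combine on realistically shaped input, here is an added Python example (not part of the rule or of the Sigma project) that transcribes the detection logic above and runs it over a few constructed auditd EXECVE lines. The selector values (EXECVE, the five commands, the regex on a1/a2) are the rule's own; the parse_record, matches_rule and run helpers, the sample records and the message ids are assumptions of this example. It also covers one auditd detail the regex cannot see on its own: argv entries that contain spaces, quotes or control characters are logged hex-encoded without quotes, so a pipeline that matches the raw field without decoding it will miss those events.

```python
import re

# Rule logic transcribed from the Sigma YAML above (values are the rule's own).
SELECTION_TYPE = "EXECVE"
SELECTION_COMMANDS = {"mkdir", "nano", "touch", "vi", "vim"}
# A dot-prefixed path component that is not '.' or '..' (at the start or after '/').
ARG_RE = re.compile(r"(^|\/)\.[^.\/]")
ARG_FIELDS = ("a1", "a2")          # the two entries of selection_arguments (OR-ed)

# Constructed sample records for this example (not real captures).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1630915200.101:201): argc=2 a0="mkdir" a1=".cache"',
    'type=EXECVE msg=audit(1630915200.102:202): argc=3 a0="mkdir" a1="-p" a2="/var/tmp/.x"',
    'type=EXECVE msg=audit(1630915200.103:203): argc=2 a0="touch" a1="./notes.txt"',
    'type=EXECVE msg=audit(1630915200.104:204): argc=2 a0="vim" a1="../config.yml"',
    'type=EXECVE msg=audit(1630915200.105:205): argc=2 a0="ls" a1="-la"',
    # ".hidden file" contains a space, so auditd writes a1 as unquoted hex.
    'type=EXECVE msg=audit(1630915200.106:206): argc=2 a0="touch" a1=2E68696464656E2066696C65',
    'type=SYSCALL msg=audit(1630915200.107:207): arch=c000003e syscall=59 success=yes exe="/usr/bin/mkdir"',
]

_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted" or key=bare
_ARG_NAME = re.compile(r"^a\d+$")                 # argv fields: a0, a1, a2, ...
_HEX = re.compile(r"[0-9A-Fa-f]+")
_MSG_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_record(line, decode_hex=True):
    """Split one auditd line into a dict of field -> value.

    auditd quotes printable argv values; values with spaces, quotes or
    control characters are emitted as unquoted hex.  With decode_hex set,
    such argv fields are turned back into text before matching."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if quoted is not None:
            fields[key] = quoted
        elif (decode_hex and _ARG_NAME.match(key)
              and len(bare) % 2 == 0 and _HEX.fullmatch(bare)):
            fields[key] = bytes.fromhex(bare).decode("utf-8", errors="replace")
        else:
            fields[key] = bare
    return fields


def matches_rule(fields):
    """Evaluate 'all of selection_*': selection_commands AND selection_arguments.

    Inside selection_arguments the a1 and a2 regex entries form a Sigma list,
    so either one matching is enough."""
    if fields.get("type") != SELECTION_TYPE:
        return False
    if fields.get("a0") not in SELECTION_COMMANDS:
        return False
    return any(ARG_RE.search(fields[f]) for f in ARG_FIELDS if f in fields)


def run(records, decode_hex=True):
    """Return the audit serial numbers (the id after the colon) of matching records."""
    hits = []
    for line in records:
        if matches_rule(parse_record(line, decode_hex)):
            m = _MSG_ID.search(line)
            hits.append(int(m.group(1)) if m else None)
    return hits


if __name__ == "__main__":
    print("with hex decoding:   ", run(SAMPLE_RECORDS))
    print("without hex decoding:", run(SAMPLE_RECORDS, decode_hex=False))
```

Records 201 and 202 match (the second one only through a2, because a1 is the -p flag); "./notes.txt" and "../config.yml" do not, which is what the `[^.\/]` class in the regex is for. Record 206 matches only when the hex-encoded argument is decoded first, so when converting this rule for a backend it is worth checking that the ingestion pipeline normalises auditd argv fields before the regex is applied.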
References
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1564.001 Hide Artifacts: Hidden Files and Directories (attack.t1564.001)
Rule Metadata
Rule ID: d08722cd-3d09-449a-80b4-83ea2d9d4616
Status: test
Level: low
Type: Detection
Created: Mon Sep 06
Modified: Mon Jun 16
Author:
Path: rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml
Raw Tags: attack.defense-evasion, attack.t1564.001