Creation of Hidden Files and Directories via CommandLine

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies users creating hidden files or directories within common writable directories on Linux systems. The files are hidden by prefixing their names with a dot (.), a common technique adversaries use to conceal malicious activity, maintain persistence, and evade defenses. The rule triggers an alert when a process associated with hidden file creation is detected in directories such as /tmp, /var/tmp, or /dev/shm, while filtering out benign actions from commonly used commands. False positives may arise from legitimate applications that create hidden files as part of normal operation, such as development tools and system maintenance scripts, so analysing false positives and establishing appropriate exclusions is recommended. The rule requires data from the Elastic Defend or Auditbeat integrations, and the setup process for both integrations is documented. It carries a medium risk score and targets threat detection in endpoint environments, particularly on Linux.
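The detection idea described above, as an added toy implementation that is not Elastic's rule query: it parses process command lines, flags dot-prefixed paths under /tmp, /var/tmp and /dev/shm, and drops events from an allowlist of benign parent processes. The command set, the allowlist and the sample events are constructed for this example and are not the rule's actual exclusions.

```python
import shlex
from pathlib import PurePosixPath
from typing import Optional

WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Commands whose arguments name the file or directory they create (assumed set).
CREATING_COMMANDS = {"touch", "mkdir", "cp", "mv", "tee", "install"}
# Assumed benign parent processes, for illustration only (not the rule's list).
BENIGN_PARENTS = {"systemd", "snapd", "apt-get"}

def hidden_paths(cmdline: str) -> list:
    """Dot-prefixed paths under WRITABLE_DIRS named as arguments in cmdline."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: nothing parseable
        return []
    if not argv or PurePosixPath(argv[0]).name not in CREATING_COMMANDS:
        return []
    hits = []
    for arg in argv[1:]:
        p = PurePosixPath(arg)
        for base in WRITABLE_DIRS:
            if p != PurePosixPath(base) and p.is_relative_to(base):
                # "." and ".." are directory references, not hidden names.
                parts = p.relative_to(base).parts
                if any(x.startswith(".") and x not in (".", "..") for x in parts):
                    hits.append(arg)
                break
    return hits

def evaluate(event: dict) -> Optional[dict]:
    """event = {'parent': process name, 'cmdline': str}; alert dict or None."""
    if event.get("parent") in BENIGN_PARENTS:
        return None
    paths = hidden_paths(event["cmdline"])
    if not paths:
        return None
    return {"technique": "T1564.001", "paths": paths, "cmdline": event["cmdline"]}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"parent": "bash", "cmdline": "mkdir -p /dev/shm/.cache"},
    {"parent": "bash", "cmdline": "touch /tmp/notes.txt"},
    {"parent": "snapd", "cmdline": "mkdir /tmp/.snap-private"},
    {"parent": "sh", "cmdline": "cp ./a.out /var/tmp/.x/run"},
    {"parent": "bash", "cmdline": "mkdir /tmp/../tmp/dir"},
]

def run(events=SAMPLE_EVENTS) -> list:
    return [a for a in map(evaluate, events) if a]
```

Running `run()` on the sample events yields two alerts: the allowlisted snapd event and the `/tmp/../tmp/dir` path (a `..` reference, not a hidden name) are correctly ignored.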
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Container
  • Network Traffic
ATT&CK Techniques
  • T1564
  • T1564.001
Created: 2020-04-29