
Summary
This detection rule identifies the setting of the hidden attribute on files and folders in Windows environments, a technique adversaries commonly use to conceal their activity. By monitoring the specific commands that apply the hidden attribute (for example, the `attrib` command), the rule separates legitimate operations from likely evasion attempts. EDR logs provide the comprehensive endpoint visibility the rule relies on. The detection logic queries endpoint data in Splunk for the `+h` argument associated with file and folder attributes, then applies a regex that narrows the results to processes that actually perform the hiding operation. Matching events are then presented in a readable format. Detecting this technique matters because it appears in many attack sequences, notably in the well-known atomic test for defense evasion techniques.
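The two-stage filter described above (the `+h` argument, then a regex that keeps only `attrib` invocations), reproduced in Python over constructed process-creation events so the logic can be checked offline. This is an added example, not the rule's own Splunk search; the event field names (`host`, `user`, `process_name`, `process`) and the sample command lines are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "attrib.exe",
     "process": r"attrib.exe +h C:\Users\alice\AppData\Roaming\svc.exe"},
    {"host": "ws01", "user": "alice", "process_name": "attrib.exe",
     "process": r"attrib +s +H C:\Temp\staging"},          # upper-case H, folder
    {"host": "ws02", "user": "bob", "process_name": "cmd.exe",
     "process": r'cmd.exe /c "attrib +h +r C:\ProgramData\x.dll"'},  # via cmd
    {"host": "ws02", "user": "bob", "process_name": "attrib.exe",
     "process": r"attrib.exe -h C:\Users\bob\Desktop\notes.txt"},    # unhide
    {"host": "ws03", "user": "carol", "process_name": "attrib.exe",
     "process": r"attrib.exe +r +a C:\data\report.docx"},            # no +h
    {"host": "ws03", "user": "carol", "process_name": "powershell.exe",
     "process": r"powershell.exe -c Get-ChildItem +h"},  # +h but not attrib
]

# Stage 1: the +h argument as a standalone token, case-insensitive (attrib
# accepts +H too). Stage 2: the process must actually be invoking attrib,
# whether bare, with .exe, by full path, or wrapped in a cmd.exe /c string.
HIDE_ARG = re.compile(r"(?:^|\s)\+h(?=\s|$)", re.IGNORECASE)
ATTRIB_PROC = re.compile(r'(?:^|[\\\s"])attrib(?:\.exe)?(?=\s)', re.IGNORECASE)


def detect_hidden_attribute(events):
    """Return the events in which attrib is used to set the hidden attribute."""
    hits = []
    for ev in events:
        cmd = ev.get("process", "")
        if HIDE_ARG.search(cmd) and ATTRIB_PROC.search(cmd):
            hits.append({"host": ev["host"], "user": ev["user"],
                         "process_name": ev["process_name"], "process": cmd})
    return hits


def format_hits(hits):
    """Render matches as fixed-width rows, mirroring the rule's table output."""
    header = f"{'host':<6} {'user':<7} {'process_name':<15} process"
    rows = [f"{h['host']:<6} {h['user']:<7} {h['process_name']:<15} {h['process']}"
            for h in hits]
    return [header] + rows


if __name__ == "__main__":
    for line in format_hits(detect_hidden_attribute(SAMPLE_EVENTS)):
        print(line)
```

The last three sample events show why the regex stage exists: `-h`, an attrib call without `+h`, and a `+h` token in a non-attrib command line all drop out.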
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1222.001
Created: 2024-02-09