Hidden Files and Directories

Sigma Rules

Summary
This detection rule identifies attempts by an adversary to create hidden files or directories on a Linux system. In Unix-like operating systems a file or directory is hidden if its name starts with a dot (.) character; such entries are omitted from standard directory listings. The rule relies on auditd, the Linux audit daemon, and inspects commands that create or edit files, namely `mkdir`, `touch`, `vim`, `nano`, and `vi`. It matches command-line arguments that either start with a dot or contain a path in which a file or directory name starts with a dot. The data comes from auditd EXECVE records, which log the arguments of every executed program and so give near real-time insight into file system changes. The detection level is set to low: these actions are often legitimate, but they warrant examination because of their potential use for defense evasion. This detection is relevant wherever adversaries hide files or directories from standard directory listings to obscure their activity. For further information, refer to the reference link provided with the rule.
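To make the matching logic concrete, the following Python example is added here; it is not the Sigma rule itself or code from any project. It parses constructed auditd EXECVE records (labelled as such in the code) and applies the conditions stated in the summary: the command in `a0` is one of the watched programs, and some later argument starts with a dot or contains `/.`. The field parsing, the decoding of hex-encoded argv values that auditd emits for arguments containing spaces or special characters, and the stricter `hidden_components` refinement (which ignores the `.` and `..` pseudo-entries so that a path such as `./notes.txt` is reported as a literal rule match but not as a genuinely hidden name) are assumptions of this example, not part of the rule.

```python
import re

# Commands the rule summary says are inspected (from the page).
WATCHED_COMMANDS = {"mkdir", "touch", "vim", "nano", "vi"}

# Constructed sample auditd records for this example (not real captures).
# Serial 4325 shows a benign "./" argument; serial 4326 shows auditd's
# unquoted hex encoding of an argument that contains a space (".secret file").
SAMPLE_LOG = """\
type=EXECVE msg=audit(1630929600.123:4321): argc=3 a0="mkdir" a1="-p" a2="/tmp/.cache/stash"
type=EXECVE msg=audit(1630929601.456:4322): argc=2 a0="touch" a1=".hidden_notes"
type=EXECVE msg=audit(1630929602.789:4323): argc=2 a0="vim" a1="/etc/hosts"
type=EXECVE msg=audit(1630929603.012:4324): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1630929604.345:4325): argc=2 a0="nano" a1="./notes.txt"
type=SYSCALL msg=audit(1630929604.345:4325): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1630929605.678:4326): argc=2 a0="touch" a1=2E7365637265742066696C65
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
ARG_RE = re.compile(r"^a\d+$")                          # argv fields a0, a1, ...
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Parse one auditd record line into a dict of field -> value.

    Unquoted, hex-encoded argv fields (aN) are decoded to text; every other
    field is kept as the string that appeared in the record.
    """
    fields = {}
    m = SERIAL_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    for key, quoted, bare in FIELD_RE.findall(line):
        value = quoted or bare
        if ARG_RE.match(key) and bare and HEX_RE.match(bare):
            value = bytes.fromhex(bare).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def argv(fields):
    """Rebuild the argument vector from argc and the aN fields."""
    n = int(fields.get("argc", 0))
    return [fields.get(f"a{i}", "") for i in range(n)]


def literal_match(arg):
    """The condition as the summary states it: starts with '.' or contains '/.'."""
    return arg.startswith(".") or "/." in arg


def hidden_components(path):
    """Stricter refinement (assumption of this example): return the path
    components that name a hidden entry, ignoring the '.' and '..' entries."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def matches_rule(fields):
    """True when an EXECVE record runs a watched command with a dot-prefixed
    or dot-path argument. The command is compared by basename so that
    /usr/bin/touch is treated like touch (a choice made for this example)."""
    if fields.get("type") != "EXECVE":
        return False
    args = argv(fields)
    if not args or args[0].rsplit("/", 1)[-1] not in WATCHED_COMMANDS:
        return False
    return any(literal_match(a) for a in args[1:])


def scan(log_text):
    """Return one hit per matching record, flagging whether an offending
    argument really names a hidden entry or only matched textually."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if not matches_rule(fields):
            continue
        args = argv(fields)
        offending = [a for a in args[1:] if literal_match(a)]
        hits.append({
            "serial": fields.get("serial"),
            "command": args[0],
            "args": offending,
            "hidden_name": any(hidden_components(a) for a in offending),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        tag = "hidden name" if hit["hidden_name"] else "textual match only"
        print(f"serial={hit['serial']} cmd={hit['command']} args={hit['args']} ({tag})")
```

Run against the sample, four records match the literal condition; the `nano ./notes.txt` record is reported as a textual match only, which is the kind of benign hit that accounts for the rule's low level. The `hidden_name` flag is a convenient place to hang a tuning decision, for example routing textual-only matches to a lower-priority queue.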
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
  • Command
ATT&CK Techniques
  • T1564.001
Created: 2021-09-06