
Summary
This detection rule identifies instances where an adversary uses the 'chflags' command to set the 'hidden' flag on files or directories. Marking a file hidden keeps it out of the Finder and similar GUI file browsers (a plain 'ls' still lists it), which obscures the attacker's presence and complicates detection by security teams. The rule covers Linux and macOS hosts and fires on process events in which 'chflags' is invoked with the 'hidden' flag. Note that 'chflags' is native to macOS and the BSDs, while Linux normally exposes the equivalent through 'chattr', so in practice most hits will come from macOS endpoints. The behaviour maps to MITRE ATT&CK technique T1564 (Hide Artifacts), sub-technique T1564.001 (Hidden Files and Directories), under the Defense Evasion tactic. Analysts are given investigation steps to verify flagged activity and to triage false positives from legitimate administrative actions, backups, and user customizations.
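The following Python block is an added example, not the rule's own query or any vendor code. It runs the same logic described above over a handful of constructed process events in an ECS-like JSON-lines shape (the field names 'event.category', 'event.type', 'host.os.type', 'process.name', 'process.args' and 'user.name' are assumptions about the input layout). It goes slightly beyond a literal argument match: chflags accepts comma-separated flag words such as 'uchg,hidden', and the 'nohidden' keyword clears the flag rather than setting it, so the code splits the flag word and looks for the exact 'hidden' keyword.

```python
"""Detect 'chflags ... hidden ...' over ECS-style process events (added example)."""
import json

# Constructed sample events, not real telemetry. The ECS-like field layout is
# an assumption; adjust _get() paths to match the schema of your own source.
SAMPLE_EVENTS_JSONL = """
{"event":{"category":"process","type":"start"},"host":{"os":{"type":"macos"}},"user":{"name":"alice"},"process":{"name":"chflags","args":["chflags","hidden","/Users/alice/.payload"]}}
{"event":{"category":"process","type":"start"},"host":{"os":{"type":"macos"}},"user":{"name":"alice"},"process":{"name":"chflags","args":["chflags","nohidden","/Users/alice/Documents"]}}
{"event":{"category":"process","type":"start"},"host":{"os":{"type":"linux"}},"user":{"name":"root"},"process":{"name":"chflags","args":["/usr/bin/chflags","-R","uchg,hidden","/opt/tool"]}}
{"event":{"category":"process","type":"start"},"host":{"os":{"type":"windows"}},"user":{"name":"bob"},"process":{"name":"attrib.exe","args":["attrib","+h","payload.dll"]}}
{"event":{"category":"process","type":"end"},"host":{"os":{"type":"macos"}},"user":{"name":"alice"},"process":{"name":"chflags","args":["chflags","hidden","/tmp/y"]}}
"""


def _get(event, dotted_path):
    """Fetch a nested field by dotted path; None if any level is missing."""
    cur = event
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def hidden_flag_targets(args):
    """Return the paths a chflags invocation marks hidden, or [] if none.

    chflags syntax is: chflags [options] flags file ...  Options start with '-'
    and precede the flag word; the flag word may list several flags separated
    by commas ("uchg,hidden"); "nohidden" clears the flag, so an exact keyword
    match on "hidden" is required rather than a substring test.
    """
    if not args or not args[0].endswith("chflags"):
        return []
    flags = None
    targets = []
    for arg in args[1:]:
        if flags is None:
            if arg.startswith("-"):
                continue  # option such as -R, -H, -L, -P, -v
            flags = {f.strip().lower() for f in arg.split(",")}
        else:
            targets.append(arg)
    if flags is None or "hidden" not in flags:
        return []
    return targets


def is_hidden_flag_event(event):
    """Apply the rule's conditions to one event."""
    return (
        _get(event, "event.category") == "process"
        and _get(event, "event.type") == "start"
        and _get(event, "host.os.type") in ("linux", "macos")
        and _get(event, "process.name") == "chflags"
        and bool(hidden_flag_targets(_get(event, "process.args") or []))
    )


def detect(jsonl, exclude_users=()):
    """Run the rule over JSON-lines input; return (user, os, targets) per hit.

    exclude_users is a tuning knob for accounts confirmed benign during
    investigation (e.g. a backup or MDM service account); start with it empty.
    """
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_hidden_flag_event(event):
            continue
        user = _get(event, "user.name")
        if user in exclude_users:
            continue
        targets = hidden_flag_targets(_get(event, "process.args"))
        hits.append((user, _get(event, "host.os.type"), targets))
    return hits


if __name__ == "__main__":
    for user, os_type, targets in detect(SAMPLE_EVENTS_JSONL):
        print(f"[{os_type}] user={user} marked hidden: {', '.join(targets)}")
```

Of the five constructed events, only the first and third fire: the 'nohidden' call clears the flag, the Windows 'attrib +h' event is a different technique outside this rule, and the process-end record is filtered by the event type. During triage, pivot on the user and the target paths; a dotfile under a home directory or a tool dropped in /opt deserves a closer look than a user hiding a Documents folder.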
Categories
- Endpoint
- Linux
- macOS
Data Sources
- File
- Process
- User Account
ATT&CK Techniques
- T1564
- T1564.001
Created: 2023-08-23