
Summary
The MacOS Hidden Files and Directories rule is an anomaly detection analytic that flags suspicious creation of hidden files or directories on macOS endpoints. It uses osquery process auditing results to detect commands and attributes commonly used to conceal artifacts, including chflags hidden and writes to the com.apple.FinderInfo extended attribute via xattr -wx. The detection aggregates matching events by process and file context (destination, original file name, parent process, file path, user) and normalizes timestamps. When a pattern indicating hidden status is observed, the rule raises an alert that can indicate attacker persistence, data concealment, or defense evasion. The rule maps to MITRE ATT&CK technique T1564.001 (Hide Artifacts) and is designed to surface potentially malicious activity that hides files or directories from security tooling. Its remediation guidance focuses on reviewing the affected destination, file, user, and process; legitimate administrative activity can also trigger it (false positives). It requires osquery to be deployed on the macOS endpoints and the Splunk TA for osquery data to populate the Endpoint.Processes data model.
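The following is an added example, not the rule's own SPL and not part of the original page: an offline re-implementation of the detection logic the summary describes, run over constructed osquery-style process events. Field names (dest, user, parent_process_name, process_name, process, _time) are assumptions chosen to resemble the Endpoint.Processes data model, the sample events are constructed, and the file path is assumed to be the last command-line argument. It shows the chflags hidden and xattr -wx com.apple.FinderInfo matching, the exclusion of the benign chflags nohidden and read-only xattr -l cases, the aggregation by destination, process, parent, file path and user, and the timestamp normalization.

```python
"""Offline model of the MacOS Hidden Files and Directories detection.
Added example; not the rule's SPL. Field names and sample data are assumptions."""
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry). _time is a Unix epoch in seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "mac-01", "user": "alice",
     "parent_process_name": "Terminal", "process_name": "chflags",
     "process": "chflags hidden /Users/alice/.stash"},
    {"_time": 1700000060, "dest": "mac-01", "user": "alice",
     "parent_process_name": "Terminal", "process_name": "chflags",
     "process": "chflags hidden /Users/alice/.stash"},  # repeat: aggregated with the first
    {"_time": 1700000120, "dest": "mac-02", "user": "bob",
     "parent_process_name": "bash", "process_name": "xattr",
     "process": "xattr -wx com.apple.FinderInfo "
                "0000000000000000400000000000000000000000000000000000000000000000 /tmp/payload"},
    {"_time": 1700000180, "dest": "mac-03", "user": "carol",
     "parent_process_name": "Terminal", "process_name": "chflags",
     "process": "chflags nohidden /Users/carol/Documents"},  # un-hides: must not match
    {"_time": 1700000240, "dest": "mac-03", "user": "carol",
     "parent_process_name": "Finder", "process_name": "xattr",
     "process": "xattr -l /Users/carol/Documents"},  # read-only listing: must not match
]


def is_hide_command(process_name, cmdline):
    """True when the command line matches the rule's hide patterns:
    'chflags hidden ...' (also inside a comma list such as hidden,uchg)
    or 'xattr -wx com.apple.FinderInfo ...' (the -w and -x flags may be split)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unparseable quoting: treat as no match
    args = argv[1:]
    if process_name == "chflags":
        # flag words are the non-option arguments; 'nohidden' is not 'hidden'
        return any("hidden" in tok.split(",")
                   for tok in args if not tok.startswith("-"))
    if process_name == "xattr":
        flag_chars = set("".join(t[1:] for t in args
                                 if t.startswith("-") and not t.startswith("--")))
        return {"w", "x"} <= flag_chars and "com.apple.FinderInfo" in args
    return False


def target_path(cmdline):
    """Assumption: the last argument is the file or directory being hidden."""
    argv = shlex.split(cmdline)
    return argv[-1] if len(argv) > 1 else ""


def normalize_time(epoch):
    """Render an epoch timestamp as ISO 8601 UTC, as the rule normalizes times."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_hidden_artifacts(events):
    """Aggregate matching events by (dest, process_name, parent, file path, user)
    and return one alert per group with count, firstTime and lastTime."""
    groups = defaultdict(lambda: {"count": 0, "times": []})
    for ev in events:
        if not is_hide_command(ev["process_name"], ev["process"]):
            continue
        key = (ev["dest"], ev["process_name"], ev["parent_process_name"],
               target_path(ev["process"]), ev["user"])
        groups[key]["count"] += 1
        groups[key]["times"].append(ev["_time"])
    alerts = []
    for (dest, name, parent, path, user), g in groups.items():
        alerts.append({
            "dest": dest, "process_name": name, "parent_process_name": parent,
            "file_path": path, "user": user, "count": g["count"],
            "firstTime": normalize_time(min(g["times"])),
            "lastTime": normalize_time(max(g["times"])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_artifacts(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: one for mac-01 with a count of 2 (the repeated chflags hidden on the same path) and one for mac-02 (the xattr write); the nohidden and xattr -l events on mac-03 produce nothing. The grouping uses a subset of the fields the summary lists; original file name would be added to the key in the same way where the data model supplies it.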
Categories
- macOS
- Endpoint
Data Sources
- User Account
- Pod
- Container
- File
- Process
- Image
- Script
- Windows Registry
- WMI
- Command
- Kernel
- Driver
- Drive
- Snapshot
- Sensor Health
- Network Traffic
- Logon Session
- Module
- Application Log
- Domain Name
- Network Share
- Scheduled Job
- Firmware
- Active Directory
- Service
ATT&CK Techniques
- T1564.001
Created: 2026-02-26