LoFP

Certain tools may create hidden temporary directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.

Techniques

Sample rules

Hidden Directory Creation via Unusual Parent

Description

This rule detects the creation of a hidden directory via an unusual parent executable. Hidden directories are directories that are not visible to the user by default. They are often used by attackers to hide malicious files or tools.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "mkdir" and process.parent.executable like (
  "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"
) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
  process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
  process.command_line like ("mkdir -p .", "mkdir ./*") or
  process.parent.executable like (
    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img"
  )
)
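As an added illustration (not part of this LoFP entry or the rule's own source), the following Python re-implements the rule's matching logic with an EQL-style `like` and runs it over constructed sample events; the `allowed_users` hook is a hypothetical local tuning of the kind the false-positive note describes, not something the rule contains.

```python
"""Re-implementation of the EQL rule above, run over constructed sample events."""
import fnmatch

# Patterns copied from the rule; everything else in this file is an assumption.
SUSPICIOUS_PARENTS = ["/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*",
                      "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"]
HIDDEN_ARGS = [".*", "/*/.*"]
EXCLUDED_PARENTS = ["/tmp/newroot/*", "/run/containerd/*", "/tmp/pear/temp/*",
                    "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img"]
EXCLUDED_COMMAND_LINES = ["mkdir -p .", "mkdir ./*"]


def like(value, patterns):
    """EQL-style `like`: case-sensitive glob, `*` matches any run of characters, `/` included."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def matches_rule(event, allowed_users=()):
    """Return True when the event would trigger the rule (allowed_users is an assumed tuning hook)."""
    if not (event["host.os.type"] == "linux" and event["event.type"] == "start"
            and event["event.action"] == "exec" and event["process.name"] == "mkdir"):
        return False
    parent, args = event["process.parent.executable"], event["process.args"]
    if not like(parent, SUSPICIOUS_PARENTS):
        return False
    # `process.args like (...)` is true if any argument matches; args_count counts argv[0] too
    if not any(like(a, HIDDEN_ARGS) for a in args) or len(args) > 3:
        return False
    # Exclusions from the rule's `not (...)` clause
    if like(parent, EXCLUDED_PARENTS) or like(event["process.command_line"], EXCLUDED_COMMAND_LINES):
        return False
    # Local tuning by username, as the false-positive note suggests (assumed, not in the rule)
    return event.get("user.name") not in allowed_users


def make_event(parent, args, user="www-data"):
    """Build a constructed sample event in the field layout the rule reads."""
    return {"host.os.type": "linux", "event.type": "start", "event.action": "exec",
            "process.name": args[0], "process.parent.executable": parent,
            "process.args": list(args), "process.command_line": " ".join(args),
            "user.name": user}


# Constructed samples: a script under /tmp creating a dotted directory fires;
# the buildah build and the mkdir spawned from /usr/bin/bash do not.
SAMPLES = {
    "staging": make_event("/tmp/stage/run.sh", ["mkdir", "-p", "/var/tmp/.cache2"]),
    "buildah": make_event("/var/tmp/buildah123/sh", ["mkdir", ".local"]),
    "shell": make_event("/usr/bin/bash", ["mkdir", ".config"], user="alice"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, matches_rule(ev))
```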