AN0093: Analytic 0093
Use of chflags hidden or SetFile -a V commands to hide files, or creation of hidden files with leading '.'. Defender view: monitoring process execution and file metadata changes setting UF_HIDDEN attribute.
Analyst context for executives and security teams
This analytic focuses on macOS file hiding behavior: files can be concealed by setting hidden file attributes or by using a leading dot in the filename. For leaders, the practical issue is not the command itself but whether the organization can see when important files are intentionally made less visible on managed Macs. Hidden files can complicate investigations, delay containment, and weaken confidence in endpoint hygiene if macOS telemetry is incomplete.
Executive priority
Prioritize this as a macOS endpoint visibility and incident-readiness question. Security leaders should ask whether managed detection, endpoint logging, and IR procedures can identify suspicious file-hiding activity on corporate Macs, especially around sensitive directories, newly created files, or unusual process activity. This is also useful audit evidence for demonstrating that macOS endpoints are monitored beyond basic inventory and antivirus status.
Technical view
Validate coverage for macOS process execution involving file-hiding utilities and file metadata changes that set the UF_HIDDEN attribute, as well as creation of files whose names begin with a dot. Because ATT&CK does not provide tactics, relationships, or a separate detection block for this analytic, teams should treat it as a focused detection-validation item rather than a complete threat scenario. Detection engineering should correlate the file-hiding event with parent process, user, path, file creation or modification time, and surrounding endpoint activity.
Likely telemetry
- macOS process execution telemetry
- Command-line arguments for relevant file-hiding activity
- File creation events, including filenames beginning with a dot
- File metadata or attribute-change events, including UF_HIDDEN where available
- Endpoint user, host, parent process, and file path context
Detection direction
- Confirm that macOS endpoint tooling records both process execution and file metadata changes; one without the other may miss parts of this behavior.
- Tune for context: legitimate macOS and application behavior can create hidden files, so path, user, parent process, and frequency are important for reducing false positives.
- Review whether hidden-file creation in user-writable, application, temporary, or sensitive operational locations is visible and triageable.
- Use this analytic as a coverage test for macOS logging pipelines, because the official object supplies no relationship context or ATT&CK tactic to narrow intent.
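The technical view and the detection direction above describe the correlation a detection rule needs: the file-hiding event itself (a `chflags hidden` or `SetFile -a V` invocation, a dot-prefixed file creation, or an attribute change that sets `UF_HIDDEN`) tied to the user, parent process and path, with a baseline to suppress normal macOS noise. The following is an added example, not code from the ATT&CK object or from Glexia: a small Python routine that applies those checks to constructed sample telemetry. The key=value event format, the field names (`type`, `user`, `parent`, `cmd`, `path`, `flags`) and the benign-baseline sets are assumptions made for this illustration; a real pipeline would map its own EDR or Endpoint Security event schema onto them.

```python
"""Added example (not part of the ATT&CK object or the Glexia page).

Detects the three AN0093 behaviors over constructed sample events and keeps
the triage context (user, parent process, target path) the analytic calls for.
The event format and field names below are assumptions for this illustration.
"""
import os
import shlex
from dataclasses import dataclass

# Constructed sample telemetry in an assumed key=value format.
SAMPLE_EVENTS = [
    'type=process user=alice parent=/bin/zsh cmd="chflags hidden /Users/alice/Documents/notes.txt"',
    'type=process user=alice parent=/bin/zsh cmd="SetFile -a V /Users/alice/Desktop/report.pdf"',
    'type=process user=alice parent=/bin/zsh cmd="chflags nohidden /Users/alice/Documents/notes.txt"',
    'type=file_create user=alice parent=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder path=/Users/alice/Desktop/.DS_Store',
    'type=file_create user=bob parent=/usr/bin/curl path=/Users/bob/Library/.agent',
    'type=attr_change user=bob parent=/usr/bin/python3 path=/Users/bob/Library/.agent flags=UF_HIDDEN',
    'type=process user=root parent=/usr/libexec/xpcproxy cmd="ls -la /tmp"',
]

# Assumed local baseline: dotfiles and parents that routinely create hidden files on macOS.
BENIGN_DOTFILES = {".DS_Store", ".localized", ".Trash"}
BENIGN_PARENTS = {"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"}


@dataclass(frozen=True)
class Finding:
    rule: str     # which AN0093 behavior matched
    user: str
    parent: str   # parent process, kept for triage context
    target: str   # file being hidden


def parse_event(line: str) -> dict:
    """Parse one key=value line; shlex keeps double-quoted values intact."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def hiding_command(cmd: str):
    """Return a rule name if the command line hides a file, else None."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    # Exact token match: "nohidden" (unhiding) must not trigger the rule.
    if tool == "chflags" and "hidden" in argv[1:]:
        return "chflags hidden"
    if tool == "SetFile":
        # SetFile -a V sets the invisible attribute; V may be combined with other letters.
        for flag, value in zip(argv[1:], argv[2:]):
            if flag == "-a" and "V" in value:
                return "SetFile -a V"
    return None


def evaluate(event: dict):
    """Apply the AN0093 checks to one parsed event and return a Finding or None."""
    kind = event.get("type")
    user = event.get("user", "")
    parent = event.get("parent", "")
    if kind == "process":
        rule = hiding_command(event.get("cmd", ""))
        if rule:
            return Finding(rule, user, parent, shlex.split(event["cmd"])[-1])
    elif kind == "file_create":
        path = event.get("path", "")
        name = os.path.basename(path)
        # Dot-prefixed creation, minus the baseline noise from Finder and friends.
        if name.startswith(".") and name not in BENIGN_DOTFILES and parent not in BENIGN_PARENTS:
            return Finding("dotfile created", user, parent, path)
    elif kind == "attr_change":
        # Attribute-change telemetry that reports UF_HIDDEN being set.
        if "UF_HIDDEN" in event.get("flags", "").split(","):
            return Finding("UF_HIDDEN set", user, parent, event.get("path", ""))
    return None


def detect(lines):
    """Run every event through the checks and collect the findings in order."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] user={f.user} parent={f.parent} target={f.target}")
```

Run against the sample events, the routine yields four findings: the `chflags hidden` and `SetFile -a V` invocations, the non-baseline dotfile created under a user's Library by curl, and the `UF_HIDDEN` attribute change on that same file; the `chflags nohidden` call and Finder's `.DS_Store` are correctly ignored. The two findings on `/Users/bob/Library/.agent` also show why the analytic asks for both process and file-metadata telemetry: each stream alone would tell only half the story.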
Mitigation priorities
- Establish baseline visibility for macOS file creation, process execution, and file attribute changes on managed endpoints.
- Limit administrative or scripting capability where business-appropriate and ensure endpoint controls cover macOS systems consistently.
- Document IR playbooks for reviewing hidden files and associated process history during macOS investigations.
- Use detection validation results to identify telemetry gaps before relying on alerts for compliance or incident-response evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for macOS only. It names specific file-hiding behaviors and a defender view focused on process execution and file metadata changes. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take emphasizes validation and telemetry readiness rather than threat attribution or campaign context.
This summary is limited to the supplied STIX fields, external reference, and absence of relationships. It does not establish malicious intent, prevalence, active exploitation, or coverage in any environment. Local baselines and endpoint logging capabilities are required to determine practical detection value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cfea32b76cba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0093
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.